Edit tour

Windows Analysis Report
vsl particulars packing list.exe

Overview

General Information

Sample name:	vsl particulars packing list.exe
Analysis ID:	1464878
MD5:	ec3fe16c54946213c717a27606f70243
SHA1:	d11efe4e0f949ff6b14929cd30ae146c1b4a11c9
SHA256:	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

vsl particulars packing list.exe (PID: 4888 cmdline: "C:\Users\user\Desktop\vsl particulars packing list.exe" MD5: EC3FE16C54946213C717A27606F70243)

CasPol.exe (PID: 6712 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

WerFault.exe (PID: 4228 cmdline: C:\Windows\system32\WerFault.exe -u -p 4888 -s 1052 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.4124784571.0000000003470000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1484e:$a1: get_encryptedPassword 0x14b3a:$a2: get_encryptedUsername 0x1465a:$a3: get_timePasswordChanged 0x14755:$a4: get_passwordField 0x14864:$a5: set_encryptedPassword 0x15e37:$a7: get_logins 0x15d9a:$a10: KeyLoggerEventArgs 0x15a33:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18110:$x1: $%SMTPDV$ 0x18176:$x2: $#TheHashHere%& 0x1976d:$x3: %FTPDV$ 0x19861:$x4: $%TelegramDv$ 0x15a33:$x5: KeyLoggerEventArgs 0x15d9a:$x5: KeyLoggerEventArgs 0x19791:$m2: Clipboard Logs ID 0x199b1:$m2: Screenshot Logs ID 0x19ac1:$m2: keystroke Logs ID 0x19d9b:$m3: SnakePW 0x19989:$m4: \SnakeKeylogger\
00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xab276:$a1: get_encryptedPassword 0xcbcbe:$a1: get_encryptedPassword 0xab562:$a2: get_encryptedUsername 0xcbfaa:$a2: get_encryptedUsername 0xab082:$a3: get_timePasswordChanged 0xcbaca:$a3: get_timePasswordChanged 0xab17d:$a4: get_passwordField 0xcbbc5:$a4: get_passwordField 0xab28c:$a5: set_encryptedPassword 0xcbcd4:$a5: set_encryptedPassword 0xac85f:$a7: get_logins 0xcd2a7:$a7: get_logins 0xac7c2:$a10: KeyLoggerEventArgs 0xcd20a:$a10: KeyLoggerEventArgs 0xac45b:$a11: KeyLoggerEventArgsEventHandler 0xccea3:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xaeb38:$x1: $%SMTPDV$ 0xcf580:$x1: $%SMTPDV$ 0xaeb9e:$x2: $#TheHashHere%& 0xcf5e6:$x2: $#TheHashHere%& 0xb0195:$x3: %FTPDV$ 0xd0bdd:$x3: %FTPDV$ 0xb0289:$x4: $%TelegramDv$ 0xd0cd1:$x4: $%TelegramDv$ 0xac45b:$x5: KeyLoggerEventArgs 0xac7c2:$x5: KeyLoggerEventArgs 0xccea3:$x5: KeyLoggerEventArgs 0xcd20a:$x5: KeyLoggerEventArgs 0xb01b9:$m2: Clipboard Logs ID 0xb03d9:$m2: Screenshot Logs ID 0xb04e9:$m2: keystroke Logs ID 0xd0c01:$m2: Clipboard Logs ID 0xd0e21:$m2: Screenshot Logs ID 0xd0f31:$m2: keystroke Logs ID 0xb07c3:$m3: SnakePW 0xd120b:$m3: SnakePW 0xb03b1:$m4: \SnakeKeylogger\
00000001.00000002.4124784571.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: vsl particulars packing list.exe PID: 4888	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vsl particulars packing list.exe PID: 4888	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vsl particulars packing list.exe PID: 4888	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: vsl particulars packing list.exe PID: 4888	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: vsl particulars packing list.exe PID: 4888	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x372fe:$a1: get_encryptedPassword 0x375e0:$a2: get_encryptedUsername 0x37114:$a3: get_timePasswordChanged 0x3720f:$a4: get_passwordField 0x37314:$a5: set_encryptedPassword 0x39704:$a7: get_logins 0x39667:$a10: KeyLoggerEventArgs 0x39300:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: vsl particulars packing list.exe PID: 4888	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x39300:$x5: KeyLoggerEventArgs 0x39667:$x5: KeyLoggerEventArgs 0x39f55:$x5: KeyLoggerEventArgs 0x3a289:$x5: KeyLoggerEventArgs 0x3b837:$m2: Clipboard Logs ID 0x3b92e:$m2: Screenshot Logs ID 0x3b984:$m2: keystroke Logs ID 0x3bab9:$m3: SnakePW 0x3b91a:$m4: \SnakeKeylogger\
Process Memory Space: CasPol.exe PID: 6712	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 6712	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: CasPol.exe PID: 6712	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x31fb:$a1: get_encryptedPassword 0x34dd:$a2: get_encryptedUsername 0x3011:$a3: get_timePasswordChanged 0x310c:$a4: get_passwordField 0x3211:$a5: set_encryptedPassword 0x5601:$a7: get_logins 0x5564:$a10: KeyLoggerEventArgs 0x51fd:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: CasPol.exe PID: 6712	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x51fd:$x5: KeyLoggerEventArgs 0x5564:$x5: KeyLoggerEventArgs 0x5e52:$x5: KeyLoggerEventArgs 0x6186:$x5: KeyLoggerEventArgs 0x7734:$m2: Clipboard Logs ID 0x782b:$m2: Screenshot Logs ID 0x7881:$m2: keystroke Logs ID 0x79b6:$m3: SnakePW 0x7817:$m4: \SnakeKeylogger\
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.CasPol.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.CasPol.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.CasPol.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.CasPol.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a4e:$a1: get_encryptedPassword 0x14d3a:$a2: get_encryptedUsername 0x1485a:$a3: get_timePasswordChanged 0x14955:$a4: get_passwordField 0x14a64:$a5: set_encryptedPassword 0x16037:$a7: get_logins 0x15f9a:$a10: KeyLoggerEventArgs 0x15c33:$a11: KeyLoggerEventArgsEventHandler
1.2.CasPol.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c36b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b59d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9d0:$a4: \Orbitum\User Data\Default\Login Data 0x1ca0f:$a5: \Kometa\User Data\Default\Login Data
1.2.CasPol.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d6:$s1: UnHook 0x155dd:$s2: SetHook 0x155e5:$s3: CallNextHook 0x155f2:$s4: _hook
1.2.CasPol.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18310:$x1: $%SMTPDV$ 0x18376:$x2: $#TheHashHere%& 0x1996d:$x3: %FTPDV$ 0x19a61:$x4: $%TelegramDv$ 0x15c33:$x5: KeyLoggerEventArgs 0x15f9a:$x5: KeyLoggerEventArgs 0x19991:$m2: Clipboard Logs ID 0x19bb1:$m2: Screenshot Logs ID 0x19cc1:$m2: keystroke Logs ID 0x19f9b:$m3: SnakePW 0x19b89:$m4: \SnakeKeylogger\
0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c4e:$a1: get_encryptedPassword 0x12f3a:$a2: get_encryptedUsername 0x12a5a:$a3: get_timePasswordChanged 0x12b55:$a4: get_passwordField 0x12c64:$a5: set_encryptedPassword 0x14237:$a7: get_logins 0x1419a:$a10: KeyLoggerEventArgs 0x13e33:$a11: KeyLoggerEventArgsEventHandler
0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a56b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1979d:$a3: \Google\Chrome\User Data\Default\Login Data 0x19bd0:$a4: \Orbitum\User Data\Default\Login Data 0x1ac0f:$a5: \Kometa\User Data\Default\Login Data
0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137d6:$s1: UnHook 0x137dd:$s2: SetHook 0x137e5:$s3: CallNextHook 0x137f2:$s4: _hook
0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16510:$x1: $%SMTPDV$ 0x16576:$x2: $#TheHashHere%& 0x17b6d:$x3: %FTPDV$ 0x17c61:$x4: $%TelegramDv$ 0x13e33:$x5: KeyLoggerEventArgs 0x1419a:$x5: KeyLoggerEventArgs 0x17b91:$m2: Clipboard Logs ID 0x17db1:$m2: Screenshot Logs ID 0x17ec1:$m2: keystroke Logs ID 0x1819b:$m3: SnakePW 0x17d89:$m4: \SnakeKeylogger\
0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c4e:$a1: get_encryptedPassword 0x12f3a:$a2: get_encryptedUsername 0x12a5a:$a3: get_timePasswordChanged 0x12b55:$a4: get_passwordField 0x12c64:$a5: set_encryptedPassword 0x14237:$a7: get_logins 0x1419a:$a10: KeyLoggerEventArgs 0x13e33:$a11: KeyLoggerEventArgsEventHandler
0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a56b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1979d:$a3: \Google\Chrome\User Data\Default\Login Data 0x19bd0:$a4: \Orbitum\User Data\Default\Login Data 0x1ac0f:$a5: \Kometa\User Data\Default\Login Data
0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137d6:$s1: UnHook 0x137dd:$s2: SetHook 0x137e5:$s3: CallNextHook 0x137f2:$s4: _hook
0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16510:$x1: $%SMTPDV$ 0x16576:$x2: $#TheHashHere%& 0x17b6d:$x3: %FTPDV$ 0x17c61:$x4: $%TelegramDv$ 0x13e33:$x5: KeyLoggerEventArgs 0x1419a:$x5: KeyLoggerEventArgs 0x17b91:$m2: Clipboard Logs ID 0x17db1:$m2: Screenshot Logs ID 0x17ec1:$m2: keystroke Logs ID 0x1819b:$m3: SnakePW 0x17d89:$m4: \SnakeKeylogger\
0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a4e:$a1: get_encryptedPassword 0x14d3a:$a2: get_encryptedUsername 0x1485a:$a3: get_timePasswordChanged 0x14955:$a4: get_passwordField 0x14a64:$a5: set_encryptedPassword 0x16037:$a7: get_logins 0x15f9a:$a10: KeyLoggerEventArgs 0x15c33:$a11: KeyLoggerEventArgsEventHandler
0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c36b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b59d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9d0:$a4: \Orbitum\User Data\Default\Login Data 0x1ca0f:$a5: \Kometa\User Data\Default\Login Data
0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d6:$s1: UnHook 0x155dd:$s2: SetHook 0x155e5:$s3: CallNextHook 0x155f2:$s4: _hook
0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18310:$x1: $%SMTPDV$ 0x18376:$x2: $#TheHashHere%& 0x1996d:$x3: %FTPDV$ 0x19a61:$x4: $%TelegramDv$ 0x15c33:$x5: KeyLoggerEventArgs 0x15f9a:$x5: KeyLoggerEventArgs 0x19991:$m2: Clipboard Logs ID 0x19bb1:$m2: Screenshot Logs ID 0x19cc1:$m2: keystroke Logs ID 0x19f9b:$m3: SnakePW 0x19b89:$m4: \SnakeKeylogger\
0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a4e:$a1: get_encryptedPassword 0x35496:$a1: get_encryptedPassword 0x14d3a:$a2: get_encryptedUsername 0x35782:$a2: get_encryptedUsername 0x1485a:$a3: get_timePasswordChanged 0x352a2:$a3: get_timePasswordChanged 0x14955:$a4: get_passwordField 0x3539d:$a4: get_passwordField 0x14a64:$a5: set_encryptedPassword 0x354ac:$a5: set_encryptedPassword 0x16037:$a7: get_logins 0x36a7f:$a7: get_logins 0x15f9a:$a10: KeyLoggerEventArgs 0x369e2:$a10: KeyLoggerEventArgs 0x15c33:$a11: KeyLoggerEventArgsEventHandler 0x3667b:$a11: KeyLoggerEventArgsEventHandler
0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c36b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cdb3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b59d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bfe5:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9d0:$a4: \Orbitum\User Data\Default\Login Data 0x3c418:$a4: \Orbitum\User Data\Default\Login Data 0x1ca0f:$a5: \Kometa\User Data\Default\Login Data 0x3d457:$a5: \Kometa\User Data\Default\Login Data
0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155d6:$s1: UnHook 0x3601e:$s1: UnHook 0x155dd:$s2: SetHook 0x36025:$s2: SetHook 0x155e5:$s3: CallNextHook 0x3602d:$s3: CallNextHook 0x155f2:$s4: _hook 0x3603a:$s4: _hook
0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18310:$x1: $%SMTPDV$ 0x38d58:$x1: $%SMTPDV$ 0x18376:$x2: $#TheHashHere%& 0x38dbe:$x2: $#TheHashHere%& 0x1996d:$x3: %FTPDV$ 0x3a3b5:$x3: %FTPDV$ 0x19a61:$x4: $%TelegramDv$ 0x3a4a9:$x4: $%TelegramDv$ 0x15c33:$x5: KeyLoggerEventArgs 0x15f9a:$x5: KeyLoggerEventArgs 0x3667b:$x5: KeyLoggerEventArgs 0x369e2:$x5: KeyLoggerEventArgs 0x19991:$m2: Clipboard Logs ID 0x19bb1:$m2: Screenshot Logs ID 0x19cc1:$m2: keystroke Logs ID 0x3a3d9:$m2: Clipboard Logs ID 0x3a5f9:$m2: Screenshot Logs ID 0x3a709:$m2: keystroke Logs ID 0x19f9b:$m3: SnakePW 0x3a9e3:$m3: SnakePW 0x19b89:$m4: \SnakeKeylogger\
Click to see the 28 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}

Multi AV Scanner detection for submitted file

Source: vsl particulars packing list.exe	ReversingLabs: Detection: 47%
Source: vsl particulars packing list.exe	Virustotal: Detection: 44%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: vsl particulars packing list.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vsl particulars packing list.exe PID: 4888, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.0

Source: vsl particulars packing list.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\mscorlib.pdbJ source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb2 source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: pC:\Users\user\Desktop\vsl particulars packing list.PDB source: vsl particulars packing list.exe, 00000000.00000002.1792963395.000000C085F53000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbl source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbD402B source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56924000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb- source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\vsl particulars packing list.PDB source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56924000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56924000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\vsl particulars packing list.PDB source: vsl particulars packing list.exe, 00000000.00000002.1792963395.000000C085F53000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbe source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56924000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vsl particulars packing list.PDB source: vsl particulars packing list.exe, 00000000.00000002.1792963395.000000C085F53000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb3aF source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbnA source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9CA2.tmp.dmp.4.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 02E3F1F6h	1_2_02E3F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 02E3FB80h	1_2_02E3F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_02E3E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_02E3EB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_02E3ED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A38945h	1_2_06A38608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A36171h	1_2_06A35EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_06A336CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A358C1h	1_2_06A35618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A36A21h	1_2_06A36778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A37751h	1_2_06A374A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A30741h	1_2_06A30498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A30FF1h	1_2_06A30D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A38001h	1_2_06A37D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A35D19h	1_2_06A35A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_06A333A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_06A333B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A36E79h	1_2_06A36BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A365C9h	1_2_06A36320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A30B99h	1_2_06A308F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A302E9h	1_2_06A30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A372FAh	1_2_06A37050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A38459h	1_2_06A381B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A35441h	1_2_06A35198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp 06A37BA9h	1_2_06A37900

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: CasPol.exe, 00000001.00000002.4124784571.0000000003462000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003426000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000336A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003419000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003454000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000340B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: CasPol.exe, 00000001.00000002.4124784571.0000000003462000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033AD000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003358000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003426000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000336A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003419000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003434000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003454000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000340B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: CasPol.exe, 00000001.00000002.4124784571.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: vsl particulars packing list.exe, 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: CasPol.exe, 00000001.00000002.4124784571.0000000003462000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003426000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003419000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003454000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000340B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003383000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: CasPol.exe, 00000001.00000002.4124784571.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: CasPol.exe, 00000001.00000002.4124784571.0000000003462000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033AD000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003426000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000336A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003419000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003454000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000340B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: vsl particulars packing list.exe, 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000336A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: CasPol.exe, 00000001.00000002.4124784571.000000000340B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: CasPol.exe, 00000001.00000002.4124784571.0000000003462000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033AD000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003426000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003419000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003454000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000340B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: vsl particulars packing list.exe PID: 4888, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: vsl particulars packing list.exe PID: 4888, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 6712, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: CasPol.exe PID: 6712, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B8A4370	0_2_00007FFD9B8A4370
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B898390	0_2_00007FFD9B898390
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B898388	0_2_00007FFD9B898388
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B89B310	0_2_00007FFD9B89B310
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B89E279	0_2_00007FFD9B89E279
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B8937DC	0_2_00007FFD9B8937DC
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B89B6F1	0_2_00007FFD9B89B6F1
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B891608	0_2_00007FFD9B891608
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B8A43C9	0_2_00007FFD9B8A43C9
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B89FA0F	0_2_00007FFD9B89FA0F
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B9600D6	0_2_00007FFD9B9600D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E3B328	1_2_02E3B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E3F007	1_2_02E3F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E3C190	1_2_02E3C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E36108	1_2_02E36108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E3C752	1_2_02E3C752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E3C470	1_2_02E3C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E34AD9	1_2_02E34AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E3CA32	1_2_02E3CA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E3BBD2	1_2_02E3BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E36880	1_2_02E36880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E39858	1_2_02E39858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E3BEB0	1_2_02E3BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E3B4F2	1_2_02E3B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E33572	1_2_02E33572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E3E528	1_2_02E3E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_02E3E517	1_2_02E3E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3B6E8	1_2_06A3B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A38608	1_2_06A38608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3D670	1_2_06A3D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3A408	1_2_06A3A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3BD38	1_2_06A3BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3AA58	1_2_06A3AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3C388	1_2_06A3C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A38B58	1_2_06A38B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3B0A0	1_2_06A3B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3D028	1_2_06A3D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A311A0	1_2_06A311A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3C9D8	1_2_06A3C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A35EB8	1_2_06A35EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A35EC8	1_2_06A35EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3B6D8	1_2_06A3B6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3560B	1_2_06A3560B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A35618	1_2_06A35618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3D663	1_2_06A3D663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A33730	1_2_06A33730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3676B	1_2_06A3676B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A36778	1_2_06A36778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A374A8	1_2_06A374A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A30488	1_2_06A30488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A37497	1_2_06A37497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A30498	1_2_06A30498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A34430	1_2_06A34430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A385FC	1_2_06A385FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3BD28	1_2_06A3BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A30D39	1_2_06A30D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A30D48	1_2_06A30D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A37D48	1_2_06A37D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A37D58	1_2_06A37D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A35A60	1_2_06A35A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A35A70	1_2_06A35A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3AA48	1_2_06A3AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A333A8	1_2_06A333A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A333B8	1_2_06A333B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3A3F8	1_2_06A3A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A36BC1	1_2_06A36BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A36BD0	1_2_06A36BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A36320	1_2_06A36320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A36313	1_2_06A36313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3C379	1_2_06A3C379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3B093	1_2_06A3B093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A308E0	1_2_06A308E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A308F0	1_2_06A308F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A378F0	1_2_06A378F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A30007	1_2_06A30007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A32807	1_2_06A32807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A32818	1_2_06A32818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3D018	1_2_06A3D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A30040	1_2_06A30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A37040	1_2_06A37040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A37050	1_2_06A37050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A381A0	1_2_06A381A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A381B0	1_2_06A381B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3518B	1_2_06A3518B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A31191	1_2_06A31191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A35198	1_2_06A35198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A3C9C8	1_2_06A3C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06A37900	1_2_06A37900

Source: C:\Users\user\Desktop\vsl particulars packing list.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4888 -s 1052

Source: vsl particulars packing list.exe

Static PE information: No import functions for PE file found

Source: vsl particulars packing list.exe, 00000000.00000000.1649525238.000001CD567A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOgogotaL vs vsl particulars packing list.exe
Source: vsl particulars packing list.exe, 00000000.00000002.1793475696.000001CD56BC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameElewitigaqF vs vsl particulars packing list.exe
Source: vsl particulars packing list.exe, 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs vsl particulars packing list.exe
Source: vsl particulars packing list.exe, 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameElewitigaqF vs vsl particulars packing list.exe
Source: vsl particulars packing list.exe	Binary or memory string: OriginalFilenameOgogotaL vs vsl particulars packing list.exe

Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: vsl particulars packing list.exe PID: 4888, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: vsl particulars packing list.exe PID: 4888, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: CasPol.exe PID: 6712, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: CasPol.exe PID: 6712, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56924000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbe

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@4/5@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4888

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7ab393cb-1cb2-4b3e-8a4b-b4388d389ec9

Jump to behavior

Source: vsl particulars packing list.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vsl particulars packing list.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CasPol.exe, 00000001.00000002.4124784571.00000000034F3000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003501000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: vsl particulars packing list.exe	ReversingLabs: Detection: 47%
Source: vsl particulars packing list.exe	Virustotal: Detection: 44%

Source: C:\Users\user\Desktop\vsl particulars packing list.exe

File read: C:\Users\user\Desktop\vsl particulars packing list.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\vsl particulars packing list.exe "C:\Users\user\Desktop\vsl particulars packing list.exe"
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4888 -s 1052
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior

Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\vsl particulars packing list.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\vsl particulars packing list.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: vsl particulars packing list.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: vsl particulars packing list.exe

Static file information: File size 1563808 > 1048576

Source: vsl particulars packing list.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: vsl particulars packing list.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Windows\mscorlib.pdbJ source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb2 source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: pC:\Users\user\Desktop\vsl particulars packing list.PDB source: vsl particulars packing list.exe, 00000000.00000002.1792963395.000000C085F53000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbl source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbD402B source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56924000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb- source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\vsl particulars packing list.PDB source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56924000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56924000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\vsl particulars packing list.PDB source: vsl particulars packing list.exe, 00000000.00000002.1792963395.000000C085F53000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbe source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56924000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vsl particulars packing list.PDB source: vsl particulars packing list.exe, 00000000.00000002.1792963395.000000C085F53000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb3aF source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbnA source: vsl particulars packing list.exe, 00000000.00000002.1793149895.000001CD56988000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER9CA2.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9CA2.tmp.dmp.4.dr

Source: vsl particulars packing list.exe

Static PE information: 0x840105AF [Tue Mar 6 15:11:43 2040 UTC]

Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B898167 push ebx; ret	0_2_00007FFD9B89816A
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B891598 push es; iretd	0_2_00007FFD9B8AB307
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Code function: 0_2_00007FFD9B9600D6 push esp; retf 4810h	0_2_00007FFD9B960312

Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: vsl particulars packing list.exe PID: 4888, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Memory allocated: 1CD56AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Memory allocated: 1CD703F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 2E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 32A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 52A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596483	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596114	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594546	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 1956			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 7894			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7228	Thread sleep count: 1956 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7228	Thread sleep count: 7894 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -598685s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -598452s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -598124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -597249s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -596483s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -596114s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -595749s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -595421s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -595093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -594874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7224	Thread sleep time: -594546s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596483	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596114	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594546	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: CasPol.exe, 00000001.00000002.4124134329.000000000124E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: vsl particulars packing list.exe, 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\vsl particulars packing list.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\vsl particulars packing list.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\vsl particulars packing list.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: E48008	Jump to behavior

Source: C:\Users\user\Desktop\vsl particulars packing list.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

Jump to behavior

Source: C:\Users\user\Desktop\vsl particulars packing list.exe	Queries volume information: C:\Users\user\Desktop\vsl particulars packing list.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\vsl particulars packing list.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4124784571.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4124784571.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vsl particulars packing list.exe PID: 4888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6712, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vsl particulars packing list.exe PID: 4888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6712, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6862e270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vsl particulars packing list.exe.1cd6860d828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4124784571.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4124784571.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vsl particulars packing list.exe PID: 4888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6712, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
vsl particulars packing list.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
vsl particulars packing list.exe	45%	Virustotal		Browse
vsl particulars packing list.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/q	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Virustotal		Browse
http://checkip.dyndns.org	1%	Virustotal		Browse
http://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	1%	Virustotal		Browse
http://checkip.dyndns.com	0%	Virustotal		Browse
https://reallyfreegeoip.org/xml/	0%	Virustotal		Browse
http://reallyfreegeoip.org	0%	Virustotal		Browse
http://checkip.dyndns.org/q	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.247.73	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	CasPol.exe, 00000001.00000002.4124784571.0000000003462000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033AD000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003426000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000336A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003419000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003454000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000340B000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	CasPol.exe, 00000001.00000002.4124784571.0000000003462000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033AD000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003358000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003426000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000336A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003419000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003434000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003454000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000340B000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	CasPol.exe, 00000001.00000002.4124784571.0000000003462000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003426000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000336A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003419000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003454000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000340B000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	CasPol.exe, 00000001.00000002.4124784571.0000000003462000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033AD000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003426000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003419000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003454000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000340B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CasPol.exe, 00000001.00000002.4124784571.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	vsl particulars packing list.exe, 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	CasPol.exe, 00000001.00000002.4124784571.0000000003462000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003426000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003419000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003454000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000340B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.0000000003383000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	vsl particulars packing list.exe, 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.4124784571.000000000336A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464878
Start date and time:	2024-06-30 17:43:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vsl particulars packing list.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@4/5@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 91% Number of executed functions: 223 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target CasPol.exe, PID 6712 because it is empty
Execution Graph export aborted for target vsl particulars packing list.exe, PID 4888 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:43:58	API Interceptor	13633004x Sleep call for process: CasPol.exe modified
11:44:10	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	cL7A9wGE3w.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	445798cm.nyashka.top/ProviderEternalLinephpRequestSecurePacketprocessauthwordpress.php
	http://www.youkonew.anakembok.de/	Get hash	malicious	HTMLPhisher	Browse	www.youkonew.anakembok.de/cdn-cgi/challenge-platform/h/g/jsd/r/89b98144d9c843b7
	hnCn8gE6NH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	yenot.top/providerlowAuthApibigloadprotectflower.php
	288292021 ABB.exe	Get hash	malicious	FormBook	Browse	www.oc7o0.top/2zff/?Hp=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk6zzmBcbZOQR3Nr9VCMayuUBptQdoGcq8y485hKv0f5POEUdLprTAYpXY&5H=CtUlKhgP42a
	eiqj38BeRo.rtf	Get hash	malicious	FormBook	Browse	www.liposuctionclinics2.today/btrd/?OR-TJfQ=g2Awi9g0RhXmDXdNu5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5szlP5E4EhRYb22U+Mw==&2dc=kvXd-rKHCF
	Purchase Order -JJ023639-PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/9a4iHwft/download
	Techno_PO LV12406-00311.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/cpGHnqq
	Techno_PO LV12406-00311.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/cpGHnqq
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/ygivXnVx/download
	NGL 3200-Phase 2- Strainer.exe	Get hash	malicious	FormBook	Browse	www.oc7o0.top/2zff/?oH=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk7xznBNrfJyFZcb5vCPyKuUBo+l90Wdia8Y821KfsfreAbg==&ML=uVzXijwPkXTxAbN
132.226.247.73	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	itinerary_1719382117.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Halkbank_Ekstre_20240625_082306_910668.bat.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	242010.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Baltic questionnaire.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.23220.28486.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.TrojanX-gen.29327.20826.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	CTM USD28600.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	rGcsbax.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	CTM USD28600.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	PRODUCTS LIST.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	agDEHyYcqv.exe	Get hash	malicious	DCRat	Browse	104.20.4.235
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	BbaXbvOA7D.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	cL7A9wGE3w.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	https://bit.ly/3RPGSFw?lBj=IgAqyyGiOF?ehd=cNhnM3Ug7I	Get hash	malicious	Unknown	Browse	188.114.97.3
	a.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	exe	Get hash	malicious	Unknown	Browse	172.67.159.30
UTMEMUS	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	132.226.8.169
	LEpsypIZxU.elf	Get hash	malicious	Mirai, Moobot	Browse	128.169.91.82
	itinerary_1719382117.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_20240625_082306_910668.bat.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	242010.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	MT STENA IMPRESSION Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Baltic questionnaire.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	IMG_2007_520073.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	30 - 3050324.scr.exe	Get hash	malicious	Remcos	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vsl particulars _2a3097b0749cea7c749879686258262f8513b925_f9752cab_9d15ffbb-87c8-4af6-92e9-4ee19c6455a3\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0246775601992693
Encrypted:	false
SSDEEP:	192:vVFpCAMfkqPhHi0LCD5wia+B9f0zuiFGZ24lO8GN0:I1PPLCDfae98zuiFGY4lO8H
MD5:	269BAD3BE5F07FAD89BFF2AC4ADA69D9
SHA1:	0523F0EAC9B127A995509AEB1BA188D3286E44D3
SHA-256:	4C9E754D04FAD12079682BB07FB45AB70A9EBD2C149ABD968A23D5FA3613F788
SHA-512:	9CB5A5C14270C7A079FEC278764494291B1A946C57C8962FD6B6FFA05F19E5792EC3631BAEDE73037F86BCBB6116A5873EE281430155D6FCD1780DB29F3F3672
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.2.3.5.8.3.7.1.9.7.7.9.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.2.3.5.8.3.8.3.2.2.7.9.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.1.5.f.f.b.b.-.8.7.c.8.-.4.a.f.6.-.9.2.e.9.-.4.e.e.1.9.c.6.4.5.5.a.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.2.7.d.2.c.e.-.9.5.7.0.-.4.b.c.4.-.a.8.7.e.-.b.5.8.e.a.2.c.9.b.8.5.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.v.s.l. .p.a.r.t.i.c.u.l.a.r.s. .p.a.c.k.i.n.g. .l.i.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.O.g.o.g.o.t.a.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.1.8.-.0.0.0.1.-.0.0.1.4.-.0.7.c.3.-.f.6.5.0.0.4.c.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.f.b.a.3.1.1.2.e.2.1.d.f.1.d.3.1.1.a.b.e.1.4.a.b.b.2.d.9.4.4.3.0.0.0.0.0.0.0.0.!.0.0.0.0.d.1.1.e.f.e.4.e.0.f.9.4.9.f.f.6.b.1.4.9.2.9.c.d.3.0.a.e.1.4.6.c.1.b.4.a.1.1.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CA2.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sun Jun 30 15:43:58 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	373462
Entropy (8bit):	3.213008780191718
Encrypted:	false
SSDEEP:	3072:7a2KrabH3Xv0Elx4/tcS1gA1CCqHOyTT/r3+vbtdN9tdN9tdN9tdRP94l6X:7a22uCNDqusD3QhP9
MD5:	F411925DBA0431DE1EF442242BBA92ED
SHA1:	B4F1ED68B292BDA5FD62E09C26D07AD6F5673E76
SHA-256:	D7DBA6EB315263F160F431C3F954D5A7C5ECE74CF629FFB30F4D0553C976CBC0
SHA-512:	BB8E732840CD130539B9808E568AA2BB92D2B50E3E806DA567CB03B7D4FD7537F42C6950783082603658298C41307247FEC7B6535D78290C59338BAD20E75F5D
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......>}.f....................................$...............(.......DB...t..........l.......8...........T...........x)..^............6...........8..............................................................................eJ......L9......Lw......................T...........;}.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA03D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8694
Entropy (8bit):	3.7000907527288143
Encrypted:	false
SSDEEP:	192:R6l7wVeJ7XIPAj6Y96IsRgmfZEdipr089btZofTvm:R6lXJ8PAj6YgIsRgmfI2tGfS
MD5:	FF036151F7E655D33564BB110348B709
SHA1:	3318D92480610053DD426BF1A4C1D4205CAF21D5
SHA-256:	CDC976ACCA75D6253F822E146E32FEB17EF96C7B6219A54CB461194913BFD1A6
SHA-512:	0DAF8A727253DA43C7CC602E7EC5173210D8A8AA92F3F7983D9675575A50EB54C19B9AAB321EB6AD7B5F00CDD07EF0E09D7A1DEE76327F2612C4495F5B69B9CF
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA05D.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4902
Entropy (8bit):	4.495404439032114
Encrypted:	false
SSDEEP:	48:cvIwWl8zsqJg771I9qFWpW8VYnYYm8M4JnE6Fsyq8vPEcCsxid:uIjf4I7x07V4JEfWscCsxid
MD5:	6C118DCE7C1DCDC2B7404C9F6079C372
SHA1:	49EB82D805903B2ACEC73FFF21B3F1B5F0B705A8
SHA-256:	190D6DA2752FA0D81AB10A03BC9CF8F583F3018DE2E17863E572C84F30D6546D
SHA-512:	56B2CE5E3984A4B9A6D3EDDF8F37D09194AA9ACD09B35A5E67BC145EF7FFC81D15CF2BF9C68CBCA4F686CC92E70C0B9F42FF64C11EFB7BCBE43127C891E7D5A6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="390646" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4660219759551385
Encrypted:	false
SSDEEP:	6144:4IXfpi67eLPU9skLmb0b4yWSPKaJG8nAgejZMMhA2gX4WABl0uNydwBCswSbu:tXD94yWlLZMM6YFHM+u
MD5:	81D85B44945C8427E789D8DC42D4F2D5
SHA1:	56A4D2D9E96CD4FB641FF87FDDC7E8770FC1262B
SHA-256:	9C8608C20DCB6853A81680BEA9F2C6FDEC69B428F45671E2326AC052C767518A
SHA-512:	1E17DF8164A5C93907C0F57AFB6048A295BAC79FF47ED542D206793E66B00CA824FB18BAA6E42F4F215F445D81F167BF8DF3762EF89FCB9E0525F9ACFA07073D
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...Q..................................................................................................................................................................................................................................................................................................................................................e........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.243986810896208
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vsl particulars packing list.exe
File size:	1'563'808 bytes
MD5:	ec3fe16c54946213c717a27606f70243
SHA1:	d11efe4e0f949ff6b14929cd30ae146c1b4a11c9
SHA256:	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695
SHA512:	66125f727ec27d3e1da5c87953e46e928b000d564c784b919ba0b558efe4aa080a2f310e729f03b113ab02bc5aea390bb60a6829d3d586fab414b430d40eab04
SSDEEP:	12288:1hNsCbYGek5/68cYvmjZxVcsK3SCv6vcuqVuMDCqg0h+:14CF/6V1xNK3SnUrRh+
TLSH:	C7751241B2972C23FC9A9875C0C631F426FEAE2734F09A8FDF308E1965865FDA461231
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..3............... ....@...... ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x840105AF [Tue Mar 6 15:11:43 2040 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x9d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x53a2	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x33be	0x3400	13fddeb0a5ecfad9ff39ebeaa6558b8a	False	0.6508413461538461	data	6.210615629852274	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x9d4	0xa00	6d1ee1fe3ac2e11c3235eca22ddd37af	False	0.30859375	data	4.127878733928107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x60b8	0x398	OpenPGP Public Key			0.48586956521739133
RT_VERSION	0x6450	0x398	OpenPGP Public Key	English	United States	0.48586956521739133
RT_MANIFEST	0x67e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 30, 2024 17:43:57.905097008 CEST	49731	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:43:57.910015106 CEST	80	49731	132.226.247.73	192.168.2.4
Jun 30, 2024 17:43:57.910095930 CEST	49731	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:43:57.910285950 CEST	49731	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:43:57.915154934 CEST	80	49731	132.226.247.73	192.168.2.4
Jun 30, 2024 17:43:58.585696936 CEST	80	49731	132.226.247.73	192.168.2.4
Jun 30, 2024 17:43:58.611320972 CEST	49731	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:43:58.616264105 CEST	80	49731	132.226.247.73	192.168.2.4
Jun 30, 2024 17:43:58.817411900 CEST	80	49731	132.226.247.73	192.168.2.4
Jun 30, 2024 17:43:58.885972977 CEST	49731	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:43:59.064812899 CEST	49732	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:43:59.064905882 CEST	443	49732	188.114.96.3	192.168.2.4
Jun 30, 2024 17:43:59.064981937 CEST	49732	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:43:59.071436882 CEST	49732	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:43:59.071475029 CEST	443	49732	188.114.96.3	192.168.2.4
Jun 30, 2024 17:43:59.550406933 CEST	443	49732	188.114.96.3	192.168.2.4
Jun 30, 2024 17:43:59.550476074 CEST	49732	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:43:59.554877996 CEST	49732	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:43:59.554896116 CEST	443	49732	188.114.96.3	192.168.2.4
Jun 30, 2024 17:43:59.555170059 CEST	443	49732	188.114.96.3	192.168.2.4
Jun 30, 2024 17:43:59.598311901 CEST	49732	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:43:59.640520096 CEST	443	49732	188.114.96.3	192.168.2.4
Jun 30, 2024 17:43:59.705740929 CEST	443	49732	188.114.96.3	192.168.2.4
Jun 30, 2024 17:43:59.705812931 CEST	443	49732	188.114.96.3	192.168.2.4
Jun 30, 2024 17:43:59.705957890 CEST	49732	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:43:59.711380005 CEST	49732	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:43:59.714572906 CEST	49731	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:43:59.719495058 CEST	80	49731	132.226.247.73	192.168.2.4
Jun 30, 2024 17:43:59.920450926 CEST	80	49731	132.226.247.73	192.168.2.4
Jun 30, 2024 17:43:59.922938108 CEST	49734	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:43:59.922985077 CEST	443	49734	188.114.96.3	192.168.2.4
Jun 30, 2024 17:43:59.923079014 CEST	49734	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:43:59.923343897 CEST	49734	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:43:59.923360109 CEST	443	49734	188.114.96.3	192.168.2.4
Jun 30, 2024 17:43:59.964268923 CEST	49731	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:00.425081015 CEST	443	49734	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:00.426935911 CEST	49734	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:00.426974058 CEST	443	49734	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:00.575658083 CEST	443	49734	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:00.575742960 CEST	443	49734	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:00.575798035 CEST	49734	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:00.576168060 CEST	49734	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:00.579127073 CEST	49731	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:00.580296993 CEST	49736	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:00.584363937 CEST	80	49731	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:00.584423065 CEST	49731	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:00.585072994 CEST	80	49736	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:00.585136890 CEST	49736	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:00.585246086 CEST	49736	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:00.589946985 CEST	80	49736	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:01.262278080 CEST	80	49736	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:01.299355030 CEST	49738	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:01.299397945 CEST	443	49738	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:01.299464941 CEST	49738	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:01.299721003 CEST	49738	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:01.299735069 CEST	443	49738	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:01.307849884 CEST	49736	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:01.802156925 CEST	443	49738	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:01.809195995 CEST	49738	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:01.809221983 CEST	443	49738	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:01.952651024 CEST	443	49738	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:01.952728987 CEST	443	49738	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:01.952900887 CEST	49738	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:01.953079939 CEST	49738	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:01.956753016 CEST	49741	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:01.968235970 CEST	80	49741	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:01.968314886 CEST	49741	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:01.968389988 CEST	49741	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:01.973231077 CEST	80	49741	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:02.659353018 CEST	80	49741	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:02.660753012 CEST	49742	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:02.660840988 CEST	443	49742	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:02.660921097 CEST	49742	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:02.661202908 CEST	49742	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:02.661237955 CEST	443	49742	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:02.714099884 CEST	49741	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:03.131458998 CEST	443	49742	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:03.139472008 CEST	49742	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:03.139523983 CEST	443	49742	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:03.279800892 CEST	443	49742	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:03.279884100 CEST	443	49742	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:03.280044079 CEST	49742	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:03.280294895 CEST	49742	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:03.283130884 CEST	49741	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:03.284182072 CEST	49744	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:03.288822889 CEST	80	49741	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:03.288902044 CEST	49741	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:03.289323092 CEST	80	49744	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:03.289390087 CEST	49744	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:03.289449930 CEST	49744	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:03.294627905 CEST	80	49744	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:03.992152929 CEST	80	49744	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:04.007606030 CEST	49745	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:04.007642984 CEST	443	49745	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:04.007833958 CEST	49745	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:04.008049011 CEST	49745	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:04.008059978 CEST	443	49745	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:04.042231083 CEST	49744	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:04.501225948 CEST	443	49745	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:04.518698931 CEST	49745	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:04.518722057 CEST	443	49745	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:04.674000025 CEST	443	49745	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:04.674107075 CEST	443	49745	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:04.674158096 CEST	49745	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:04.674474001 CEST	49745	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:04.677372932 CEST	49744	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:04.678438902 CEST	49747	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:04.682631969 CEST	80	49744	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:04.682696104 CEST	49744	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:04.683214903 CEST	80	49747	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:04.683279991 CEST	49747	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:04.683499098 CEST	49747	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:04.688365936 CEST	80	49747	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:05.370619059 CEST	80	49747	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:05.371815920 CEST	49748	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:05.371845961 CEST	443	49748	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:05.371913910 CEST	49748	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:05.372157097 CEST	49748	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:05.372169971 CEST	443	49748	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:05.417233944 CEST	49747	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:05.847951889 CEST	443	49748	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:05.849478006 CEST	49748	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:05.849498987 CEST	443	49748	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:05.977793932 CEST	443	49748	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:05.977896929 CEST	443	49748	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:05.977947950 CEST	49748	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:05.978332996 CEST	49748	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:05.981370926 CEST	49747	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:05.982549906 CEST	49749	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:05.986552954 CEST	80	49747	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:05.986620903 CEST	49747	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:05.987329006 CEST	80	49749	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:05.987406015 CEST	49749	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:05.987466097 CEST	49749	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:05.992461920 CEST	80	49749	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:06.681329966 CEST	80	49749	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:06.682841063 CEST	49751	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:06.682869911 CEST	443	49751	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:06.682929993 CEST	49751	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:06.683213949 CEST	49751	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:06.683223963 CEST	443	49751	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:06.729737043 CEST	49749	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:07.242744923 CEST	443	49751	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:07.244204044 CEST	49751	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:07.244215965 CEST	443	49751	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:07.361500025 CEST	443	49751	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:07.361577988 CEST	443	49751	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:07.361650944 CEST	49751	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:07.362030983 CEST	49751	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:07.364990950 CEST	49749	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:07.366106033 CEST	49753	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:07.370418072 CEST	80	49749	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:07.370486975 CEST	49749	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:07.370910883 CEST	80	49753	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:07.370982885 CEST	49753	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:07.371294975 CEST	49753	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:07.376068115 CEST	80	49753	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:08.096796036 CEST	80	49753	132.226.247.73	192.168.2.4
Jun 30, 2024 17:44:08.097965956 CEST	49754	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:08.098007917 CEST	443	49754	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:08.098088026 CEST	49754	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:08.098319054 CEST	49754	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:08.098340034 CEST	443	49754	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:08.151608944 CEST	49753	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:44:08.565819979 CEST	443	49754	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:08.587271929 CEST	49754	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:08.587311983 CEST	443	49754	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:08.697163105 CEST	443	49754	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:08.697243929 CEST	443	49754	188.114.96.3	192.168.2.4
Jun 30, 2024 17:44:08.697293043 CEST	49754	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:44:08.697696924 CEST	49754	443	192.168.2.4	188.114.96.3
Jun 30, 2024 17:45:06.267482042 CEST	80	49736	132.226.247.73	192.168.2.4
Jun 30, 2024 17:45:06.267563105 CEST	49736	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:45:13.097029924 CEST	80	49753	132.226.247.73	192.168.2.4
Jun 30, 2024 17:45:13.097178936 CEST	49753	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:45:48.108546019 CEST	49753	80	192.168.2.4	132.226.247.73
Jun 30, 2024 17:45:48.113643885 CEST	80	49753	132.226.247.73	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 30, 2024 17:43:57.875514984 CEST	56086	53	192.168.2.4	1.1.1.1
Jun 30, 2024 17:43:57.883023024 CEST	53	56086	1.1.1.1	192.168.2.4
Jun 30, 2024 17:43:59.054368973 CEST	58143	53	192.168.2.4	1.1.1.1
Jun 30, 2024 17:43:59.064204931 CEST	53	58143	1.1.1.1	192.168.2.4
Jun 30, 2024 17:44:41.270313978 CEST	53	56819	162.159.36.2	192.168.2.4
Jun 30, 2024 17:44:41.956546068 CEST	53	62706	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 30, 2024 17:43:57.875514984 CEST	192.168.2.4	1.1.1.1	0x4753	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:43:59.054368973 CEST	192.168.2.4	1.1.1.1	0x6275	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 30, 2024 17:43:57.883023024 CEST	1.1.1.1	192.168.2.4	0x4753	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 30, 2024 17:43:57.883023024 CEST	1.1.1.1	192.168.2.4	0x4753	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:43:57.883023024 CEST	1.1.1.1	192.168.2.4	0x4753	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:43:57.883023024 CEST	1.1.1.1	192.168.2.4	0x4753	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:43:57.883023024 CEST	1.1.1.1	192.168.2.4	0x4753	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:43:57.883023024 CEST	1.1.1.1	192.168.2.4	0x4753	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:43:59.064204931 CEST	1.1.1.1	192.168.2.4	0x6275	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jun 30, 2024 17:43:59.064204931 CEST	1.1.1.1	192.168.2.4	0x6275	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	132.226.247.73	80	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:43:57.910285950 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 17:43:58.585696936 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:43:58 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6a80ce1f132b3aed39391996f19b4f6e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jun 30, 2024 17:43:58.611320972 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jun 30, 2024 17:43:58.817411900 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:43:58 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a79319cd193e1ddb3870bb0f4b75d63f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jun 30, 2024 17:43:59.714572906 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jun 30, 2024 17:43:59.920450926 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:43:59 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c2bf99af3651e110c98f4d68230b2b19 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	132.226.247.73	80	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:44:00.585246086 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jun 30, 2024 17:44:01.262278080 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:01 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3ac1cc30b32d8a391d996fe3e01af362 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	132.226.247.73	80	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:44:01.968389988 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 17:44:02.659353018 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:02 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e827f250fd29d4237d616edbe210665e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	132.226.247.73	80	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:44:03.289449930 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 17:44:03.992152929 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:03 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f8ff360c13d8317dd58739936a1022d7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49747	132.226.247.73	80	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:44:04.683499098 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 17:44:05.370619059 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6c3d69357e3b6b68c23f62515b294596 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49749	132.226.247.73	80	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:44:05.987466097 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 17:44:06.681329966 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:06 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a788fb9566902f7dedc057c71750e1e6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49753	132.226.247.73	80	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
Jun 30, 2024 17:44:07.371294975 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 30, 2024 17:44:08.096796036 CEST	320	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5bcef2be24a4e9684db957b2c7d67cc4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	188.114.96.3	443	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:43:59 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 15:43:59 UTC	711	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:43:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4803 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hP1DgyG0ptL37S81lcp7cIBWNZHmql3nsGxmtgktC%2BvhqiI9cCljFrzr5i%2B8WIkCfUMWg%2BCxzJjdJPJL9rDHUr8V39iHuscX5Egt%2Bp4AwU3%2FupvwuBFcMhIwnQ9URk%2BqPHuVUqUe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf466dcd180c80-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:43:59 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:43:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	188.114.96.3	443	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:44:00 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-06-30 15:44:00 UTC	705	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4804 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e3Qls%2F30aHgiwRj0LXeKn9Zq%2FwwRM0Dxfi8c5wGkAjDUruM2G2CwqQRm2Co6XK1xyUpg6ltzkOz4xC%2BTfqSVVcNL7YvEyRtJjR4Wr2Zv7jPfd0wYA1h1LNxUqZuBbZoo2KGmy4iR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf46732bd441a9-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:44:00 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:44:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	188.114.96.3	443	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:44:01 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-06-30 15:44:01 UTC	713	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4805 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wCCWO4ctSAYjj4YjynzZyCtFdtuQ%2FFDCNPF%2B2405BhmQFjtc6%2Fj0Yq05iZJOI1%2F9pS6WXBeLJ4OgeTZMSI5ZgWMlMNxCk%2B5ktBV%2B6h8a0orT%2FowV0NXEyilaOrd8g8jGK8e0QlLG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf467bc8d71784-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:44:01 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:44:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	188.114.96.3	443	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:44:03 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 15:44:03 UTC	709	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:03 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4807 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eQQAG1Ql4pRzGeimgkYEiZWR5ZXEDpSZQBxthgkQ8mxVZ%2BJxZD897qYh1Blqa3QY%2FWluqxdSiROA690TDzA1nsb0yud8r7svS%2BZ%2FcGZA8acbS1RYe5BvDCl3Um5lR1if8X%2BzzveL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf468409f48cb3-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:44:03 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:44:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49745	188.114.96.3	443	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:44:04 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-06-30 15:44:04 UTC	711	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:04 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4808 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AydF%2FHY0gvIjCPV7pROiVio0%2BacTwMKHL8hrwfL49F2pKpjvvlXeDbQpZ1wzZqU%2Ftwn76pCyR9g2ftkZKyhyHjsSl1YJfhiiJCl%2B4foIOvi0CaM13zZT9XwjJB%2BAcl%2F1Qii5oTwC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf468ca9da436f-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:44:04 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:44:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49748	188.114.96.3	443	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:44:05 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 15:44:05 UTC	713	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:05 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4809 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ea9%2BJZDdMrdQNp7oT%2BdsQEyP4mNoLCPZboyaZVvCkOhG5HivKtn1Xmbec2LWtEbuaPU%2B%2BZNEAwpkoI9Hq4jTHT91H9npZGKW%2Fzygs%2BMixHDwpYPV5DCM78A7urqBo%2FvPMdkL40oc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf4694fb9c42c2-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:44:05 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:44:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49751	188.114.96.3	443	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:44:07 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 15:44:07 UTC	707	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:07 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4811 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i3qm%2Fm3z4%2FI7VO8h63pf2HVDUnjwu6NCNJaR6EQS%2BHGOifeXb35Hq5xDhfhd9iQlBEM7PHWer7B1y6nSY8x4Kqfp2seYjM0cYWgyqoztD%2FwgFTKCvJbU8bgqb7H1gzF1GAXumLJU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf469d8b425e67-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:44:07 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:44:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49754	188.114.96.3	443	6712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-30 15:44:08 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-06-30 15:44:08 UTC	705	IN	HTTP/1.1 200 OK Date: Sun, 30 Jun 2024 15:44:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4812 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UFrOhelxWFYg53PHDM6gUkYc1%2BiHze53sB9w8Qbj7bdYxq42nkuQYD6bOTwvXqpd29MYDUdEcBQApbzM%2FS87zPbMZsoS3ZPLW6Cqko8C0VGJ0NHmaLmFLhqGs%2B1GhRqfkuSHY2H3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89bf46a5fc2b78e7-EWR alt-svc: h3=":443"; ma=86400
2024-06-30 15:44:08 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-06-30 15:44:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:43:55
Start date:	30/06/2024
Path:	C:\Users\user\Desktop\vsl particulars packing list.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\vsl particulars packing list.exe"
Imagebase:	0x1cd567a0000
File size:	1'563'808 bytes
MD5 hash:	EC3FE16C54946213C717A27606F70243
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1794048953.000001CD68577000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1793618699.000001CD58427000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:43:56
Start date:	30/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:	0xcc0000
File size:	108'664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4124784571.0000000003470000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.4123958072.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4124784571.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:43:57
Start date:	30/06/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4888 -s 1052
Imagebase:	0x7ff7acab0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9B89E279 Relevance: 6.7, Strings: 4, Instructions: 1670COMMON

Download Yara Rule

Strings

x6?h, xrefs: 00007FFD9B89EF39
[M_H, xrefs: 00007FFD9B89E28E
x6?h, xrefs: 00007FFD9B89F049
PM_H, xrefs: 00007FFD9B89ED8E

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: PM_H$[M_H$x6?h$x6?h
API String ID: 0-4222352242
Opcode ID: 4307d0da846d3305d9dea6c678a62d9cfc44ded266ee4269f8d82a671e00717f
Instruction ID: 768a539de0267488db79e05f834a50af59319d75b91110186b3d928e0c44d03c
Opcode Fuzzy Hash: 4307d0da846d3305d9dea6c678a62d9cfc44ded266ee4269f8d82a671e00717f
Instruction Fuzzy Hash: B5B29A3070DB494FDB29DB28C4A14B5BBE1FF99301B1145BEE48AC72A6DE34E946C781

Function 00007FFD9B898390 Relevance: 5.4, Strings: 3, Instructions: 1666COMMON

Download Yara Rule

Strings

$?h, xrefs: 00007FFD9B8A07BC
x6?h, xrefs: 00007FFD9B8A04FB
x6?h, xrefs: 00007FFD9B8A0520

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: $?h$x6?h$x6?h
API String ID: 0-3066717606
Opcode ID: 2d4e4fc3f4f3ff186e015f53fb2ea33f9ba73fb6478eb3b11942a75d7a2a5889
Instruction ID: 7ff4456a26daf5a3af93488f158f245a8e9d48048d9ce9819114c14afc757d8b
Opcode Fuzzy Hash: 2d4e4fc3f4f3ff186e015f53fb2ea33f9ba73fb6478eb3b11942a75d7a2a5889
Instruction Fuzzy Hash: 9FC2E431B1AA4D8FDBA8DB58C465AB877E1FF59300F1501BAD04EC72A2DE34AD42CB51

Function 00007FFD9B9600D6 Relevance: 3.3, Strings: 1, Instructions: 2043COMMON

Download Yara Rule

Strings

A, xrefs: 00007FFD9B960786

Memory Dump Source

Source File: 00000000.00000002.1795504324.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 399849195bdddebefe9e2c76044a9ea4582ea10ab9b3219d8e6bd4348d11f5e7
Instruction ID: eee4481abc332e9317b934a84a4278f64b9fe3bc7d768a4f1e307a165e8a4e8d
Opcode Fuzzy Hash: 399849195bdddebefe9e2c76044a9ea4582ea10ab9b3219d8e6bd4348d11f5e7
Instruction Fuzzy Hash: 27D26C71A1F7C99FDB66DB6888A55A87FE0FF52700F0601FED089CB0A7DA146906C781

Function 00007FFD9B89B6F1 Relevance: 2.8, Strings: 1, Instructions: 1564COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9B89BA9E

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: ec6b0a604f84d75502b4aaf2c54024eea4a5c848adf17e072f1c1c1a877977fb
Instruction ID: 8db4b3ff491ffb8d795ac81dc6ff639da91da91355159f5d83b86054b4dd6ce9
Opcode Fuzzy Hash: ec6b0a604f84d75502b4aaf2c54024eea4a5c848adf17e072f1c1c1a877977fb
Instruction Fuzzy Hash: ADB2693060EB8A4FEB19CF68C4A44A47BF1FF99300B1545BED48AC72A6DE35E946C741

Function 00007FFD9B898388 Relevance: 2.2, Strings: 1, Instructions: 928COMMON

Download Yara Rule

Strings

YM_H, xrefs: 00007FFD9B89CCC4

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: YM_H
API String ID: 0-2854685086
Opcode ID: e593939f4e94aa0e779a3347cabe60bd5fdfde5ae527140dfa3de84773c933e8
Instruction ID: f888b8ec4b6fd9dc0c74f157b8c314150799b9d9982da4087a46699a36733563
Opcode Fuzzy Hash: e593939f4e94aa0e779a3347cabe60bd5fdfde5ae527140dfa3de84773c933e8
Instruction Fuzzy Hash: 1752E830B09A0D4FDF68DB68D865A797BE1EF59301F15017EE44EC72A2DE24ED428B81

Function 00007FFD9B891608 Relevance: 2.0, Strings: 1, Instructions: 706COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B89433F

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 2d5205486801b42085a16d4d307cceaa65b8baca7d81965d541142160cb39179
Instruction ID: 9a10dfd805a202cf1a830536c732a7c72ca566580a7ffec5c2f696fcebce5dc6
Opcode Fuzzy Hash: 2d5205486801b42085a16d4d307cceaa65b8baca7d81965d541142160cb39179
Instruction Fuzzy Hash: 3D127831B1EA4A4FEB2DDB6894A15717BD0EF49310B1902BED45EC71A7EE24F8438781

Function 00007FFD9B8937DC Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

fish, xrefs: 00007FFD9B893830

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: e92f010e66223c1745d2c6e0d7bc04361374a688741239ba89875cc02234b1e3
Instruction ID: 46974b71477c4b9d47ba0ee15445cd09d145eb34165678d23d0333bda7d35565
Opcode Fuzzy Hash: e92f010e66223c1745d2c6e0d7bc04361374a688741239ba89875cc02234b1e3
Instruction Fuzzy Hash: 39C16C31B1DA4D0FEB6CEB68986557977E1EF9A310B0502BED08BC31E7DD24AD068381

Function 00007FFD9B89FA0F Relevance: 1.4, Instructions: 1370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6fe0cc0d9f7b9db6e3c2c7c44c2d5654f40172d055d79f3f3a15e712f5e18c
Instruction ID: 5736b6a4314d7dd6fd746267e48e36335484fe569f2c31575819fe7630744077
Opcode Fuzzy Hash: 8f6fe0cc0d9f7b9db6e3c2c7c44c2d5654f40172d055d79f3f3a15e712f5e18c
Instruction Fuzzy Hash: 67726630A1EB4E4FE769DB28C4615B577E1FF99300B0146BED48EC72A2DE24E946C781

Function 00007FFD9B89B310 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3eced4cfd862b68090ca58abc0fb66bf1bbd82db39431f7baf0a2eea512481
Instruction ID: fa29b9d6f7558b40032a10a00978a3733c8bf4ee352655dc198964991d0e4d46
Opcode Fuzzy Hash: ad3eced4cfd862b68090ca58abc0fb66bf1bbd82db39431f7baf0a2eea512481
Instruction Fuzzy Hash: FCC19B3161DB894FE72DCB6984A11B5BBE2FF89301B1546BED8C7C32B1CE24A506C781

Function 00007FFD9B8A4370 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a28ab5730b9db5e5dbcc98cfa8924de2f50827954b7eef58d23d111a6209fba
Instruction ID: 1a1d72ca55e58198dbc2e9ad2008cb9b85fee5b776f80aed914a154a06869263
Opcode Fuzzy Hash: 1a28ab5730b9db5e5dbcc98cfa8924de2f50827954b7eef58d23d111a6209fba
Instruction Fuzzy Hash: C341373170D7890FDB1E9A3888660B57BA6EB87220B1A82BFD1D7C75E7DC14590783D2

Function 00007FFD9B8A43C9 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d1538e0f48d548ae96fb6680c9ae3c69866f91d2b2c17428e3c2d2e175561d
Instruction ID: cea03f5781392a968f63e19ba0564b20b201ac8d4512bdfe39705efec4ff030c
Opcode Fuzzy Hash: 38d1538e0f48d548ae96fb6680c9ae3c69866f91d2b2c17428e3c2d2e175561d
Instruction Fuzzy Hash: 3D41282160D6890FDB1E963888661757B66EB87210B1AC2BFD4DBC71E7DC24590783D2

Function 00007FFD9B890D35 Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

([?h, xrefs: 00007FFD9B890D84
8[?h, xrefs: 00007FFD9B890DC4
0[?h, xrefs: 00007FFD9B890DA0
[?h, xrefs: 00007FFD9B890D68

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: [?h$([?h$0[?h$8[?h
API String ID: 0-519933655
Opcode ID: ec0803af0be2d79fb0ae68bf2fff00a194395fff442e51d91145be7856b379ff
Instruction ID: 0aa6ec59e85ab08475bf2d7708713772ed18ec417ac8bdc621d91c3cede9b9e2
Opcode Fuzzy Hash: ec0803af0be2d79fb0ae68bf2fff00a194395fff442e51d91145be7856b379ff
Instruction Fuzzy Hash: 8951F662B1EA890FEB9AA36C44316746FD2DF9E640B5741F6D04CCB2E7DC186D028352

Function 00007FFD9B890939 Relevance: 5.1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

[?h, xrefs: 00007FFD9B890975
([?h, xrefs: 00007FFD9B890991
0[?h, xrefs: 00007FFD9B8909AD
8[?h, xrefs: 00007FFD9B8909C9

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: [?h$([?h$0[?h$8[?h
API String ID: 0-519933655
Opcode ID: eaab30f2968a04f4c54db7866ed6c727db72e69c0476fdcddbcef1debe77a4a1
Instruction ID: 956b9e7795d8ce4c9c3ee0ce767d21a906fb027a7ddcf0f6ef4241828d9e489d
Opcode Fuzzy Hash: eaab30f2968a04f4c54db7866ed6c727db72e69c0476fdcddbcef1debe77a4a1
Instruction Fuzzy Hash: A721A561A0E68A0FEB0AA7B448316E57EA1DF4A244F5641F6E04DCB1D3ED2C5A0643A2

Function 00007FFD9B895ED0 Relevance: 2.9, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

x6?h, xrefs: 00007FFD9B896279
x6?h, xrefs: 00007FFD9B895F94

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: x6?h$x6?h
API String ID: 0-4123471062
Opcode ID: fb9b1ad5dce9110a798901dbfd78c48aae400fe1e55b4aa5b351c7552aff9d6e
Instruction ID: e62b07892ed138f15563e17e27edc4f4a31685038084062b54f143a454b492b8
Opcode Fuzzy Hash: fb9b1ad5dce9110a798901dbfd78c48aae400fe1e55b4aa5b351c7552aff9d6e
Instruction Fuzzy Hash: A0D1F571A09A1E4FDFA8EF58C860AF977A1FF58344F1101B9D41AD71A6DE34E902C780

Function 00007FFD9B890F31 Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

([?h, xrefs: 00007FFD9B890F87
[?h, xrefs: 00007FFD9B890F7A

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: [?h$([?h
API String ID: 0-4238421251
Opcode ID: c1d83866bfaa9f15de4e471e88b9e64a919b1e027e34a052616485789a7aad8e
Instruction ID: 7520edcc446f07c6e24bdf304d8aa600ea06096a43c246ddd9d852183006268e
Opcode Fuzzy Hash: c1d83866bfaa9f15de4e471e88b9e64a919b1e027e34a052616485789a7aad8e
Instruction Fuzzy Hash: C131E931B19A5C5FDF85EB68C8699A97BB2FF99700B1500AAE00DC72D6DE245D02C741

Function 00007FFD9B8904D8 Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

([?h, xrefs: 00007FFD9B890F87
[?h, xrefs: 00007FFD9B890F7A

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: [?h$([?h
API String ID: 0-4238421251
Opcode ID: d17fa9e06d88d0c529f0616d87f2475c7577da393f7fd45750094c565c3e4b4c
Instruction ID: 12b5227f0f0f68d0c879bb564846dbd88a24f5660961a9a76efd2ad26ab3431a
Opcode Fuzzy Hash: d17fa9e06d88d0c529f0616d87f2475c7577da393f7fd45750094c565c3e4b4c
Instruction Fuzzy Hash: 8921A271B1895C5FDB99EB68C869AA977B2FF98700F1500A9E00ED32D5DE34AD02C781

Function 00007FFD9B890620 Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

@~?h, xrefs: 00007FFD9B891983
@~?h, xrefs: 00007FFD9B8919E0

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: @~?h$@~?h
API String ID: 0-3510672242
Opcode ID: 62e39e22cddc98feb29ac4beab6608235948e55595c87c868ec152d2a36a3b58
Instruction ID: 56360e0e45e612baa5e56ae0f89c904d459ac8e0bd61f68e4788c176bb18644e
Opcode Fuzzy Hash: 62e39e22cddc98feb29ac4beab6608235948e55595c87c868ec152d2a36a3b58
Instruction Fuzzy Hash: 9D113D22E0E58A1FEB26677454206A57EA1DF9A240F5A01FAD44CC71D7ED1C59064341

Function 00007FFD9B89D5D0 Relevance: 1.9, Strings: 1, Instructions: 698COMMON

Download Yara Rule

Strings

x6?h, xrefs: 00007FFD9B89DEE6

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: x6?h
API String ID: 0-3030256923
Opcode ID: 11aa92d38db9d127350735970e9996bf6d5e7f5a78536a7acbca58e79c2b0fe5
Instruction ID: 267627c804ccb9ce43e8ab15a80e27707764108acf35096f810a798480cc9149
Opcode Fuzzy Hash: 11aa92d38db9d127350735970e9996bf6d5e7f5a78536a7acbca58e79c2b0fe5
Instruction Fuzzy Hash: 29126A32F0EA4E4FEBB8DB6854656757BC1EFA8300B0501BED44EC72E6DD18AD068385

Function 00007FFD9B898B30 Relevance: 1.8, Strings: 1, Instructions: 588COMMON

Download Yara Rule

Strings

x6?h, xrefs: 00007FFD9B89F390

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: x6?h
API String ID: 0-3030256923
Opcode ID: dbaa7a75ca203c5cce39887e3c8d657d1b5c0887fb9f0ffd67b443a28c8165b3
Instruction ID: 0cfbee2e47352e050c0e8175e908592fdf67d3eef303aab64f7f9d3310a19c8c
Opcode Fuzzy Hash: dbaa7a75ca203c5cce39887e3c8d657d1b5c0887fb9f0ffd67b443a28c8165b3
Instruction Fuzzy Hash: 5602E871B19E4D8FEBACDB5888656B87BD1FF9C310F1501BAD04CC72A2DE28B9468741

Function 00007FFD9B8919F9 Relevance: 1.8, Strings: 1, Instructions: 581COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8920A4

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: b54ed14566f6317fab5d0ad8ad3ce3de9de5899f7aa71cd0e46a5247ea5b0871
Instruction ID: 4bcc298729155ac3a9791734cb2c4f1301a8d9c218ed7727c2aac42b762688d5
Opcode Fuzzy Hash: b54ed14566f6317fab5d0ad8ad3ce3de9de5899f7aa71cd0e46a5247ea5b0871
Instruction Fuzzy Hash: FA021731B1EA4D4FEBA9EB5C84A56747BE1EF99300B5601FAD05EC71A3DE24BC068341

Function 00007FFD9B893331 Relevance: 1.7, Strings: 1, Instructions: 457COMMON

Download Yara Rule

Strings

x6?h, xrefs: 00007FFD9B893528

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: x6?h
API String ID: 0-3030256923
Opcode ID: 89075ae770375dc10b0a12f245aae4a0d5079cfacdeed5041edf5f341b8c2f2a
Instruction ID: 452e61f9bdc8f9005bb1d11960060d69c73a7e29e5e80c05adae15d42d2aae8a
Opcode Fuzzy Hash: 89075ae770375dc10b0a12f245aae4a0d5079cfacdeed5041edf5f341b8c2f2a
Instruction Fuzzy Hash: D4C18E21B1EA4F4FEB2E9B5498A01B57BD1FF99300B59427EC08BC32D6DD2CB9438240

Function 00007FFD9B89F2C9 Relevance: 1.6, Strings: 1, Instructions: 400COMMON

Download Yara Rule

Strings

x6?h, xrefs: 00007FFD9B89F390

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: x6?h
API String ID: 0-3030256923
Opcode ID: c02b75d3d731770c11bd07cd1909c82e4b3b15f79d44211be781844c4fa85468
Instruction ID: 12e88f4f96d0ffc2fdf986034ca864a3c352bb80abde526b0627a31acdb566f5
Opcode Fuzzy Hash: c02b75d3d731770c11bd07cd1909c82e4b3b15f79d44211be781844c4fa85468
Instruction Fuzzy Hash: 5DC1D471B19E4E4FEBACDB4884656B43BD1FFAC311F5601BAD04CC76A2DD28B9064781

Function 00007FFD9B8906F8 Relevance: 1.6, Strings: 1, Instructions: 375COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8920A4

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 9fb6578b49653be6a3de44b3796a876ceeb091d5884435ed267cadf1b0ba105e
Instruction ID: a3b463770cfa93274d676edfb1de6c4d8f6226ca66ef12c9a9c9dc37c1b00847
Opcode Fuzzy Hash: 9fb6578b49653be6a3de44b3796a876ceeb091d5884435ed267cadf1b0ba105e
Instruction Fuzzy Hash: E6B12F30B18A094FEB6DEB58C4A1971B7E1FF99310B1046B9D09FC36A6DE25F8538780

Function 00007FFD9B898B28 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

x6?h, xrefs: 00007FFD9B89F049

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: x6?h
API String ID: 0-3030256923
Opcode ID: 9fae5ef832ffc61e51b64232ce90c02d2443b42ecf06a3bf2ffd65820bbc52e9
Instruction ID: 5c15b72f621fb83d2d5978ddb2d0232e4cbde89474f39be1dad682b6d9401a2f
Opcode Fuzzy Hash: 9fae5ef832ffc61e51b64232ce90c02d2443b42ecf06a3bf2ffd65820bbc52e9
Instruction Fuzzy Hash: 9C71D171A08D0D4FEF5DEB18D865AB87BE1EF69300F15017AE40EC71A6EE24BD468781

Function 00007FFD9B8904C0 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

h[?h, xrefs: 00007FFD9B890A5E

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: h[?h
API String ID: 0-2760377079
Opcode ID: 53e9ea45f17be9d03d13a640412e250752340a4da3b8287ca37b5368c5867d7e
Instruction ID: 69a74457affa36a7e6d82d6bb3d13df75a4c57929fdf6e4fa0d1f794a93f23e2
Opcode Fuzzy Hash: 53e9ea45f17be9d03d13a640412e250752340a4da3b8287ca37b5368c5867d7e
Instruction Fuzzy Hash: 8C51AD31B2E64E4FEB5DABA898121B57BC1EF46720F1601B9C49EC7197E918BC4383C1

Function 00007FFD9B892DE0 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B89433F

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 4e53a7adf4f5594b5cb4b2467f801ffc757badf2d48cc92d1d12a92065b5ebe4
Instruction ID: 12cd818e22e494592448de53e7ff0f6e9d27bd9d47da500dfc625f14a56411ec
Opcode Fuzzy Hash: 4e53a7adf4f5594b5cb4b2467f801ffc757badf2d48cc92d1d12a92065b5ebe4
Instruction Fuzzy Hash: 7151E130B29A098BEB6CDF58C49293177D1FF59304B1A01BCD95EC72A7EE24F952C681

Function 00007FFD9B896116 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

x6?h, xrefs: 00007FFD9B896279

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: x6?h
API String ID: 0-3030256923
Opcode ID: cc6db66a6b761461e6a9c97e365403862657818649caee339c69fd01f7393ce9
Instruction ID: fcd4519cdbdf75f3c13b9b5ee3b83a7463a9cd498e99e60a43b37f7d1cd7fcfc
Opcode Fuzzy Hash: cc6db66a6b761461e6a9c97e365403862657818649caee339c69fd01f7393ce9
Instruction Fuzzy Hash: F9512775A1991E8FEF98EF98C460EE877E1FF58344B110279C419DB1AACA35F542CB80

Function 00007FFD9B8909E5 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

h[?h, xrefs: 00007FFD9B890A5E

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: h[?h
API String ID: 0-2760377079
Opcode ID: 52036779287ab3e805e3fbd7061aeb3ffac5af6c783a1743afd192b0fc5cbc87
Instruction ID: 5400b82ffaa50fe7dedea624444f771a66be8c9ad8873cfcde11f1be9b1cbfc4
Opcode Fuzzy Hash: 52036779287ab3e805e3fbd7061aeb3ffac5af6c783a1743afd192b0fc5cbc87
Instruction Fuzzy Hash: EF31BD62B2EA1D0FEB5DA6688C525B43BC0DF56720B1701B5C88AC71A7E818FC4343C1

Function 00007FFD9B8A4563 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B8A456E

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID: 0-2740779761
Opcode ID: baa8fedddd101a4ed9f90876e6117341bd35d817ea1e9953bb26a4f80f9803ea
Instruction ID: 75b7e95e796204c88a6ad9f76d7a1c5cc00d24ac7ac5156fce3bcbf6628b4c2a
Opcode Fuzzy Hash: baa8fedddd101a4ed9f90876e6117341bd35d817ea1e9953bb26a4f80f9803ea
Instruction Fuzzy Hash: CEF0E9307581054BCB1C962C8972039739BE7C6315368D33EE597C73EADD34E9078648

Function 00007FFD9B891610 Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be870de86330eac059ee98e35717896e3d8882b9ead913f1ac14530a7a6742d
Instruction ID: ca0dd209201d2a093943508d5e71b56070b1c4a9bb4c6d1973ba09158e063539
Opcode Fuzzy Hash: 4be870de86330eac059ee98e35717896e3d8882b9ead913f1ac14530a7a6742d
Instruction Fuzzy Hash: 23E15271B0EA0A4FEF2D9B6884A05B577D1EF99350B2502BDD09FC75E6DD28F9428380

Function 00007FFD9B8972FD Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fd2019165ada1b790ed866f5d6119eaf56ed89bb75e53ba8a606c0a758b008
Instruction ID: cfaf3ce9a6119dd31b2bd255be79a8074e442a18b44b1e165f964f5f439b05a1
Opcode Fuzzy Hash: f4fd2019165ada1b790ed866f5d6119eaf56ed89bb75e53ba8a606c0a758b008
Instruction Fuzzy Hash: 0DB1E371B0A65D8FDF59EBACD8649EC7FB0EF59310F0501BBD049CB1A2DA28A946C740

Function 00007FFD9B8A02C8 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bffe9bb811335efb1557fa3015d3b4171632a97ab6efe322ce7e24af19f703d
Instruction ID: ab4b385a5906d7cdf578f3027987a5037bb842d6b91b685b550d9fbb02071806
Opcode Fuzzy Hash: 5bffe9bb811335efb1557fa3015d3b4171632a97ab6efe322ce7e24af19f703d
Instruction Fuzzy Hash: B2C18831B2EB4D4FE778DB58946167477E1EF99700F0101BED48DC72A2EE28AD428791

Function 00007FFD9B898F70 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5611be8958d9bc33eda8b63220e096709e7419f8ef702727217f22eed955650f
Instruction ID: 73ee4db19bb37bc471fd870622bfcad3e968c65264f7563dd836815ec326eeb7
Opcode Fuzzy Hash: 5611be8958d9bc33eda8b63220e096709e7419f8ef702727217f22eed955650f
Instruction Fuzzy Hash: 0CA14430A1DB494FEB29DB688865470BBE1FF59300B1549BDD0ABC36A7DA25BC43C741

Function 00007FFD9B89CAEA Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777396b4e87f0581f918045f06e4af248de3a9f0ef23a846e5e0b9bb1c3592e2
Instruction ID: 0946352544bc8b38b646262baca44cd6b50bcb4ca67134372294c34643849666
Opcode Fuzzy Hash: 777396b4e87f0581f918045f06e4af248de3a9f0ef23a846e5e0b9bb1c3592e2
Instruction Fuzzy Hash: A591F531B0990D4FDFB8DB5C9865A797BD1EF9C301B1501BEE04EC72A2DE25AD428B81

Function 00007FFD9B898F0D Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac3c42194a9c9b0f3c23fdafc258778522a60a59568cd214a97c18b56945931
Instruction ID: 8576c7663ec0556f951a76e086fefe5c8ba2863ecb48e24d7d8eec454884cb4c
Opcode Fuzzy Hash: 4ac3c42194a9c9b0f3c23fdafc258778522a60a59568cd214a97c18b56945931
Instruction Fuzzy Hash: 67811231A1EB4A4FEB29CB688865470BBE1FF5934071545FEC0ABC76A3DA25B843C741

Function 00007FFD9B8A3780 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485f0987bbd9cd2da62438953053e3863fd56b82d76a2e1de14de73396a63ea4
Instruction ID: da19218480cbff1cae70a14f55587775d95fc35f952e9801d4be33ff6a8d51a9
Opcode Fuzzy Hash: 485f0987bbd9cd2da62438953053e3863fd56b82d76a2e1de14de73396a63ea4
Instruction Fuzzy Hash: E7814961B1DFCA0FD75DA77858719A5BBE1EF65200F0482FAC04AC31EBED28A4068351

Function 00007FFD9B8A2515 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c87239f74f54905dedea4f46666979f450fbef592b7a1ceb87924a8767bd2b
Instruction ID: a89a356cc3b958ed568e984b5bab28e838117071d6c95cf0226b8818537e4a51
Opcode Fuzzy Hash: d1c87239f74f54905dedea4f46666979f450fbef592b7a1ceb87924a8767bd2b
Instruction Fuzzy Hash: B4710231A0DE4D4FDB99EB5CD864AA8B7E1FF68300B0501AAD40DC72A6DE24AD468781

Function 00007FFD9B8A457E Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2f914920099bc0371c6fdcd861eb9d6f2d0258c75e8fb55fa5234145497448
Instruction ID: 20b6d7f49ad59b8b7c189e56f2d5c47c970865e682fc1fc552c21995055f9ee0
Opcode Fuzzy Hash: 1c2f914920099bc0371c6fdcd861eb9d6f2d0258c75e8fb55fa5234145497448
Instruction Fuzzy Hash: 2B81AE6254E3C60FD71B8B7488614A57FB1EF9322071E81EFD0C6CB1E3E528991AC762

Function 00007FFD9B8A2530 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0cd269352d70cc68715de1b38eef94f35a1dde35708005885f7013efce35842
Instruction ID: bac512ea1c4f3f5d2bb70ba2a57800ec528f13723f6dacb62515bbb94dc12647
Opcode Fuzzy Hash: b0cd269352d70cc68715de1b38eef94f35a1dde35708005885f7013efce35842
Instruction Fuzzy Hash: 8561D231A08D4D8FDF99EB5CD865AA8B7E1FF68300F05016AD40DC72A6DE34AD468781

Function 00007FFD9B8904B8 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b894cd243e672951acc289b101f004428d2dd9826aee2521e49f7dcdfbf10c68
Instruction ID: 6361362eae46faa692f42516ae6ccb9dc3b6d68a20b22e2570a902e665fc55f8
Opcode Fuzzy Hash: b894cd243e672951acc289b101f004428d2dd9826aee2521e49f7dcdfbf10c68
Instruction Fuzzy Hash: 2471B730B1DA095FFB69A7B898257B97AD2EFCC310F15407ED40ED32E7DD28A9424641

Function 00007FFD9B896F40 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0687e4a342ddf7da4650a2cdb68ff37a0bb1c812ed2682d01f4bb0014539c87c
Instruction ID: c0c2b468fa08906822f5d1b9342092c45f7cb301bd96c92bbebc7ed1db7a1f56
Opcode Fuzzy Hash: 0687e4a342ddf7da4650a2cdb68ff37a0bb1c812ed2682d01f4bb0014539c87c
Instruction Fuzzy Hash: F0713330A19A094FEB28DB58C865571BBE1FF59344B1149BDD4AFC36A3DE26BC038780

Function 00007FFD9B896A70 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e0596e7131d56f469f5406e020e961e9c4d3f09cf120055638a86244f591b1
Instruction ID: bfe16b3e58058f7841b4f50612fccf5cf5693c8c02d58efcf1a768994914e83e
Opcode Fuzzy Hash: c3e0596e7131d56f469f5406e020e961e9c4d3f09cf120055638a86244f591b1
Instruction Fuzzy Hash: C271F570A1961E8FDB59DF58C4A05BA7BA2FF88304F154179E01DC7296DA35ED82C780

Function 00007FFD9B8A4B64 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8b979b9bbd66e5fe3307735784929920f3e92ff8f3b4a5f9ede439f6e764b9
Instruction ID: a8407597cbf2e3b531f3b69d6236eca8984b3d4c31c3e546be100803b924cffc
Opcode Fuzzy Hash: 2a8b979b9bbd66e5fe3307735784929920f3e92ff8f3b4a5f9ede439f6e764b9
Instruction Fuzzy Hash: 6C717C7150E3C54FD71B8B7488A54A17FB1EF5722071A81EFD0C6CB1B3D528A94ACB62

Function 00007FFD9B893DF2 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ed3c1002b59deba68f62478f8aec227127196201ceb8d1ffb377998881adec
Instruction ID: 203d8462c9109e2e726d243cfd49921599082a77ab8c68247529202a26f9dd43
Opcode Fuzzy Hash: c3ed3c1002b59deba68f62478f8aec227127196201ceb8d1ffb377998881adec
Instruction Fuzzy Hash: 4F51063170F90E4FEBB8EF9C94646B977D0EF49311B1201BAE44EC71A2DD28AD4187A0

Function 00007FFD9B8929ED Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287fcf927b47f24c233d4ef5446842ca3ea7e5874eec825b15cbb622da4014a4
Instruction ID: 17518e4479ec6d2c14f0df36794c7d37b801b7ccaa82ca79bceb88a1377c6f46
Opcode Fuzzy Hash: 287fcf927b47f24c233d4ef5446842ca3ea7e5874eec825b15cbb622da4014a4
Instruction Fuzzy Hash: BB51E531B0A94D4FDF5CEB6898656B877E2FF9D340B4501BAD00EC72E6DE29A9024741

Function 00007FFD9B8A4873 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6594b4a3624d62adc8544e7e1d14f7518010ab545951c3ed6129ab27b5c15d
Instruction ID: a6b0aa82093f4f54e5ceef72a7d0c4695b9d998b0f045632b78a1ccdaac1c815
Opcode Fuzzy Hash: 6a6594b4a3624d62adc8544e7e1d14f7518010ab545951c3ed6129ab27b5c15d
Instruction Fuzzy Hash: 86615A6250E3C14FD71B8B7488A54A17FB1AF6722071B81EFD0C6CF5E3E518A94AC762

Function 00007FFD9B8A4749 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e3880ec355bbe4830e2920c83b8241c91c983a1d8555cfd21611ad1075ebab
Instruction ID: 91918cac56d58f5239bd2c117f4029ea55c2a0b25234879e36767bf993d4c3fd
Opcode Fuzzy Hash: 12e3880ec355bbe4830e2920c83b8241c91c983a1d8555cfd21611ad1075ebab
Instruction Fuzzy Hash: 5A71566250E3C64FD71B8B7488654A17FB1AF57220B1E81EFD0C6CB1F3E528694AC762

Function 00007FFD9B8A47E0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9950ea0f02b5cd1792091210821553f201f790264e6d2979fdbf1494086e56
Instruction ID: a5b648a06e54b746ed142ea494183be86a63146a9b089edfd631da8f8689606a
Opcode Fuzzy Hash: df9950ea0f02b5cd1792091210821553f201f790264e6d2979fdbf1494086e56
Instruction Fuzzy Hash: 9161776250E3C64FD71B8B7488614A17FB1AF6322071B81EFD0C6CF1E3E529994AC722

Function 00007FFD9B8A4D01 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f997328fd73b132407e1ad0cca05a79f060cd7b5bf3fddebd0173e5d48a3aa
Instruction ID: 390896cdc15e74e8135e6efab3ac95c9832d808a657726fbf8d12240e1ef08a0
Opcode Fuzzy Hash: 12f997328fd73b132407e1ad0cca05a79f060cd7b5bf3fddebd0173e5d48a3aa
Instruction Fuzzy Hash: AF61866250E3C64FD7178B7488654A17FB1AF6322071B81EFC0C6CF0B3E528A95AC762

Function 00007FFD9B89AF38 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa953908a9bc2cc9a54f2b098a0dc18d055162b5a2db89ea3abdacc3e034e74
Instruction ID: 454806c90671aca6ff6a5ceee7461afa7dee83c0c1efb317cfc2d6689e30c0ef
Opcode Fuzzy Hash: dfa953908a9bc2cc9a54f2b098a0dc18d055162b5a2db89ea3abdacc3e034e74
Instruction Fuzzy Hash: 7B519F31B0D7864FE719CB6888A1065BFD2FFDA300B0446BED0DAC72E2DA34A506C781

Function 00007FFD9B8A4A35 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032ab38bd508725579a3a69c7047fa81a153bccb734919b886d3e700270568c5
Instruction ID: 425f73e984a10250a36facb19289bc8786df83caa62ea138e2d8fe2ac12ff1f8
Opcode Fuzzy Hash: 032ab38bd508725579a3a69c7047fa81a153bccb734919b886d3e700270568c5
Instruction Fuzzy Hash: 0B61456250E3C64FD7178B7488614A17FB1AF67220B1F81EFD0C6CF1A3E528695AC762

Function 00007FFD9B8A4C1F Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70b9f0272f696b27fe63d6b5daa5e8d69da809063d2c14b21088c01cceefd11
Instruction ID: fd68b73c888fd31b6b0f21c7602e884f0cf272e775d9516736ae1141f8737bfa
Opcode Fuzzy Hash: c70b9f0272f696b27fe63d6b5daa5e8d69da809063d2c14b21088c01cceefd11
Instruction Fuzzy Hash: B861686250E3C64FD7178B7488614A17FB1AF6722071F81EFD0C6CB1B3E5285A5AC762

Function 00007FFD9B89C79D Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abba04914df4b788ff8a1edbba36f4a460d59a2a1639b252f8f953a2fea3b6bd
Instruction ID: 0babd499979c6349263a47dcc4e5f7097cebeeed41f8d343c217ef040c317215
Opcode Fuzzy Hash: abba04914df4b788ff8a1edbba36f4a460d59a2a1639b252f8f953a2fea3b6bd
Instruction Fuzzy Hash: 7351363060EB8D5FD769872C84654767FE1EF9A710B0506BEE0CBC36A2CD25A9028782

Function 00007FFD9B8A4696 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8889989919b1278e5cf0994e0f0d6632cfc8a3f786da7f42a3303bc509f811bb
Instruction ID: cf651410a2795cf228dd5490b1f114007d3bdad2f247c43f45c20ef7ee441721
Opcode Fuzzy Hash: 8889989919b1278e5cf0994e0f0d6632cfc8a3f786da7f42a3303bc509f811bb
Instruction Fuzzy Hash: 2361656250E3C64FD7178B7488614A17FB1AF6322071F81EFD0C6CB1A3E518AA5AC762

Function 00007FFD9B8A4A83 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb419a4654221cd129d30ae38478173b5934c14823ce2209dfdc74e9fd86d608
Instruction ID: 1c6d41c83669a2fd6ddc9335276e9ebe5b52e321f0e5d10268ac0a1530a84c20
Opcode Fuzzy Hash: eb419a4654221cd129d30ae38478173b5934c14823ce2209dfdc74e9fd86d608
Instruction Fuzzy Hash: C661666250E3C64FD7178B7488614A17FB1AF67220B1F81EFD0C6CF1A3E5186A4AC762

Function 00007FFD9B8A4911 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009a3826e87b5a288b43708f8ef26d8873ff225a48c28932b5be47d064c97cf6
Instruction ID: ba972c9d324648df1dddf515468e1fa44b103f0430758e8432c969db93395a7e
Opcode Fuzzy Hash: 009a3826e87b5a288b43708f8ef26d8873ff225a48c28932b5be47d064c97cf6
Instruction Fuzzy Hash: 1F61556250E3C64FD7178B7488614A17FB1AF6322071F81EBD0C6CF1B3E5195A5AC762

Function 00007FFD9B9601A0 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795504324.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aac73ccfced63bc07c25eaea41fdd92885f41e4a791a3683e88fecddb887903
Instruction ID: bd1d9be1290545683b9ae584b61e80d01d43d9cb2e03aa4c24fd87c6fa3f2fe7
Opcode Fuzzy Hash: 9aac73ccfced63bc07c25eaea41fdd92885f41e4a791a3683e88fecddb887903
Instruction Fuzzy Hash: 1A610831A19A4D8FDB6ADF58C8E06B877E1FF65300F1606AAD04EC71A6DA25A942C740

Function 00007FFD9B8A3035 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c9bdbc0b571408ce37f98e0cf60262293600471f4ed7276508c2a5c383c677
Instruction ID: 3022fcbbd18df75b297e53201a9f437d0e6b48541c38fc08848cfb397b13e3f4
Opcode Fuzzy Hash: 12c9bdbc0b571408ce37f98e0cf60262293600471f4ed7276508c2a5c383c677
Instruction Fuzzy Hash: E251C531A09A4D8FDF95DF68D464AA97BF1FF5E300F0A00AAD00DD72E2DA25AD41C791

Function 00007FFD9B892A10 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58eca6277a57d4a33e0b3b69e12cab3107bdc8fe0f482bf09a43e95e847a5c1e
Instruction ID: d371ec21fa0fc9a389dd7d42529a0e72f1bd36408d88a82d268c704fc226d0ba
Opcode Fuzzy Hash: 58eca6277a57d4a33e0b3b69e12cab3107bdc8fe0f482bf09a43e95e847a5c1e
Instruction Fuzzy Hash: 2841A531B0990D8FDF5CEB6898656B877E2FF9D340B55017ED00EC72E6DE2999028741

Function 00007FFD9B8973F4 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8bcd0e999751ec296dc59bfc9608f9f2c7fd245a2552d8cee35800043439833
Instruction ID: f11681a3dfb368c342cd10057d1a1125cd9d4f425228a3593c888a400136319e
Opcode Fuzzy Hash: b8bcd0e999751ec296dc59bfc9608f9f2c7fd245a2552d8cee35800043439833
Instruction Fuzzy Hash: 81316F31E0DA4D8FDF95EB98D465AACBFB1FF59300F0501B6D00DDB2A2DA24A945CB40

Function 00007FFD9B9610C9 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795504324.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f51cd693aaf8c6312d1cb090e8113fb1f8b32dc1d021474374c7676ecda701
Instruction ID: 415a03d30af6bde742a79d23fd36f40805235017c7a9d275f12ac146af7fa47b
Opcode Fuzzy Hash: 90f51cd693aaf8c6312d1cb090e8113fb1f8b32dc1d021474374c7676ecda701
Instruction Fuzzy Hash: 62414831A0EA9D8FDB66DF64C8655EC7BF0FF66304B0601ABD04AC71A3DA25AD41C780

Function 00007FFD9B898588 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ec3b36bd1854d2a1bf8737b64ede39698c21e113b9724c26245fd922f6d01f
Instruction ID: b6a4cc4c66a3586b1cabaccede20671f08b906a0fcacf769207bc6833e4bcb69
Opcode Fuzzy Hash: c9ec3b36bd1854d2a1bf8737b64ede39698c21e113b9724c26245fd922f6d01f
Instruction Fuzzy Hash: 5B418030A04A0D8FDF98EF58D464AA97BE1FF6D301F1501AAE40DD72A1DA35AD41CB91

Function 00007FFD9B89F649 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cf96ae962b6e469bd4720eadc3a355cab31d497d2996c9e9ee3f33c42cc329
Instruction ID: 1068edc82122040be7f116ff96c921168ffd782e301ea166e46c332991891dc2
Opcode Fuzzy Hash: f8cf96ae962b6e469bd4720eadc3a355cab31d497d2996c9e9ee3f33c42cc329
Instruction Fuzzy Hash: 91418571E15A4D8FEF98EBA8C865BACBBE1FF68300F550176D01CD7296DE3468428B41

Function 00007FFD9B8931C9 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3818858d772c7ef45ce34a7628dcc3b7f44133be6f9051fe35b9febb7fe505d
Instruction ID: 52cafec7ce504ac5a0ea49707f3abb335084f12436a51ac115c24bb1bc9a40a9
Opcode Fuzzy Hash: e3818858d772c7ef45ce34a7628dcc3b7f44133be6f9051fe35b9febb7fe505d
Instruction Fuzzy Hash: E6410822B0EA4E0FEB6997A898752B83FD1EF59251F0501BBE04DC71E3DD1859858342

Function 00007FFD9B893E40 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998f070cd519df65bc7e42daf1c7c35166b9338833492ad9055c8691eb28e0d7
Instruction ID: 58a0c08ec00cb52f64a069f7d073f6f6cced7b2cfe9cec89842a0c4739d0dd9d
Opcode Fuzzy Hash: 998f070cd519df65bc7e42daf1c7c35166b9338833492ad9055c8691eb28e0d7
Instruction Fuzzy Hash: 6641377060EA994FEB5A9B2488644747FE0EF9A345B0505FED08ACB1A3DA19E645C341

Function 00007FFD9B89AFD8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bce09eacce81539fc019153e150d25844ae4bacea6215261b00714603cf4871
Instruction ID: 8f5c3bbc2ba0afeb4cacee9a6f8389be941dcd0feb32b7e6e554e70b6c820572
Opcode Fuzzy Hash: 2bce09eacce81539fc019153e150d25844ae4bacea6215261b00714603cf4871
Instruction Fuzzy Hash: BA41C27070DB894BEB58CB1984A146ABBE2FFD9301F14857EE4DAC33A5EA34E941C741

Function 00007FFD9B898580 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c124eaf7ae54e20b3a7c54dbcc9e901e82269a9171add87f8272c825d32e5b
Instruction ID: 6200483bf09136a00d8c2a4a14de02f5ce15bed8568fc14baad5bd0c5e83b96a
Opcode Fuzzy Hash: 24c124eaf7ae54e20b3a7c54dbcc9e901e82269a9171add87f8272c825d32e5b
Instruction Fuzzy Hash: BA418030A05A1D8FDF98EB5CC8646B977E1FF1D301B5601AAD40DC72A1DB35AE418B80

Function 00007FFD9B89B4CA Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c7bdf1c2acea95d443e24a55afe71d7af4ca14c9e662b2ffab3affc7028c56
Instruction ID: 15731ed6fb27f0d78c448ab35e1ac6e7503d5cef53012918587b683eb387b564
Opcode Fuzzy Hash: c1c7bdf1c2acea95d443e24a55afe71d7af4ca14c9e662b2ffab3affc7028c56
Instruction Fuzzy Hash: ED41137060DB894FDB58CB1894A15B9BBE2FBD9301F14897EE4CAC32A1DA34E541C782

Function 00007FFD9B89D320 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7828e0c9dcdf12e4799ede521e99f8919a2fa54803caf8a537e96ef954b4bb95
Instruction ID: 41647a4921463df1937a17f893cb5e56fa8b9c9ab4a03b7d507df601474a2281
Opcode Fuzzy Hash: 7828e0c9dcdf12e4799ede521e99f8919a2fa54803caf8a537e96ef954b4bb95
Instruction Fuzzy Hash: B1310672B0A80E4FEAB8E75C94B86786BC2FFDC314755017AE01EC71E9DE18AD424344

Function 00007FFD9B8A232D Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136b74af2e77088078322f6b78ed26e6d411e679764dfede2798da105ed733f2
Instruction ID: 98165d6bc93a8544af6eadede2bc74ead72cc2a0ef7ace666cccff7f9fb0bb10
Opcode Fuzzy Hash: 136b74af2e77088078322f6b78ed26e6d411e679764dfede2798da105ed733f2
Instruction Fuzzy Hash: 5D31F73070E91D0FEB78EF9894646B877D1FF49300B5600BAD84ECB1A7DD19AD5687A0

Function 00007FFD9B89B478 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdb7452641e0683eb8b50d472d8373605a9e974239f841a406556a6571bd61b
Instruction ID: 7edff11e2952e3aeeb3e895b824433ea0f46330d3b9da0bd06e2cd3cd1a54f81
Opcode Fuzzy Hash: 6fdb7452641e0683eb8b50d472d8373605a9e974239f841a406556a6571bd61b
Instruction Fuzzy Hash: F431243070CB894BEB18CB19D4914B5BBE2FBD9301F158A7EE4CAC32A5DA34E541C782

Function 00007FFD9B89AF98 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5809cd4ff7ece07ff00f0406b9296628b7d1211b860f5efa97a1f0a0deb253
Instruction ID: cd430517eb305d659edf5c405e32bb597e19e4897585d1b343763bc13ac734f6
Opcode Fuzzy Hash: 3d5809cd4ff7ece07ff00f0406b9296628b7d1211b860f5efa97a1f0a0deb253
Instruction Fuzzy Hash: 0231E57071DB894FE718CB1884A1469BBE2FBCA301F14897EE4DAC33A5EA34E541C781

Function 00007FFD9B890C29 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e03ee72144cea2b541a9088e57688a549f0c4e5aae626f65f1d3106a5abf81e
Instruction ID: b0c5d09095161ef1fa6a8d9cde76c70f8ca8c2bd07234fc61f6e959629eecf53
Opcode Fuzzy Hash: 5e03ee72144cea2b541a9088e57688a549f0c4e5aae626f65f1d3106a5abf81e
Instruction Fuzzy Hash: 1821DC21F1EA4E0FDB65D7AC58612B97BE1FF48604F060277D05DC32E2DD185D428381

Function 00007FFD9B893055 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70117e6f2a9f8f7ca482bb7fb284fa2f6b57d6894e2a39379a13b1e2fc692f1e
Instruction ID: 689beff80f4f16a44856f311e0437b837c67b46fee14328d6a7d413c02a550ea
Opcode Fuzzy Hash: 70117e6f2a9f8f7ca482bb7fb284fa2f6b57d6894e2a39379a13b1e2fc692f1e
Instruction Fuzzy Hash: 5921D731B0EA8C4FDF5AEB688C615A87BA1EF5A300B0501BBD049CB1E3DE285D058352

Function 00007FFD9B89C0BA Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34ad9970d3615c040573978cf52b0d2e38080eb41cea22241e257d5d6786411
Instruction ID: 1311dc60093599142cd08ce2c5f3f6d6fe44e261c5d291695f22417c3fe068f6
Opcode Fuzzy Hash: b34ad9970d3615c040573978cf52b0d2e38080eb41cea22241e257d5d6786411
Instruction Fuzzy Hash: 3C212230719A4D4FE759DB38D4A40A1BBE1FB9830971446BEE49AC32A6DE35E982C740

Function 00007FFD9B89404D Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f587f53354d1669c92dba849d408b95b6b75358ad6ffbf5f46d631035c75dc1a
Instruction ID: 0e4ba9b114a119da3ab22362f836f33083161438375f4dd95bab9acaa0ec6126
Opcode Fuzzy Hash: f587f53354d1669c92dba849d408b95b6b75358ad6ffbf5f46d631035c75dc1a
Instruction Fuzzy Hash: 9D11B121B0EA8E4FEFB9977844B45B67BD1DF5820071801BFD04EC71E2DE28A8028300

Function 00007FFD9B8A2F89 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c374ac8878792250f601c556b5fcd43413eb28c9ccfc28b3984c83053115571
Instruction ID: 4a3d6a4e36f1147af0563f95158ed7a8c59db91bdf45a23acf5cc5276781c13c
Opcode Fuzzy Hash: 7c374ac8878792250f601c556b5fcd43413eb28c9ccfc28b3984c83053115571
Instruction Fuzzy Hash: B9212331A0D94D4FE361EBA884282B5B7D0EF5C314F0901BBD48CD71B2EE28AA828340

Function 00007FFD9B892BA2 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5860f5701aac636b831515d5bf388cdb58227b62661324ea5ada634fa2d7815c
Instruction ID: 94523513b67e38ad46a0ec49ac2e5b2ec1390c7a120019add8df0122153055bc
Opcode Fuzzy Hash: 5860f5701aac636b831515d5bf388cdb58227b62661324ea5ada634fa2d7815c
Instruction Fuzzy Hash: 2C21056190E6CE4FDB879BB88C645A97FF0EF46250B0501FBD458CB0A7DA291A468341

Function 00007FFD9B89D4A4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c37ea843273a31e1eb83e257a590cc2f769eb06e02a963689e49f2811cc5478
Instruction ID: d8a281dbf92f25a17cfbf6a7fd195c0bac3024f4dc7d10e88c4109cd6cebeb4b
Opcode Fuzzy Hash: 1c37ea843273a31e1eb83e257a590cc2f769eb06e02a963689e49f2811cc5478
Instruction Fuzzy Hash: AA112961F0F14A1FEF79A7A89C345B47B80EF19204B2501B7D04DCB1E3DC08790A43A5

Function 00007FFD9B89103A Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542fdd73c0ca06aed611b4824897f8256e09f2c696945f84980b32bea6f0cb0f
Instruction ID: 48bdd64141f6a428ec144cbf9c696e535a5e6f7bfcfc6e397175c4e9a4a875cf
Opcode Fuzzy Hash: 542fdd73c0ca06aed611b4824897f8256e09f2c696945f84980b32bea6f0cb0f
Instruction Fuzzy Hash: 7D113031B0D91D5FDF95EB9894A29ECBBA1EF5C310F41113AD00DD3296CE25A9428780

Function 00007FFD9B898368 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2602743e6795fc1e92c9a0b9c7b82a41f218667daf2a44cffcdc6e1a131139d
Instruction ID: 3670169c3fcfbb5acb9645db1721ebe8d132c88939be8551e5d6852f79c1ec51
Opcode Fuzzy Hash: c2602743e6795fc1e92c9a0b9c7b82a41f218667daf2a44cffcdc6e1a131139d
Instruction Fuzzy Hash: E9110630A0DA0A5FDB68EB68C0A497A37E1EF9C311B10053EE44EC36A0CE28F5418741

Function 00007FFD9B898578 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08106611f5f446239961a1d2d9aa577862716406b8d71162d51b182105470122
Instruction ID: 900bc5978d76408a9989d6b452b621906b3c9c8381b4425658af0763a3a60ede
Opcode Fuzzy Hash: 08106611f5f446239961a1d2d9aa577862716406b8d71162d51b182105470122
Instruction Fuzzy Hash: C5012622F2BE1F0BE6F5936C28B52B925CBEFDCB007494176E40CC22B5EC199D424290

Function 00007FFD9B89DFBC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b889d02904fa2512d4366e21aadee1f91cd9de9542b07b6a4cf958057ebd07b
Instruction ID: b0321e802aa5f6eda69a1b958fd7aeb143a2cdd2ff643ea73dbdc8502a2a715e
Opcode Fuzzy Hash: 4b889d02904fa2512d4366e21aadee1f91cd9de9542b07b6a4cf958057ebd07b
Instruction Fuzzy Hash: AAF02D13F1FE5E06FA71415D38611745FD2FFD861171542F7C088C25E5EC095C874241

Function 00007FFD9B894665 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98f068c21497d5d3e0f0c5487fac6a92a1d37863ae1f2885f1c8db5a541d87c
Instruction ID: 7678a12e53c3a939a564fb374862185c1ff1f1f4062f0b9e9dcb4e650c63d1fa
Opcode Fuzzy Hash: f98f068c21497d5d3e0f0c5487fac6a92a1d37863ae1f2885f1c8db5a541d87c
Instruction Fuzzy Hash: 86115C7150DBC85FDBA2D72884645653FE1EFAE220B1D02ABE4C8C72A3D624A945C342

Function 00007FFD9B893E38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4a00001ea60069b208a9bfa6d6c26eca103cfa39a2bf522efbbc9a9a3c4ee5
Instruction ID: cd8fb667fcc7e9f470e6e134fa111ed7e875d8c6cad4defd22415ac9fac260db
Opcode Fuzzy Hash: bf4a00001ea60069b208a9bfa6d6c26eca103cfa39a2bf522efbbc9a9a3c4ee5
Instruction Fuzzy Hash: 4A110971F0950E8BDF68DF9894666FEBAF5EF48340F11003AE11DE2290DA346A518BC1

Function 00007FFD9B8A371F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec748ff46e9e88d051a8bb902c0bb4f699b7f3f16574f986906c8f3a062eb22
Instruction ID: 886a2c323307f20ddff01a6d436dc8e1739c228efe4c7c7bbaf8d40af54f86ca
Opcode Fuzzy Hash: dec748ff46e9e88d051a8bb902c0bb4f699b7f3f16574f986906c8f3a062eb22
Instruction Fuzzy Hash: F7F0967270EE0C4FE75CA69C78162B473C1DB8D33170102BFE14EC2256DD16694342C5

Function 00007FFD9B89C951 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9087af13e12d47afac3afb463749f33ba99eaffaa62fc7f896168672edb668fb
Instruction ID: 5ee67843d0e870c1cc9e061e30b4761939063e01070d99ffb80de68411cd51e8
Opcode Fuzzy Hash: 9087af13e12d47afac3afb463749f33ba99eaffaa62fc7f896168672edb668fb
Instruction Fuzzy Hash: 83F0FC3560DE4D4FC766DB2C98545617BF1FF6921030502ABC09AC76E6DE15E8478741

Function 00007FFD9B89D305 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0b5dda412ac179916254d0935c25b55174ddf797ba0494a70ef2b2a6311bc9
Instruction ID: 2f6779c40dad9a869fd404ffb84ee8e752f4f98c65a9fd67e480048210f631d8
Opcode Fuzzy Hash: 7a0b5dda412ac179916254d0935c25b55174ddf797ba0494a70ef2b2a6311bc9
Instruction Fuzzy Hash: 36014C21B0F54A0FE791D7A85874678BBE1EF8921170A00F7D00CCB1E7DE089C054346

Function 00007FFD9B8A4F18 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d210f954615398b6e3648bd1d41580c3aa31a526854c4af6e4960bbff1f340
Instruction ID: e40b906e3c49ad1b8b8518fbe022f1d68e46bba9f0edc302ef5bddba861e2900
Opcode Fuzzy Hash: 41d210f954615398b6e3648bd1d41580c3aa31a526854c4af6e4960bbff1f340
Instruction Fuzzy Hash: 51F028322095094FD72CDB7E8CA54763A96EBD6310776117DE087C76E3EC64A913C294

Function 00007FFD9B897E50 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367612b6c9e43c966d27eb27f54f4bdecc76ecfe25e9d0ea2f096391e8fee7fe
Instruction ID: 720391e4315afc0b0f1a5a5dd17c76153839ee79d9f977a0731a0ed34e903e38
Opcode Fuzzy Hash: 367612b6c9e43c966d27eb27f54f4bdecc76ecfe25e9d0ea2f096391e8fee7fe
Instruction Fuzzy Hash: 97F0BB53F1ED1E06FAB4419D38652741AC2FFDC712B2542F7D44CC26E9EC059C4682C0

Function 00007FFD9B8A3CE6 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53fc88d7df986cc99fa629a5cc6348ffeaed8d8e86166c6ab0a3907138446447
Instruction ID: 5c22e5a05fb3be33dde8fe9093f9936926b881858f596322d3e23b93bcf7b969
Opcode Fuzzy Hash: 53fc88d7df986cc99fa629a5cc6348ffeaed8d8e86166c6ab0a3907138446447
Instruction Fuzzy Hash: A5F0C230B1960A8BD71CEB1C8A5107977D7F7C9719B20927DE09BC72EACD34E9138588

Function 00007FFD9B8A5500 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ddac97759e576e30b2dc645ca89a80080c9ba63f7c0412ce0d9201fe14cfa8d
Instruction ID: 55ac5d03677b130289670b5b13df9e3dfad6f8f00e4e824f9df142b180e2e12a
Opcode Fuzzy Hash: 2ddac97759e576e30b2dc645ca89a80080c9ba63f7c0412ce0d9201fe14cfa8d
Instruction Fuzzy Hash: 55012D327089094BDB2CDE28D8A14BA73D3FBC8321715823EC04BCB2E5DD34F9428690

Function 00007FFD9B8904C8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c02e85c0abd3bf176aef606c0a1a66dba67ff40b6494caf510200b6c414461
Instruction ID: 8563e9bc4a9ea6d93ae00de2fcf8b5c66a19f6cb379c0044dd28587112e00611
Opcode Fuzzy Hash: 54c02e85c0abd3bf176aef606c0a1a66dba67ff40b6494caf510200b6c414461
Instruction Fuzzy Hash: 72F03C64B2A94D4FEF9AB76C482576469D1FF1A340F9701F1E40DCB1A7E82CAA428352

Function 00007FFD9B8A361E Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a613f8a0ed686f474663b89f57ea299ba6123d6cee4c70266d248be468908cbf
Instruction ID: 1df117f2e68bdefc3a611267573617e1fd0f4c967f1a90e6f4c9b62048865de7
Opcode Fuzzy Hash: a613f8a0ed686f474663b89f57ea299ba6123d6cee4c70266d248be468908cbf
Instruction Fuzzy Hash: 1BF02432B0C51E4BD72CAA9C8C6A1B43392D3A8750B12433BD446C33F2ED58A90201C0

Function 00007FFD9B892999 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1836aaed037e7098e69ed145bbe01a247f50f547a4f9f255efe6e0df03ccff2d
Instruction ID: d1f6e6c549b900a219498646fcfbecbf6685d067e17c2195a4e442669d745325
Opcode Fuzzy Hash: 1836aaed037e7098e69ed145bbe01a247f50f547a4f9f255efe6e0df03ccff2d
Instruction Fuzzy Hash: 64F09021B1EA484FCB59A77C58655547BE0EF5E21078A01F6E008CB2A3E918DC424341

Function 00007FFD9B892CD8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d46baefbb6e96ea5f18df62832f38b0986c78d123984229051e4e4c8f8344d
Instruction ID: 415d46e02fb0d4672aaae14613d1c06d49f67845e297b9aad25498798e54f6af
Opcode Fuzzy Hash: 19d46baefbb6e96ea5f18df62832f38b0986c78d123984229051e4e4c8f8344d
Instruction Fuzzy Hash: 22F0A735718D0D4FCBB8EB2CD45496273E1EB9831035506BAD45EC3668DE21FC428780

Function 00007FFD9B8A3F5D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8a5550335cbee2ec9d3aa83e5a126debc90436045526b3683917037dc1c260
Instruction ID: 744aeff4cef3b3d1f66b5ae8087644e733dd3d9e2fc695e705205437140d5eee
Opcode Fuzzy Hash: cd8a5550335cbee2ec9d3aa83e5a126debc90436045526b3683917037dc1c260
Instruction Fuzzy Hash: ECF05021B1D50F4BDB2CDDA894614B17393D7A4350704433EC007C73D5ED24BA068280

Function 00007FFD9B8929B0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982b542eff7d2b1ae8cc3265f71bbafcd6813ee2f62bf27c1eb3bb7d660ac88b
Instruction ID: fcf3f3f39dd79d5c296f21ccdc5c64a155fee4e24030ba63681e47d238c208f2
Opcode Fuzzy Hash: 982b542eff7d2b1ae8cc3265f71bbafcd6813ee2f62bf27c1eb3bb7d660ac88b
Instruction Fuzzy Hash: CAE04F30B1991C4FCB98B77CA81956876D5EF8D31178605F5F40DC72A6ED28DC414380

Function 00007FFD9B89B148 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0a6d4e2936e3a387841abc451c86996e02f550e5f34225cca8beeafa674b89
Instruction ID: 9a50fd307740d9f52e6f867cc1e07b639fe945f21408d08a8eeea59b5e83a522
Opcode Fuzzy Hash: 4c0a6d4e2936e3a387841abc451c86996e02f550e5f34225cca8beeafa674b89
Instruction Fuzzy Hash: 38E0D813B0F94D4BDF78D6DD68D51A477C2EAEC12170A02B7E41CC32A6D9159D454340

Function 00007FFD9B8A4295 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529970e079871becbc36c5d155802d896aab686219f2baa9cac1e366ae335fd6
Instruction ID: 1e3eaec433e4683bb7c77efe27e0e6d9127ef3f8de88627ce4b3190980b326ea
Opcode Fuzzy Hash: 529970e079871becbc36c5d155802d896aab686219f2baa9cac1e366ae335fd6
Instruction Fuzzy Hash: 84F0823470A70ECBDB29EFA088A0176B252EBC9351F15453EC102867A5DE75EA46C741

Function 00007FFD9B89D3B0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c540d6770f0020042b5690195e5ea68cb7bf02f71a37c221925144f2e383240d
Instruction ID: 066d0a0e68b5b6f2e5d5876c09f1bb216c9a2a0da80c89223b6e5dfb7b38a0b3
Opcode Fuzzy Hash: c540d6770f0020042b5690195e5ea68cb7bf02f71a37c221925144f2e383240d
Instruction Fuzzy Hash: 13E08682B1F84D49D674479CB4A5074ABD0DF6D22276503FBD08947571E84A66828384

Function 00007FFD9B890CFE Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6531c8e19b7b5cd45d911cd582ff835a562da2c275a582cfedb75ffc48155b4
Instruction ID: 43e46ea61863caf1367805842a7360dc8f76fb6fc4057ec11170c063526d71cf
Opcode Fuzzy Hash: f6531c8e19b7b5cd45d911cd582ff835a562da2c275a582cfedb75ffc48155b4
Instruction Fuzzy Hash: FBE07D3661D98C0BDF80EA5CBC214D57BA0FBC9308F01029AF55CC7251D6116515C341

Function 00007FFD9B89A53C Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf6f4c2de9a2887c838c4297f6c23e00a3a87e7f52602b96434fd587c5b47c0
Instruction ID: 998b6fc882eb5ff99197522ff088cf15e9ac7b97e2cebbc9fd521c6c90475e83
Opcode Fuzzy Hash: 7bf6f4c2de9a2887c838c4297f6c23e00a3a87e7f52602b96434fd587c5b47c0
Instruction Fuzzy Hash: 08E04F7554F3D91FCB57967A88608547F906F4724079A81FEC4848F2E3E42D554BC742

Function 00007FFD9B890906 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c39ac63c3ef4581dd36fe90509fabece7b52d13dc9100489b4aee688cf5e9c
Instruction ID: 91966df3fd116581248505a1f1e9e2ff66c65d7b2257f193edc22cd527aafd05
Opcode Fuzzy Hash: 96c39ac63c3ef4581dd36fe90509fabece7b52d13dc9100489b4aee688cf5e9c
Instruction Fuzzy Hash: FCE0C23294EA4C4BDB44EA6D6C610C57BA4FB4D348F01065AF45CC3192E6269A618382

Function 00007FFD9B9609FC Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795504324.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfa55bd82cecac91c004244b219b67efa30f85e92986106cd43e7cc3b5c7af2
Instruction ID: ea3768cabf29ae03ce451a7e50912da16746232ec3b820288e57d2f891ef8dda
Opcode Fuzzy Hash: 6bfa55bd82cecac91c004244b219b67efa30f85e92986106cd43e7cc3b5c7af2
Instruction Fuzzy Hash: B3E0E531A0562E8ADF64EB48D891BEDB3B1EF88340F0041E6D55EA3291CA346A85CF52

Function 00007FFD9B8946EF Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb396d8f673c1a5eedd5b02150c9267f840169603e3d1db76e46eec3c1f3e633
Instruction ID: 12423fcc4c813233b17287604cfdfe67b46bf88c68dba404944293a8555f3231
Opcode Fuzzy Hash: eb396d8f673c1a5eedd5b02150c9267f840169603e3d1db76e46eec3c1f3e633
Instruction Fuzzy Hash: 57D01213B9ED0C1B4550658C7C1217CB3C1D7CD53674103BBD44DC2258CD1A594242C2

Function 00007FFD9B89D403 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e512f64add79514d278e7e86dcd43bd83c8d5d2814f6c834aeb35dbacf979ef2
Instruction ID: a13b04d650deaf838d45bc7179f28174f041dd1c25f8ac2727340f4185987d46
Opcode Fuzzy Hash: e512f64add79514d278e7e86dcd43bd83c8d5d2814f6c834aeb35dbacf979ef2
Instruction Fuzzy Hash: B2D02293B2F80E48E778478CB8950B4A3C0DFAC631322037BE00982270E98B1AC343C4

Function 00007FFD9B89D3CB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38fd2a860edfb91e0df71e627306528b6cbdd7cee3755cc7c3e5158b4e143bcc
Instruction ID: 797347ee7c01fd8b16a0b50c883e54338d4155258743503c05dd0cd8cf3783c3
Opcode Fuzzy Hash: 38fd2a860edfb91e0df71e627306528b6cbdd7cee3755cc7c3e5158b4e143bcc
Instruction Fuzzy Hash: 51D0A783B0F44A1AF720029878852F8AFC4CB551B1F1902B6D04842061D88A19C29340

Function 00007FFD9B8A46D3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e104928d44749c71162ea8860658d8b4f4a0ee9e3ef5f36c5026180c52b8b3
Instruction ID: db6485f5eb11250084e088db1c019eed08a6021a5ecff8436831b508b259b0e2
Opcode Fuzzy Hash: f1e104928d44749c71162ea8860658d8b4f4a0ee9e3ef5f36c5026180c52b8b3
Instruction Fuzzy Hash: 4DE0E67171D7044FC65CDB69C4B6436B7E6EFC9A04B11942DD4C7836B5CD70BD018A42

Function 00007FFD9B89D46C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1969630060df6e3b2b13fadab5e82df9c97878c4936d8fa3973659f4812faa9
Instruction ID: a79b232f8687275e7b7c96534f8c247209a7932fa4a2975bcc448784d02907a0
Opcode Fuzzy Hash: d1969630060df6e3b2b13fadab5e82df9c97878c4936d8fa3973659f4812faa9
Instruction Fuzzy Hash: 1CD0A7A2B0E80D1EE7B49ACCB4A0170F3C0EB68220751037BD04CCA290C80519424380

Function 00007FFD9B89D453 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd7ce399b213135640df7a6a6e7f9174f6d6773b3fb622c1d7ed6b87d6ee969
Instruction ID: 4cdd7d3f8c291c4e8bab123cc4f0ab268d2b08e5438d7f7694e7f4db73dba49a
Opcode Fuzzy Hash: 5dd7ce399b213135640df7a6a6e7f9174f6d6773b3fb622c1d7ed6b87d6ee969
Instruction Fuzzy Hash: CDD022B3B1B40E4FF7384A8CB8940B0F3D4DBA81217A6023BD048CB2F0DD5628828340

Function 00007FFD9B8A49B2 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29886e9c9e006227aa6d3b1c4278fa791145a838ea1099839a9d21ea78562cbf
Instruction ID: 199904f6e3ea386b0397066af2a0573d17bb08c21679621e63d4c94b1f30e961
Opcode Fuzzy Hash: 29886e9c9e006227aa6d3b1c4278fa791145a838ea1099839a9d21ea78562cbf
Instruction Fuzzy Hash: 61E08C3660AA08CBE729E764C4A05A6B3E2FF98305F11443CD0CBC3262DE34FA05C640

Function 00007FFD9B894010 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba54353bfc5739abcf38bfeeaf4b7826be6a1069b7dc34fce4a3ded6042c068
Instruction ID: 11049b62411bcd757a97ca65f2c2e867ab023219db2500b6ecb30f68dbe51213
Opcode Fuzzy Hash: 2ba54353bfc5739abcf38bfeeaf4b7826be6a1069b7dc34fce4a3ded6042c068
Instruction Fuzzy Hash: 61D0957451B70D4FCB59DB2084508247BD0FF8A300FD21179E404873A1D13E85428741

Function 00007FFD9B89D43A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9830815e70b7d5f962fc0ea7056be49b1e5dcceaedffeb697123b37c1980a42
Instruction ID: 2edebc5d8305a834f3b63ec19f74a6df4250084b0c19a68e61fb82cf8e46b141
Opcode Fuzzy Hash: f9830815e70b7d5f962fc0ea7056be49b1e5dcceaedffeb697123b37c1980a42
Instruction Fuzzy Hash: D4D0A763F4A40A0AE6644A8CB494470F3D0DBA8121715023BD009C32A0DC5519C24740

Function 00007FFD9B89D3E8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e57a315d9ebc9a182eb40b954553c35b340bfe8130e999c180471dc43b6925e
Instruction ID: 9f68442f21b37821b0a293715e8185e1164ace7b5a19a5aadeac46bfbdae25b5
Opcode Fuzzy Hash: 2e57a315d9ebc9a182eb40b954553c35b340bfe8130e999c180471dc43b6925e
Instruction Fuzzy Hash: F0D0A753A1E50589E778478DB050070F3D0DF98261365407BD148461A0F55A15838348

Function 00007FFD9B89D41F Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35532ea96bbba097f22978e8de8b756e02a695f57c357b89c6aa93d5ece3b6c
Instruction ID: 5b73e7d83160da30ed85f470b26c8cfc3d44a5de250cfe6d33b874aa90e7d60d
Opcode Fuzzy Hash: e35532ea96bbba097f22978e8de8b756e02a695f57c357b89c6aa93d5ece3b6c
Instruction Fuzzy Hash: FDD0A983E0A00685EA64078CB0A00B8E7E0DF6812432900BAD289861A2E98B19838388

Function 00007FFD9B89D396 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e994f3d7d0ba4b5d5e658725c612bca8f83eed3f5f6faf54af0c8611942e59cd
Instruction ID: 67286d51cd0423befb57ec539120126466bb83b407dcbef3f7b170e1c7477e05
Opcode Fuzzy Hash: e994f3d7d0ba4b5d5e658725c612bca8f83eed3f5f6faf54af0c8611942e59cd
Instruction Fuzzy Hash: 61D0A74370E4498AE724828C74A0074FBC0DFAC05472900B7D1844B1A1D44A59435384

Function 00007FFD9B89D487 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad16a919be20c58281434d4b2ab9599f2eb474330699a5b6e84bced8e88486c7
Instruction ID: 26b32488c4af89e6db94efdc0c21e8cd5e5ece03f9f1de9f96e6d1374bdd8231
Opcode Fuzzy Hash: ad16a919be20c58281434d4b2ab9599f2eb474330699a5b6e84bced8e88486c7
Instruction Fuzzy Hash: 35C01293E1B40A4EE7B447CC74910A4B790DB98E3479640B6D118D52B5DC5659824384

Function 00007FFD9B8A4611 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334fc5696ff45154c71cdfd0d7abb107067ec7d18bd36a529a057a076a8af42b
Instruction ID: 6fe0114488c5894d0efa9dc16de3082f6eafa8a07dfa665a895fd7294e17d79e
Opcode Fuzzy Hash: 334fc5696ff45154c71cdfd0d7abb107067ec7d18bd36a529a057a076a8af42b
Instruction Fuzzy Hash: 7ED0A93970B2198AE9380BA4A9260293685DF083107A604BCF80F9A2A38E2D6A038090

Function 00007FFD9B8A5148 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0c7cfdf341aa8b26e3ef1ca58113f19a8cf8a87ab7603ce946fd90f493b6c5
Instruction ID: 9fee253bddc6dafdda5abca2bc5feb4b6b4ae68a3ea5bfe71ad7dbaad36a38d0
Opcode Fuzzy Hash: 6a0c7cfdf341aa8b26e3ef1ca58113f19a8cf8a87ab7603ce946fd90f493b6c5
Instruction Fuzzy Hash: 4AD05E31605609CBD63C9B64806203672D2FF0D200796287DC487C3EA2CF36BD42CA81

Function 00007FFD9B8A4633 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7721744ff8a9fa39f82eef57620a417e55808b4bb0f15018841e63b83c4a9e
Instruction ID: 4d0e0c1f85dd96545f6bec6300d8d801f6ed9ccd973131d795d820d8bd89005d
Opcode Fuzzy Hash: bf7721744ff8a9fa39f82eef57620a417e55808b4bb0f15018841e63b83c4a9e
Instruction Fuzzy Hash: A0D0C73420AA088FD6299B54946156173E1EF48300711486CD48FC7261CE35F502C681

Function 00007FFD9B8A36D7 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5e9e144d8cde9dfd0b1e0c256423a16799c64532830ee02d78e86e7a70ac7c
Instruction ID: 9c4b3faa2108463c3973de16f04f57f63584c6b6fa2fd03edabc11f68d886a72
Opcode Fuzzy Hash: dc5e9e144d8cde9dfd0b1e0c256423a16799c64532830ee02d78e86e7a70ac7c
Instruction Fuzzy Hash: BBC08031F095554FC33D5AE40021035514747CD600761927E8D0D977E5CC254B064790

Function 00007FFD9B8A3D1E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a530e6f91564ee513cee70a37474039e47cd4805bb4f1d0d3251f2ae8d6ad370
Instruction ID: f02111459eb95b354c6d35d96b9a0d1570e66d3ad284bb8d2b996fbcebde3cfc
Opcode Fuzzy Hash: a530e6f91564ee513cee70a37474039e47cd4805bb4f1d0d3251f2ae8d6ad370
Instruction Fuzzy Hash: 6DC0122072A30957865CEF5E412213DB7CB9FDC909F30557E948FD25A1CD646D05550A

Function 00007FFD9B8A505B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027409a01cf9bf2d1f41c65d7db3a264cabe5d67441200a22c185a1af927a57b
Instruction ID: 4a56898f52a045de2dcb79427e489fb13077c578b91c6f0642b11393adbc8294
Opcode Fuzzy Hash: 027409a01cf9bf2d1f41c65d7db3a264cabe5d67441200a22c185a1af927a57b
Instruction Fuzzy Hash: 64C01231A1A1138BD63D677040620B56156EF47604B16607ED58B6B1924E6A79028D92

Function 00007FFD9B89D565 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d5c65d072fac339478a2ab517efe487d09c761ee716ef3bdf88559e77737d6
Instruction ID: 5b8748c8eaf87aa4f278fc07436ae3d849e5477375244397aaa19905d7c3d931
Opcode Fuzzy Hash: 54d5c65d072fac339478a2ab517efe487d09c761ee716ef3bdf88559e77737d6
Instruction Fuzzy Hash: 02B092A2B8E4194EE560468CB4800A8F790D6882347A652B3D00889168C49A49C24384

Non-executed Functions

Function 00007FFD9B8985FA Relevance: 6.3, Strings: 5, Instructions: 92COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD9B898672
M_^, xrefs: 00007FFD9B898622
M_^, xrefs: 00007FFD9B8985FA
M_^, xrefs: 00007FFD9B898612
M_^, xrefs: 00007FFD9B898662

Memory Dump Source

Source File: 00000000.00000002.1795306721.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_vsl particulars packing list.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^$M_^
API String ID: 0-3725639274
Opcode ID: b8d5e310c3fdc3b471c3dfce78d8745c67b7636cabdf68efbfe9469ac1a18529
Instruction ID: fc3e6d455f56dce87eb152b462e9b9c0fb40af8923d7da43d7c0afe5f969f181
Opcode Fuzzy Hash: b8d5e310c3fdc3b471c3dfce78d8745c67b7636cabdf68efbfe9469ac1a18529
Instruction Fuzzy Hash: 8B21F6B3E0A66A8BD6675A1ACC6A59977D0FF2425CB0A03F5C4ADCB2C3FD15780741C1

Analysis Process: CasPol.exePID: 6712, Parent PID: 4888COMMON

Executed Functions

Function 02E36880 Relevance: 5.3, Strings: 4, Instructions: 338COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02E36988
,bq, xrefs: 02E369F2
(o^q, xrefs: 02E3697A
,bq, xrefs: 02E36A00

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: d371d7ff2d902a48023d36bafd86afdc7f566e1ab849842b62c1b2ee2228d58b
Instruction ID: c864867b574544b68052b7326ba8f5a25af1f4d502ee913dc5bd6f72664116e5
Opcode Fuzzy Hash: d371d7ff2d902a48023d36bafd86afdc7f566e1ab849842b62c1b2ee2228d58b
Instruction Fuzzy Hash: FCD14E70A40109EFCB16CFA9C988AEDBBBAFF8834AF15D065E405AB265D731D841CF54

Function 02E39858 Relevance: 3.4, Strings: 2, Instructions: 854COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02E39C78
4'^q, xrefs: 02E3A273

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 67301f77375dfb57760f471967480a89a1d420fc35b0cca3b04bc8611378888d
Instruction ID: f5100ad43e9f35e2515cf708cbd7f7379c865227be2705fea15d96187fb0ad2f
Opcode Fuzzy Hash: 67301f77375dfb57760f471967480a89a1d420fc35b0cca3b04bc8611378888d
Instruction Fuzzy Hash: F5729371A40209DFCB16CF68C988AAEBBF2FF88305F15D565E8459B365D770E881CB60

Function 02E36108 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02E36642
Hbq, xrefs: 02E3650E

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 4cbeec42ab696c2ace9c6b677f5f85252f395e834c9f47bb563abe9edbbaab4f
Instruction ID: 157dd6f3812678dd0fb8a3bcc9551f3b14d93571ba3679a00f24878b1ee4da3b
Opcode Fuzzy Hash: 4cbeec42ab696c2ace9c6b677f5f85252f395e834c9f47bb563abe9edbbaab4f
Instruction Fuzzy Hash: 50128C70A002189FCB19DF79C858AAEBBF6FF88305F248569E5099B395DF349C41CB94

Function 02E33572 Relevance: 2.9, Strings: 2, Instructions: 397COMMON

Download Yara Rule

Strings

Xbq, xrefs: 02E335AF
$^q, xrefs: 02E33596

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: d5ca03fa788cff1ceadc41e920eb65a35175b6a6ee2b131cd1a44f5cc566c228
Instruction ID: 728dd8398645ea3da754eb2b81638acb50e1f5a61274474418c794557a2258c2
Opcode Fuzzy Hash: d5ca03fa788cff1ceadc41e920eb65a35175b6a6ee2b131cd1a44f5cc566c228
Instruction Fuzzy Hash: 84E13F74F402489FCB09DF78D458AAEBBB2FF88711B5494A9E406E7394CB359C42CB91

Function 02E3B328 Relevance: 2.9, Strings: 2, Instructions: 351COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02E3B758
PH^q, xrefs: 02E3B747

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: e86059058e75eaafb0090157cda028e3a0bdc013ca80fd4e4cfaf9a03a3c1297
Instruction ID: 0af70a1067cc467d97f7a64355e946cce545e36915c195ed43a6b91451d98867
Opcode Fuzzy Hash: e86059058e75eaafb0090157cda028e3a0bdc013ca80fd4e4cfaf9a03a3c1297
Instruction Fuzzy Hash: CDE10970E40618CFDB15CFA9D988A9DBBB2FF48319F15D069E809AB361DB31A841CF54

Function 06A38B58 Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06A38E9A
PH^q, xrefs: 06A38EAB

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 9bf21f8877e57951da49acf50bd65e46d287c6f340390c400b80b735d5891056
Instruction ID: 4f680a3f6bfc7bfd74e15aebd7e26a451dc994d20282d07078a923653051b623
Opcode Fuzzy Hash: 9bf21f8877e57951da49acf50bd65e46d287c6f340390c400b80b735d5891056
Instruction Fuzzy Hash: D4A11674E05218CFDB58DFA9C9846ADBBF2FF4A300F1081AAE419AB355DB385946CF50

Function 02E3C752 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02E3C9A7
PH^q, xrefs: 02E3C9B8

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: f8d3f44259a0b9240f50395777166a77291fdd5179c3824f7df519a29b19d039
Instruction ID: 90ec220e0e62ad566e131314a6a56b3b320bba0ea46dd1f27ae98553fc823a7d
Opcode Fuzzy Hash: f8d3f44259a0b9240f50395777166a77291fdd5179c3824f7df519a29b19d039
Instruction Fuzzy Hash: 9581A774E40218CFDB18DFA9D948A9DBBF2BF89315F14D06AE809AB365DB349941CF10

Function 02E3C190 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02E3C3F8
PH^q, xrefs: 02E3C3E7

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 34bc8313f6fb1c8a29115907b821cc2b1af570b803bd175258603a73a7fb77d9
Instruction ID: d19a03f251592f971b25825cdcfc07d262148770ada0603618c8c31e8530faf8
Opcode Fuzzy Hash: 34bc8313f6fb1c8a29115907b821cc2b1af570b803bd175258603a73a7fb77d9
Instruction Fuzzy Hash: DE81A574E40218CFDB14DFA9D884A9DBBF2BF89305F14D0AAE819AB365DB309945CF50

Function 02E3BEB0 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02E3C118
PH^q, xrefs: 02E3C107

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 1db1c0e0c076111745d5564ac8b117b2084dcac539b8995c5f6abe04a4ade5c4
Instruction ID: 740013e4b988240f2b4c5ebd74b5bce37dea6d4dd7bfed5c244e10ead71d4b6c
Opcode Fuzzy Hash: 1db1c0e0c076111745d5564ac8b117b2084dcac539b8995c5f6abe04a4ade5c4
Instruction Fuzzy Hash: F081C574E40218CFDB14DFA9D884A9DBBF2BF89305F10D06AE809AB365DB319985CF11

Function 02E34AD9 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02E34D41
PH^q, xrefs: 02E34D30

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: e8db8439b552af6934bce431eccc239da28fb88de8615aeea8271fb51c82def8
Instruction ID: f23436252e7b75e5b156df09fae12dc0936501dc8b054b48dca6fb8f275709b0
Opcode Fuzzy Hash: e8db8439b552af6934bce431eccc239da28fb88de8615aeea8271fb51c82def8
Instruction Fuzzy Hash: 0181A274E40218CFEB14CFAAD984A9DBBF2BF89301F14D069E819AB365DB349941CF50

Function 02E3C470 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02E3C6C7
PH^q, xrefs: 02E3C6D8

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: aa4280396fd492352f732b8db5bb90f3d6c1af20a24d0490f5cbd58665e2bc1d
Instruction ID: 8e3168fd4a302beb3ec8cc30c69100fe56390cb3b39e9a1f3fa12a05d58ad827
Opcode Fuzzy Hash: aa4280396fd492352f732b8db5bb90f3d6c1af20a24d0490f5cbd58665e2bc1d
Instruction Fuzzy Hash: 1781B674E40218DFDB14DFA9D984A9DBBF2BF89311F14E06AE409AB365DB349941CF10

Function 02E3CA32 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02E3CC87
PH^q, xrefs: 02E3CC98

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 18fa6966fa448d4b7d3b33064756be1e9c83734a00c6482038faf24ecb6d1ba1
Instruction ID: 7eb6a4a2e9c17d1f916eedff76b9565926efd61c8da850706e4303a007fe68b1
Opcode Fuzzy Hash: 18fa6966fa448d4b7d3b33064756be1e9c83734a00c6482038faf24ecb6d1ba1
Instruction Fuzzy Hash: B281B574E40218CFDB14DFA9D994A9DBBF2BF89301F24D06AE819AB365DB349941CF10

Function 02E3BBD2 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02E3BE38
PH^q, xrefs: 02E3BE27

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 0ffcce766031a53e5c69d67cb3a8de697deb3d1611b9a76fa88609c3a7b34521
Instruction ID: fe6fbf9aee8baf17cf8abdf61f81720aa048d3adaf6a8bc2ecc3afde6e0e7b62
Opcode Fuzzy Hash: 0ffcce766031a53e5c69d67cb3a8de697deb3d1611b9a76fa88609c3a7b34521
Instruction Fuzzy Hash: 0981A374E40218CFDB18DFAAD884A9DBBF2BF89305F14D069E809AB365DB349945CF10

Function 02E3B4F2 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02E3B758
PH^q, xrefs: 02E3B747

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 5f6669203868e313053987fe7dc5e4c9a100e30e74a37dc5912e3dca1d8a038e
Instruction ID: e9c7ef47a03fbf57edadb715c000ed98ab8848a30f9f10b6412b698756d7fc84
Opcode Fuzzy Hash: 5f6669203868e313053987fe7dc5e4c9a100e30e74a37dc5912e3dca1d8a038e
Instruction Fuzzy Hash: 8061B374E402089FDB18DFAAD984A9DBBF2FF89305F14D069E819AB365DB345941CF10

Function 06A311A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9a1c199c09e9df46834e6faa02a1624a0af09c72cfa46225bb65ecdef7d471
Instruction ID: cee03b2066d4caa15fa5a3aa820a7ed0f28544f9938ee3a20ac4f0080e03c854
Opcode Fuzzy Hash: 1f9a1c199c09e9df46834e6faa02a1624a0af09c72cfa46225bb65ecdef7d471
Instruction Fuzzy Hash: 6D827F74E012288FDB64DF69D998BDDBBB2BB49300F1081EAA40DA7364DB355E81CF41

Function 02E3F007 Relevance: .7, Instructions: 717COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdfac9859583aabc9d567102f4df0c6ffea3f1f74fd4a938b30e53d006a19645
Instruction ID: 1fe76e6f5f5bf0754c31fd29ef1d7e771eee39465c648b3bd2504f7c30e396d6
Opcode Fuzzy Hash: cdfac9859583aabc9d567102f4df0c6ffea3f1f74fd4a938b30e53d006a19645
Instruction Fuzzy Hash: D472DF74E012288FDB65DF69C994BD9BBB2BB49305F10A1EAE408A7351DB349EC1CF50

Function 06A38608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669d246731577e90839f7b6e7326952751dffbcbbad86840e68540a6e716d6b2
Instruction ID: 64438501988e7ca2c20cc639d36c6701811d12ad176c24f280f11f96b6ca01f3
Opcode Fuzzy Hash: 669d246731577e90839f7b6e7326952751dffbcbbad86840e68540a6e716d6b2
Instruction Fuzzy Hash: 16E1B274E01218CFEB54DFA5D954B9DBBB2BF89304F2081AAE408AB394DB355D85CF50

Function 06A3B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be161ec80e4de49c6bb7b24e45e5f05eda7ef96a83afc8cea03c1fe1e977c7d
Instruction ID: ae83bd12f617ba7bef959136d842ee957ce7159b42b822f41091b3bcc8451f2c
Opcode Fuzzy Hash: 5be161ec80e4de49c6bb7b24e45e5f05eda7ef96a83afc8cea03c1fe1e977c7d
Instruction Fuzzy Hash: 1EA19270E012288FEB64DF6AD944B9DFBF2AF89300F14D0AAD40CA7251DB345A85CF61

Function 06A3D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af4aad4d6eecedf14f4207dc3bcd7de008ba4492d1f470fd6ebe30cb32cda9b
Instruction ID: d9c1361dd1f4fe9abd02068f158c5ac2a827d9b84b32b3b1272205fb5f9865d3
Opcode Fuzzy Hash: 3af4aad4d6eecedf14f4207dc3bcd7de008ba4492d1f470fd6ebe30cb32cda9b
Instruction Fuzzy Hash: 8CA19F70E01228CFEB68DF6AD944B9DBBF2AF89300F14D0AAD409A7250DB745A85CF51

Function 06A3C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd31e3ee1ef0b6f49628b19e612a9aafc4ca5bcf9d035891cdffeae29476955c
Instruction ID: 18094ab0958a8b3db868bcb3d53279f3892313bcc596c27d19214e97584776ed
Opcode Fuzzy Hash: dd31e3ee1ef0b6f49628b19e612a9aafc4ca5bcf9d035891cdffeae29476955c
Instruction Fuzzy Hash: C4A1A171E012288FEB68DF6AD944B9DFBF2AF89310F14D0AAD409B7251DB345A85CF50

Function 06A3A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8823787d8064ed15e5cf5adf647c24005d5383f0f7ed9bdfc8a8bc39900ea469
Instruction ID: 49ea98aea755c5cae8e28e9e7870a609b936de1a9bc7b33c61ed1e9d21b19bc0
Opcode Fuzzy Hash: 8823787d8064ed15e5cf5adf647c24005d5383f0f7ed9bdfc8a8bc39900ea469
Instruction Fuzzy Hash: CFA1A175E012288FEB68DF6AC944B9DFBF2AB89300F14C0AAD54CA7254DB345A85CF51

Function 06A3C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2203e55b9c8e8013083421158fb9b8dfef5785607dc49d8e63dbebac14acd5
Instruction ID: 4426091e308110116b15fd74481fbacd82c5b0f921b37a48dfb79feb46c984b4
Opcode Fuzzy Hash: ce2203e55b9c8e8013083421158fb9b8dfef5785607dc49d8e63dbebac14acd5
Instruction Fuzzy Hash: 82A1A171E012288FEB68DF6AD944B9DFBF2AF89310F14D0AAD409B7251DB345A85CF50

Function 06A3BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5fd80d86c8770aa90bbedc68714abe48754cd073fda45c1e3da056ad4c70079
Instruction ID: aeb168f7d04c1b2944a92f241b23a0adf90518cf2a7ddeb73608032dcd749591
Opcode Fuzzy Hash: c5fd80d86c8770aa90bbedc68714abe48754cd073fda45c1e3da056ad4c70079
Instruction Fuzzy Hash: 78A1B174E012288FEB68DF6AD944B9DFBF2BF89300F14D0AAD409A7250DB345A85CF51

Function 06A3AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e0ce935a427ac2d770f93990de99f88cf81ec455207927cc4e4ae07dcf909e
Instruction ID: 18dfaafafc7a6a374fb1696b7ceb082b30c00303e76f80749829674da25fd216
Opcode Fuzzy Hash: c3e0ce935a427ac2d770f93990de99f88cf81ec455207927cc4e4ae07dcf909e
Instruction Fuzzy Hash: 6BA1A171E012288FEB68DF6AC944B9DFBF2AF89300F14D0AAD50DA7251DB345A85CF51

Function 06A3B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22fb1d9df364291f5b53fcb00a6d5257ad989f7010ee0cb642c9dfeb6d539d63
Instruction ID: 899466d5d3a97f42ee8fe875f163ffac529a39476478e2a67b8de799f13a5c0c
Opcode Fuzzy Hash: 22fb1d9df364291f5b53fcb00a6d5257ad989f7010ee0cb642c9dfeb6d539d63
Instruction Fuzzy Hash: 6AA1A271E012288FEB64DF6AD944B9DFBF2BF89300F14D1AAD408A7254DB345A85CF51

Function 06A3D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07264f926c70296708f73ef2b681399310c57ab19456a3692c0e744ffd8a71f
Instruction ID: fce597e9dfa1511f6cddd60f805bbd4d4b2ed2029772bd6a652f68799b70b8a5
Opcode Fuzzy Hash: a07264f926c70296708f73ef2b681399310c57ab19456a3692c0e744ffd8a71f
Instruction Fuzzy Hash: 01A18F70E01228CFEB68DF6AD944B9DFAF2AF89300F14D0AAD409A7250DB345A85CF51

Function 06A31191 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3064be223a9b054b3b290af2733de17a81ef62a39ee8d9a29fe7c21182abef13
Instruction ID: 6044ce7e1918191e6676e8d1097f110e1480a3ce02bbb9567fda1dffde0e5c2b
Opcode Fuzzy Hash: 3064be223a9b054b3b290af2733de17a81ef62a39ee8d9a29fe7c21182abef13
Instruction Fuzzy Hash: 7D81B174E012289FDB64DF69D895BEDBBB2BF89300F1081EAD848A7254DB305E81CF40

Function 06A3B093 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c64de9c6b07dce24b573527a2c7c947036b0ae0605fb6356153075d5b26ddf
Instruction ID: f4698d83dbacc3812b99486ab98dbffa6896a7a29e96e40b28cdc7c876595e25
Opcode Fuzzy Hash: e2c64de9c6b07dce24b573527a2c7c947036b0ae0605fb6356153075d5b26ddf
Instruction Fuzzy Hash: 53819271E00628CFEB68DF6AD944B9DFAF2AF89300F14C1AAD40CA7254DB345A85CF51

Function 06A3D018 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0f98b613771340560d92b49369a0e7c9a6a815522a79ae7d0ec02b8a1140f9
Instruction ID: 58fbc553a7f57152ff03319431e4d9881617e8a0e97bbb6e871d2b07a110e3e5
Opcode Fuzzy Hash: 2e0f98b613771340560d92b49369a0e7c9a6a815522a79ae7d0ec02b8a1140f9
Instruction Fuzzy Hash: B8717371E01628CFEB68DF6AC944B9DFAF2AF89300F14C0AAD40DA7254DB345A85CF51

Function 06A3AA48 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f0ade9476dc4a55c4a35f7966ca27aaea08d6c531e7d90554f5f6201bb7a91
Instruction ID: baed5cc95c8cc052c247621da992db2421f214ba1f3e70ccb10d2cf150378459
Opcode Fuzzy Hash: d0f0ade9476dc4a55c4a35f7966ca27aaea08d6c531e7d90554f5f6201bb7a91
Instruction Fuzzy Hash: 92718571E00628CFEB58CF6AC944B9DFAF2AF89300F14C0AAD50DA7255DB345A85CF51

Function 06A385FC Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929317f934c3669d0a9e8b8922dea0e9db993e2c8afab4e84c41a0202cfe7f24
Instruction ID: f651ddb51af58f7fe3897456379cfe7cd5998b011a487e199464c7f36cc1a538
Opcode Fuzzy Hash: 929317f934c3669d0a9e8b8922dea0e9db993e2c8afab4e84c41a0202cfe7f24
Instruction Fuzzy Hash: 5D41E3B1E002188BEB58DFAAC9547DEFBF2AF88300F14D16AD418BB250DB355946CF54

Function 06A3C9C8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989922e992730d944147de7d341049749280b561a545ca63b3671a05a1fcfacf
Instruction ID: e5f26648b99d16edc94ae39dd452194ec5c88d96f2d641358106b5845e5d27f4
Opcode Fuzzy Hash: 989922e992730d944147de7d341049749280b561a545ca63b3671a05a1fcfacf
Instruction Fuzzy Hash: 8C4169B1E016188BEB58CF6BCD457CAFAF3AFC9300F04C1AAD50CA6254DB740A868F51

Function 06A3C379 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59713dfbd7eca75b8a24acc66c1a15c6ef7b2eb51279ba75715833f92705f4dd
Instruction ID: 7a035cb7976390a8158667b88cd9bc279df4b883aa10d72d3fccb0bdd99243a1
Opcode Fuzzy Hash: 59713dfbd7eca75b8a24acc66c1a15c6ef7b2eb51279ba75715833f92705f4dd
Instruction Fuzzy Hash: 184169B1E016188BEB58CF6BDD4578AFAF3AFC9310F04C1AAD50CA6254DB740A858F51

Function 06A3BD28 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d80425abce45bcebe04c8507738cdd11c3b073eade1d4bea8c3a8bebc6d7801
Instruction ID: 312369ee7841580ce6036d76a3f48df4b2de6f4b3f0558b963fed652e2427176
Opcode Fuzzy Hash: 2d80425abce45bcebe04c8507738cdd11c3b073eade1d4bea8c3a8bebc6d7801
Instruction Fuzzy Hash: 964159B1E016188BEB58CF6BDD457C9FAF3AFC9304F14C1AAD50CA6264DB740A868F51

Function 06A3D663 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a05dc4338e2022fdd88c28c90885353eedbae76f14b45327d59ab99f9a8a479
Instruction ID: 485649c0fd5325fa9a1a44300afc6960ce0bc159c7fc192f04832f5fb150ea61
Opcode Fuzzy Hash: 3a05dc4338e2022fdd88c28c90885353eedbae76f14b45327d59ab99f9a8a479
Instruction Fuzzy Hash: 344168B1E016188BEB58CF6BCD4578AFAF3AFC8300F04C1AAD50CA6254EB740A858F51

Function 06A3B6D8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d89eb6c02efc059b23ec9a1185106dc1f1ebe4b01f53b0447c6bec1850cfcfe
Instruction ID: 41af716de8e4e34e49d8564e2bed381f216d20c4fad12a98cdf0fea135a9859c
Opcode Fuzzy Hash: 2d89eb6c02efc059b23ec9a1185106dc1f1ebe4b01f53b0447c6bec1850cfcfe
Instruction Fuzzy Hash: BA4169B1E016188BEB58CF6BDD45789FAF3AFC8314F14C1AAC50CA6264EB740A858F51

Function 06A3A3F8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6299f5311f3c61815172e911df45896c1d40435748a556823cdf6dfa1efc1d3c
Instruction ID: 9f74c944cbd3ffd4d1b3ad3e88344a53c08e2ade0e8eabf6f1606d384b604e03
Opcode Fuzzy Hash: 6299f5311f3c61815172e911df45896c1d40435748a556823cdf6dfa1efc1d3c
Instruction Fuzzy Hash: F44189B1E016288BEB58CF6BD9457D9FAF3AFC8304F04C1AAD54CA6264DB340A85CF11

Function 02E36E58 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

,bq, xrefs: 02E372F8
,bq, xrefs: 02E37308
(o^q, xrefs: 02E37367
(o^q, xrefs: 02E36F7D
(o^q, xrefs: 02E3701A
(o^q, xrefs: 02E36F51
(o^q, xrefs: 02E37377
(o^q, xrefs: 02E36E96

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: bec86080f616e19b3f0c45975af0fb3cbf428902bad37e1a4bf174d02bb42f0a
Instruction ID: 73043e0af14e494b649b26f6bb3fa148b1704a6a02453733303a98bca1ffca1b
Opcode Fuzzy Hash: bec86080f616e19b3f0c45975af0fb3cbf428902bad37e1a4bf174d02bb42f0a
Instruction Fuzzy Hash: B7126A70A402099FCB16CF69D988A9EBBF2FF48319F159569E819DB361DB30EC41CB50

Function 02E377F0 Relevance: 3.2, Strings: 2, Instructions: 690COMMON

Download Yara Rule

Strings

$^q, xrefs: 02E38337
$^q, xrefs: 02E38314

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: da081fd19a890164ee980e6bde3ca4c3ce2abdf0d4b76b220daaedc28d3e7ca0
Instruction ID: 6c2ad4767f4c0a9a4bb72c55f3146c6240b02151f0d2e31a69c7ad9984281480
Opcode Fuzzy Hash: da081fd19a890164ee980e6bde3ca4c3ce2abdf0d4b76b220daaedc28d3e7ca0
Instruction Fuzzy Hash: 75524074A00218CFEB54DBA4C894B9EBB73FB94300F1091A9D50A6B3A4DF359D85EF61

Function 02E387E9 Relevance: 2.8, Strings: 2, Instructions: 328COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02E38837
4'^q, xrefs: 02E38811

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 98a3e8f52ebd1673078e3852e6da2f29cb0f9a41d5853b705fa9ecb65634f851
Instruction ID: be20295e605ab882fe24e802e66928c02e8e2d9ede47326d178746e782a9c51e
Opcode Fuzzy Hash: 98a3e8f52ebd1673078e3852e6da2f29cb0f9a41d5853b705fa9ecb65634f851
Instruction Fuzzy Hash: ABB166743901028FDB1ADA29C96DBB93696EF8570AF14946AF506CF3A1EF29CC42C741

Function 02E356A8 Relevance: 2.8, Strings: 2, Instructions: 323COMMON

Download Yara Rule

Strings

Hbq, xrefs: 02E35793
Hbq, xrefs: 02E357C6

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 529ef6b08a4acf55212b51b5e33514edbb2d19b0257d4bec6b5287692a0c849c
Instruction ID: c88088814d680638be99db299412e4414b3c570a44552b902c8de5b51cc92aff
Opcode Fuzzy Hash: 529ef6b08a4acf55212b51b5e33514edbb2d19b0257d4bec6b5287692a0c849c
Instruction Fuzzy Hash: A4B1BE307442508FCB169F79C899B7A7BB2AF8831AF549969E846CB391DF34C801CB91

Function 02E35C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,bq, xrefs: 02E35CE8
,bq, xrefs: 02E35CDE

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 07061d688c70f200edec84312af8b9ba44f0a72ee64f04e57b2eb6f38fa3c59f
Instruction ID: 8043a3fab26503f01ce0637eff16c62e056f585f5e95553e8e47487d698b7170
Opcode Fuzzy Hash: 07061d688c70f200edec84312af8b9ba44f0a72ee64f04e57b2eb6f38fa3c59f
Instruction Fuzzy Hash: B3819E31A80105CFCB15DF69C88CAAAB7F2FF8E21AB95D169D405DB364DB31E841CB91

Function 06A323E0 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06A323FC
LR^q, xrefs: 06A32529

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: bddf4d373f4240c7997d48f24b0347200dd6d5a542f0bca513d45e3d1fe32682
Instruction ID: 65e652e3033c342c67725ee9073588d98d19d77e1819ea245d92c4d09b51d979
Opcode Fuzzy Hash: bddf4d373f4240c7997d48f24b0347200dd6d5a542f0bca513d45e3d1fe32682
Instruction Fuzzy Hash: 5F81C234B101158FCB48EF78D854A6E77B6FF88700B1581A9E506DB3A5EB34EE02CB91

Function 06A39510 Relevance: 2.7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

(bq, xrefs: 06A396EA
(&^q, xrefs: 06A3962B

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: aa54bf9daad8fab0ea9d00f0adad128aadb9092eb0f768b4beb5c32f0fa4555c
Instruction ID: 8b9d855f876345261e08555914c70aca13a00ea4ce2888b358a3e0444ca3aaa9
Opcode Fuzzy Hash: aa54bf9daad8fab0ea9d00f0adad128aadb9092eb0f768b4beb5c32f0fa4555c
Instruction Fuzzy Hash: 32717031F002199BDB55EFB9C8546AEBBF2AF88700F148529E405BB380EF749D46CB91

Function 02E33428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 02E3345E
Xbq, xrefs: 02E33435

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: c92d6106634b7c47e2f122bc3fec41b4531721d364aed2c9030d2b5916c75d10
Instruction ID: f7146b790eb8c09a35b875ac4f0e753ddc2ac3136bfcb3da4e4b21eb9306dd43
Opcode Fuzzy Hash: c92d6106634b7c47e2f122bc3fec41b4531721d364aed2c9030d2b5916c75d10
Instruction Fuzzy Hash: C3312932B803149BDF1E4B69558C67EA7D6ABC0226F149479E806C3380DF75CC41C6D1

Function 02E30C8F Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02E30E5E

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 2d2c507906cd4e3e117138687423aa7c38507a32141bc0cc2323284386e93091
Instruction ID: f7a2ed467c7c5a5c1d79bfcb43387a7b4bf41532997488ff872bc822c8e00672
Opcode Fuzzy Hash: 2d2c507906cd4e3e117138687423aa7c38507a32141bc0cc2323284386e93091
Instruction Fuzzy Hash: 5F22E274E5021ACFCB54DF68E989A8DBBB2FF49301F1086A9E809A7314DB346D95CF50

Function 02E30CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02E30E5E

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: da1bbab240994f1500409273e397a5b9cd47891501731cc777917515c488748f
Instruction ID: 5a8145d096f6fe147b243219f05a0315e47fde472e7f45a4bf4a30e1bcee1acd
Opcode Fuzzy Hash: da1bbab240994f1500409273e397a5b9cd47891501731cc777917515c488748f
Instruction Fuzzy Hash: 6122D274E50219CFCB54DF68E989A8DBBB2FF49301F1086A9E809A7314DB346D95CF50

Function 02E3A650 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02E3A7D9

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: a121408f236ffc4cb41a4fbcabae3e85a11b24ae6eefc80dbfe8378dfddddf5e
Instruction ID: eb5d0af4ac1b12add256fc8539a7b3a601e837c4a1ced20622dd7d826ec830d6
Opcode Fuzzy Hash: a121408f236ffc4cb41a4fbcabae3e85a11b24ae6eefc80dbfe8378dfddddf5e
Instruction Fuzzy Hash: D041CF357002048FCB099F69D95A6EE7BF6FF88211F248469E906E7391DE359C02CBA0

Function 02E3A818 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fda5c7783a6f2dd7d2ed3f7c47a3e48e94814e6b06ef2c8ea1367b5e62f701
Instruction ID: 95c07024a4f048e1eb7f5e81b7519b4569ea6d65c3b4ac5d264a5490ea8d2a9e
Opcode Fuzzy Hash: f6fda5c7783a6f2dd7d2ed3f7c47a3e48e94814e6b06ef2c8ea1367b5e62f701
Instruction Fuzzy Hash: 51F15B71A406148FCB05CF6DD898AADBBF6FF88315B1AD069E445AB361CB35EC81CB50

Function 02E37438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed4d28c14b004ce2f9c47bfd9738d420b48f3d6e651a6c321857a91e2b1cb79
Instruction ID: f2e377d5597afd1d52f4dd417c034ea5e6b0e9c8f303e966092e9f0b37cb8fee
Opcode Fuzzy Hash: 9ed4d28c14b004ce2f9c47bfd9738d420b48f3d6e651a6c321857a91e2b1cb79
Instruction Fuzzy Hash: E8714E75740205CFDB1ADF29C49CAADBBE5AF4960AF1590A9E805CB3B1DB70DC41CB90

Function 02E3CEC7 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea27582315db8c69ec0e6274a37d09b6c1625962ca7fe243bbeabbce9aefbf4
Instruction ID: e93df0a28d68af6747d64cbd1a5f00724d106a3eaf0b39e54e33efea6c109f01
Opcode Fuzzy Hash: 9ea27582315db8c69ec0e6274a37d09b6c1625962ca7fe243bbeabbce9aefbf4
Instruction Fuzzy Hash: 4C51CF708B53429FC3182B24BAAF1AABFB4FB2F3277826D45B10E861158F305855DA21

Function 02E3CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c1c5a8ace661343a6a05f0a82aba294c73eb65704668572b77dad1770d0d33
Instruction ID: 2ddada89ad16b9c275a47606c6affc3cde9d13c4e1acba87e5b108b6eb258b99
Opcode Fuzzy Hash: 40c1c5a8ace661343a6a05f0a82aba294c73eb65704668572b77dad1770d0d33
Instruction Fuzzy Hash: 75519D748B12439FC3182F34BAAF1AABFB4FB6F3277816D01B10E861158F305855DA61

Function 02E3E2D9 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38321aa8cbb587a50ab86e6d904861003ad81d9e9b4474fec22dd27be834866
Instruction ID: 68d0cb70ebd0ee2a130cefff444b1601266412e5e965137125886a963b616212
Opcode Fuzzy Hash: c38321aa8cbb587a50ab86e6d904861003ad81d9e9b4474fec22dd27be834866
Instruction Fuzzy Hash: C2511270D00218DFDB18DFA4D998AEDBBB6FF88304F608529E809AB354DB359985CF40

Function 02E3CD10 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e588ba5bb622e49b7a090bd5d45cece360b34775df154e32e6a8b8d43ed54f76
Instruction ID: 5146936178bea3419aa9bc58c4c40b74704943b9173c96b3d1322a336cc112cb
Opcode Fuzzy Hash: e588ba5bb622e49b7a090bd5d45cece360b34775df154e32e6a8b8d43ed54f76
Instruction Fuzzy Hash: D4519474E01208DFDB48DFA9D58499DBBF2FF89300F24916AE819AB364DB31A905CF50

Function 06A3DCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2666746e75fdf503801dd07e873bce5481eb7b8d13c5a8862ecb02d8c63c263
Instruction ID: 5ddc4cbc2a6db8567d59a30ee8c238e8165a25d591256b8bb734a1e02e6423fe
Opcode Fuzzy Hash: e2666746e75fdf503801dd07e873bce5481eb7b8d13c5a8862ecb02d8c63c263
Instruction Fuzzy Hash: 4C41AA31D51319CFDB00AFA0E46CBEEBBB9EB8A316F405825E11266380CB781E44CF95

Function 02E33908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b2677e37018c261b7bf49de6f6eb90ea058df21e6e722b4bec69887d9e3ceb
Instruction ID: 7eb521656a2737a51a6cccdb006d7b4996e1e7ce555e0e66c051adb86dbd249a
Opcode Fuzzy Hash: 84b2677e37018c261b7bf49de6f6eb90ea058df21e6e722b4bec69887d9e3ceb
Instruction Fuzzy Hash: A451B775E01208CFCB08DFA9E49499DBBF2FF89301B209469E809AB324DB35AD45CF51

Function 02E3F0E9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70310eac6c7a1efb5dd938ef6dfd4674324a7b16f69be7a1365d6db3175e9ab5
Instruction ID: 95c14d0da70aeacad932f45a4629758116cc024b55acc1c658e12dd7ccf39620
Opcode Fuzzy Hash: 70310eac6c7a1efb5dd938ef6dfd4674324a7b16f69be7a1365d6db3175e9ab5
Instruction Fuzzy Hash: A451B174E01228CFCB25DF68D988BEDBBB1BB49306F1095AAD409A7350D7359E85CF50

Function 02E39A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a7e45c2c892e5d551807164321e35e77dec8756e593fd97d5ec0b211803024
Instruction ID: e32f07b90f86273adeb799835f05b397bdb33ee5038fed5594ffe799b0d0e068
Opcode Fuzzy Hash: 97a7e45c2c892e5d551807164321e35e77dec8756e593fd97d5ec0b211803024
Instruction Fuzzy Hash: 0741CD31A44249DFCF16CFA8C848BDEBFB2EF89355F009155E8119B296D3B4E910CBA0

Function 06A39500 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ec6b3009909f22e3a5d7b78e40b25a2977d075e8c4282d4dcbe4c1b65a7053
Instruction ID: d8ff92fe370f6fc0bd6592891ac4234bc782de2a44ee384fb03909b0e4e91948
Opcode Fuzzy Hash: 65ec6b3009909f22e3a5d7b78e40b25a2977d075e8c4282d4dcbe4c1b65a7053
Instruction Fuzzy Hash: C8412E71E002199BDB54EFA5C980ADFFBF5AF88710F148129E415BB380EB70AD46CB91

Function 06A39A49 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2315a59058fa257c09c01cb97fc179b5e43c6a2094fd0c1c53e7d3ed807fcf
Instruction ID: 39190b1a8b6fafc63aa04b608f1a50e258fedb0fa24af8a216527aad037d7f2c
Opcode Fuzzy Hash: 0e2315a59058fa257c09c01cb97fc179b5e43c6a2094fd0c1c53e7d3ed807fcf
Instruction Fuzzy Hash: 6241E374E01218CFCB44DFA9D5946EEBBF5EB48304F10912AE815AB350EB745946CF54

Function 02E3D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0efe61545c60eb6117c55bfb1af5b3ff5bd62b1ec5ae2f632d76cf5d6c3b91c
Instruction ID: 6b59fd3563a1750e383d22711bacf61835c47317c760d3af2bb8d609f87e83df
Opcode Fuzzy Hash: f0efe61545c60eb6117c55bfb1af5b3ff5bd62b1ec5ae2f632d76cf5d6c3b91c
Instruction Fuzzy Hash: 51413970D84108CFCB05DFA8E8996EDBBB2FF49306F60E159E41AA7244DB35A841CF54

Function 02E36730 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6fbf1deaeeaf01c5f4eafb3f1bc8f1a2cb2e2128d7a8408c40b992e6f5bce8
Instruction ID: 1150f825ae0ea9a245cd3375bbb166f1c1453be27ea27474da2b38d6ff05045b
Opcode Fuzzy Hash: 4a6fbf1deaeeaf01c5f4eafb3f1bc8f1a2cb2e2128d7a8408c40b992e6f5bce8
Instruction Fuzzy Hash: 0E41C130A00208EFDF158F69D848BAB7BFAEB48305F04D46AE8159B241DB78DC55CFA5

Function 06A39A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7426a071008c74e3ddca77693ead977f2ee4a3aea876b238d40f23a17d8df4ad
Instruction ID: 515ce982c6888e1041d771618148c2c9f9df31b9a7f8b1ee40096c39a14479f4
Opcode Fuzzy Hash: 7426a071008c74e3ddca77693ead977f2ee4a3aea876b238d40f23a17d8df4ad
Instruction Fuzzy Hash: 3D41D374E01218CFDB44DFA9D5946EEBBF1EF48304F10912AE415AB350EB745946CF50

Function 02E3D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644f796a44292aad5e0d341435f0106259561d43c418d201b6d9be11da977017
Instruction ID: bdcd5ada60f898ba15f348358f19727f115e7b7b97e86dcf5d78b888dc5b1e64
Opcode Fuzzy Hash: 644f796a44292aad5e0d341435f0106259561d43c418d201b6d9be11da977017
Instruction Fuzzy Hash: B841F570E81208CFCB05DFA8E8986EDBBF2FB49306F60E159E419A7244DB35A851CF54

Function 02E3D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d844ba9672561d7624fb46f34e85712e817dd5f442aae4e290bd9c0e06cf011
Instruction ID: a848d717bfaae1e87eb459dc410ca6fc097821da750d38a5a23b76ee62e2e444
Opcode Fuzzy Hash: 8d844ba9672561d7624fb46f34e85712e817dd5f442aae4e290bd9c0e06cf011
Instruction Fuzzy Hash: 52411770E41208CBCB09DFAAD8486EEFBF2FB89305F14E129E814A7254DB359845CF54

Function 02E34DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e0418d8eb33b74959b413371a41b246dec26bfb4d5938bc74caa2932bb4995
Instruction ID: 9fd254f64e7d9f65f07af581df1e29727b28cfdac28560aa9e12b64c7ac973b7
Opcode Fuzzy Hash: 23e0418d8eb33b74959b413371a41b246dec26bfb4d5938bc74caa2932bb4995
Instruction Fuzzy Hash: F23150317441099FCF0A9F65D459AAF3FA7EB88309F108429F9158B390DB38CC65DBA1

Function 06A3DCB1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7b3245c0bee537b69b469214aef37cc9c12c19cc6b1b02146349cde61b06b1
Instruction ID: 890b26fd4ce3461b17b82ba1fc4b1ef3ed4f54a7094655b1dc44ad686f079f3e
Opcode Fuzzy Hash: 8e7b3245c0bee537b69b469214aef37cc9c12c19cc6b1b02146349cde61b06b1
Instruction Fuzzy Hash: 5F318930D51219CFDB00AFA5E46C7EEBBB4EB4A316F409869E51666380CB781A94CF91

Function 02E376E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac41a4fe465fd0e4a382f3b82fcee892a7acc780b6c1ed11cf02e85a6bec73b
Instruction ID: 55d091973e6ecc76185623a5a67051f62625db363c6b77e65ce2552daab5d408
Opcode Fuzzy Hash: aac41a4fe465fd0e4a382f3b82fcee892a7acc780b6c1ed11cf02e85a6bec73b
Instruction Fuzzy Hash: C121CF743842044BEB1A1629C899BBAB6979FC4A5FF14907CE506CB794EF25CC82D3C1

Function 02E3A809 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbaefdac39190b1055a1f53c3df9cdff43e80cce553ed26ac47df39690f1875
Instruction ID: 1ceaa8a51bd0e907d552e3b0316f8853f00d646039a9186d530777417bb95534
Opcode Fuzzy Hash: 2dbaefdac39190b1055a1f53c3df9cdff43e80cce553ed26ac47df39690f1875
Instruction Fuzzy Hash: 50319370A405098FCB04CF6DC889AAEBBB7FF88355B15C169E555A73A5CB34DC42CB90

Function 02E3DF79 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce1da5778944062157554be6d949a122cd31aea76818310305b248c6db18606
Instruction ID: 36843b903c8b20308161772253ad78605ca51496290cd80da851f72d7ced7044
Opcode Fuzzy Hash: 2ce1da5778944062157554be6d949a122cd31aea76818310305b248c6db18606
Instruction Fuzzy Hash: 76219D71E402098BDB09DFABEC086EEBBB6EFC9311F48E525E404B7254DB748905CE65

Function 02E32060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20555aef6931d625ff42d3d5d2d87d186d9ed66acb002ffeede0ba2367bf1fc5
Instruction ID: b46efddb2efe7e1cfb543782ddd7489fb4aa649458448efb75a6108f3d1d8d78
Opcode Fuzzy Hash: 20555aef6931d625ff42d3d5d2d87d186d9ed66acb002ffeede0ba2367bf1fc5
Instruction Fuzzy Hash: 2421E031A002059FCB15DF34C444AAE77A5EB89258F10C019EE8A8B340DB39EE46CBE2

Function 02E35A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040a1980ec4b7bc057332b627eaedaabbf9993fc684f25e8ccbf2df76065af44
Instruction ID: 9d4cf8d90877243abdf9e415735d04a4cca301c83fa3da8e67683c5351b9bad8
Opcode Fuzzy Hash: 040a1980ec4b7bc057332b627eaedaabbf9993fc684f25e8ccbf2df76065af44
Instruction Fuzzy Hash: C421C0317406119FCB1A9A29D4A956EB7A6EBC975AB588169E80ACB340CF34DC02CBD0

Function 02D8D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124561365.0000000002D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2d8d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c871f80b9a3238a78178c638c302ced9aea05e1b86a0f32881308f5e4b1034
Instruction ID: 675f88f22e59b894c60c5371cd4429a725f9fa13753671a0e11861133fc9a237
Opcode Fuzzy Hash: 03c871f80b9a3238a78178c638c302ced9aea05e1b86a0f32881308f5e4b1034
Instruction Fuzzy Hash: B92104B1504204EFDB14EF24D9C4B26BBA6FB88314F30C66DE8494B3D2C73AD846CA61

Function 02E339ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7878858cfc59d283c79444d54906a64973ca72b9cef28b6e4e2510e1868f65
Instruction ID: 37a892a8cf02427a7859fd0e0cae9c2c6ff3b05f6ffcc85e25ea7a67db289f80
Opcode Fuzzy Hash: 1f7878858cfc59d283c79444d54906a64973ca72b9cef28b6e4e2510e1868f65
Instruction Fuzzy Hash: F031B574E11209CFCB04DFA8E59889DBBF2FF49305B2090A9E819AB324D735AD45CF51

Function 02E34DB9 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbbfdc51078b441bd2febba1a45b90cd1a62642c5f3924c30b974a4233a04cb
Instruction ID: 66b6cc8f7acf615044afb6829d4f21929075fc524270a56094d475eed6afeaed
Opcode Fuzzy Hash: afbbfdc51078b441bd2febba1a45b90cd1a62642c5f3924c30b974a4233a04cb
Instruction Fuzzy Hash: AA21A5317441099FCB199F69E849BAB3BA6EB84319F108069F9058B380DB38CC65DBE1

Function 06A396F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49191aa2dfbe62122ddeb6fd6917c11f69a9303bf59b70cce9bbbbfd1770e0ea
Instruction ID: 5b1779b119e77c6d41d6f52aee72d1e3b2efe0780be763a29adc9fdc14c1b325
Opcode Fuzzy Hash: 49191aa2dfbe62122ddeb6fd6917c11f69a9303bf59b70cce9bbbbfd1770e0ea
Instruction Fuzzy Hash: DD1127367082645FCB466FB85C141AE3FE3EFC9250B15446AE405DB3C1DE388D0287A2

Function 02E3D60F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df75c8070087f4922332045551aa38e14d6cf60e350431e6c819333f66d35dab
Instruction ID: 0a8761d8abc9485b51239fcffc219a710ae981b4278719787afb995c1972a212
Opcode Fuzzy Hash: df75c8070087f4922332045551aa38e14d6cf60e350431e6c819333f66d35dab
Instruction Fuzzy Hash: 1A115E71E405088BDB09CFAAD8496EEBBF2EBCD315F04E129D414A7254DB345906CE54

Function 06A3E0C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24606e2f93c0a2d72640fa64b542e529b2a87b088ba08184923bbabd2be30fca
Instruction ID: c07eaa89b993cd0bcef37972f7e9a0bf8538137f0a97c22ec13f97bcf1d8f41a
Opcode Fuzzy Hash: 24606e2f93c0a2d72640fa64b542e529b2a87b088ba08184923bbabd2be30fca
Instruction Fuzzy Hash: 971126303042148FD7091B7A5C556FBAFABAFEA210B184477F546C3396DE388C068771

Function 02E3E201 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0053ea3c5706477d2c6a465ceb39151f65d1a4563c9536d11afbd5077b7f081f
Instruction ID: dd6b390ae97efc404914ef024ff53bd14832e2dc4e212aa4da9330aba4e0cdd6
Opcode Fuzzy Hash: 0053ea3c5706477d2c6a465ceb39151f65d1a4563c9536d11afbd5077b7f081f
Instruction Fuzzy Hash: 81215970E00109DFDB44EFB8E98569EBBF2FB44304F54D5AAD4089B314EB345E458B81

Function 02E31F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f39f0ba461baeba7a2e1a3c7ac675eb5ed12f8682b158a7a4f9a815f1332f0
Instruction ID: 69c0a1e8475bea9e35fc55c0a2bd016ba8e07084ebfb8d6137dc0fe75dc3f277
Opcode Fuzzy Hash: 48f39f0ba461baeba7a2e1a3c7ac675eb5ed12f8682b158a7a4f9a815f1332f0
Instruction Fuzzy Hash: E121C274D106098FCB44EFA8D84A6EEBFF1FB49301F10916AE805B2310EB345A45CBA1

Function 06A39350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7212b64fb9105e9c5b235f88d2bf63fe789e01413f176b42fabf450372088850
Instruction ID: 2c4b6fa5d2d26b860347d79e6e5aa1532c26f29302c1c5c2e356c6ff1091303d
Opcode Fuzzy Hash: 7212b64fb9105e9c5b235f88d2bf63fe789e01413f176b42fabf450372088850
Instruction Fuzzy Hash: CC1164B2800249DFCB10DF99C844BEEBFF4EB48320F108419E918A7210D379A950CFA5

Function 06A39999 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aecf49f41073208b1a442b21c4950543bbdc7a7587883383716b9793375a10ce
Instruction ID: 9b5d73a6c22a3966a9715a7566314294355f2747b7597db8b0c96898b7e4ab22
Opcode Fuzzy Hash: aecf49f41073208b1a442b21c4950543bbdc7a7587883383716b9793375a10ce
Instruction Fuzzy Hash: D71164B2800249DFCB10DF99C845BDEBFF4EB48320F148419E918A7210C339A590CFA4

Function 06A38EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adbc735d3a74ea39b988235f9a62c922b1f0c027469021beea18a8763b1aa12e
Instruction ID: 39285300e56814794256685db05e2d7ae0fba750e76dcd16cbc6c3702846a2f6
Opcode Fuzzy Hash: adbc735d3a74ea39b988235f9a62c922b1f0c027469021beea18a8763b1aa12e
Instruction Fuzzy Hash: C9112E34E001598FEB00DFE8E850B9EBBB2AF49310F119051F908E7348EB3499418B51

Function 02E3E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce1bba756551fa96712e0be7d43880c13118496100046c651c1d693c4676ef0
Instruction ID: f3a983932c65d598412f60f4ab3b38342083431dedea90cbb5b562f2645932b7
Opcode Fuzzy Hash: bce1bba756551fa96712e0be7d43880c13118496100046c651c1d693c4676ef0
Instruction Fuzzy Hash: 02115970E00109DFCB44DFB8E98469EBBF2FB44304F54D5AAC4089B314EB345E458B81

Function 02E35607 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d93d68d4c2abc9bf0da42925dddef9187510f3c648feef6f61a070f61c9ad4
Instruction ID: c14782f19f4b239152debfca23a085b06fcde944e4593a9f6602ec64c76d4442
Opcode Fuzzy Hash: b6d93d68d4c2abc9bf0da42925dddef9187510f3c648feef6f61a070f61c9ad4
Instruction Fuzzy Hash: 5C01D272A001046FCB0A8E659815AEE3FABDBCD251B59806BF505D7380CA398C02DBA0

Function 02E31F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5a422fb367b8fb2973e7ef72948a8ed56cfa91291cbb823b8c07f96c9971a8
Instruction ID: 3014828ae2d80729f877d7e0a81f428c6a4fc980adb4836db90f58517e4e0783
Opcode Fuzzy Hash: cc5a422fb367b8fb2973e7ef72948a8ed56cfa91291cbb823b8c07f96c9971a8
Instruction Fuzzy Hash: 89213674D046098FCB11EFB8D8495EDBFB0BF4A314F1451AAE845BB264EB305A85CBA1

Function 02D8D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124561365.0000000002D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2d8d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: b74431b47e676e261ba743106157a5098a8f8912bb99f345c2aef701c1eb773d
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4711D075504244CFCB11DF20C5C4B15BF62FB44314F24C6A9D8494B392C33AD84ACF51

Function 06A32670 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbd8483c2773a59a44b3d6a9241cc943e95f84403381c2e9314518f9ff6f282
Instruction ID: f3b9d335b21a7a1e77b0dfe282241ffb7011b94100ac5b0565e141abf493d393
Opcode Fuzzy Hash: 0cbd8483c2773a59a44b3d6a9241cc943e95f84403381c2e9314518f9ff6f282
Instruction Fuzzy Hash: 4801C075B101218FC754EBB8D9096ADBBF4FF4C711B00416AE409DB325EB31CD028B91

Function 06A325E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15564ccf1fcb0f220e13ed0db60c87cb0dd3aa36299923ebfb0c282f22498f9c
Instruction ID: 2da8a3c53395ea3415d6cceb4522637e69f1b03d15668b830341a510da528a13
Opcode Fuzzy Hash: 15564ccf1fcb0f220e13ed0db60c87cb0dd3aa36299923ebfb0c282f22498f9c
Instruction Fuzzy Hash: 9201BB70E002199FCF54EFB9D8056EEBBF5EF48201F50856AE419E7250E7385901CF95

Function 06A39760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174117045ed0db21f0b12fdb42828c0b6780265bc6c1b259cd929cfe3ae4956f
Instruction ID: e93225f6e5bcbdd5312c0b5a874d4b7d3fc78e8140488057784e46e63e5a7d09
Opcode Fuzzy Hash: 174117045ed0db21f0b12fdb42828c0b6780265bc6c1b259cd929cfe3ae4956f
Instruction Fuzzy Hash: BBF054377001187F8B055E99A8459AF7AABFBC8250B00442AF90997350DE32891597A5

Function 02E3D449 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e98f9386d9ab9a839f7f4216989c7ac11f0654563d9ab6078f1512789b5072
Instruction ID: 83223580cb47123b964c87de38069f93a43d3956313cf6d28e8d5cd755304507
Opcode Fuzzy Hash: 59e98f9386d9ab9a839f7f4216989c7ac11f0654563d9ab6078f1512789b5072
Instruction Fuzzy Hash: 8EE02B70DC010597D7099A55EC0E6EAB3B8E785331F40A424A000E3340DB749911C651

Function 02E3DF08 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7811d50e42f36c4647ac419d8448fb3006b7bb0234a8838a3261fc9931e90f
Instruction ID: 9d0951c52b540cee512913154ac1273822395bf257c433213736b06d90b01c37
Opcode Fuzzy Hash: 4f7811d50e42f36c4647ac419d8448fb3006b7bb0234a8838a3261fc9931e90f
Instruction Fuzzy Hash: 3BE06870D48305D7DB10DFAAEC982EEFBB4FB8B315F00A834D604B2250DBB49514CAA1

Function 02E3D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9fea7399600d60daa2df6b49b4e1679c295fe03fc9f4fc57d9a7fc1771c8aed
Instruction ID: f5f9047c3d710a2ac5ee7929ac8c74ecf01972997731f51542676afe901d3977
Opcode Fuzzy Hash: f9fea7399600d60daa2df6b49b4e1679c295fe03fc9f4fc57d9a7fc1771c8aed
Instruction Fuzzy Hash: 36E0D8E2C89140CAD71A4BA56C1A0F4BF70DAD7236784B0C7D09587125D715D616D701

Function 02E32010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d3d88b27a4d58b099ac97edc6dfad57cb500e56ce6a4a4b13abf4f7317da25
Instruction ID: 654f69ae7be632b6088a29e6521ad84d05512a59f0cab9680d89bcd154daed47
Opcode Fuzzy Hash: 46d3d88b27a4d58b099ac97edc6dfad57cb500e56ce6a4a4b13abf4f7317da25
Instruction Fuzzy Hash: 08E02632D2022A63CB009BB0DC016DEB738EFD2220F808622D42436500EB74664B86E2

Function 02E32020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015572b7efe4dba3a1817799c29117519244cad61d30d881e0d2c98c3435ed02
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 015572b7efe4dba3a1817799c29117519244cad61d30d881e0d2c98c3435ed02
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 02E38258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 290137cf106d0b2847c1aaba52cc14ba732c2d3346e19285a25aa453b0a8d1dc
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: BEC0123318C1242A9625504E7C44AA3674CD2C12B5A154137F55C9320094425C4081A4

Function 02E3A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 632119fae4f2ed2f4b774364683c1a605bcd0ed2b00ab6d4a8c8a35e2954c5a5
Instruction ID: fc73073b581193525dd0667efcb3a47ddcebcf14867a1b5e983428a5753b07d1
Opcode Fuzzy Hash: 632119fae4f2ed2f4b774364683c1a605bcd0ed2b00ab6d4a8c8a35e2954c5a5
Instruction Fuzzy Hash: 91D0173AB00008DFCF048F89E8408DDBBB6FB9C221B008016F911A3224CA319821CB50

Function 02E3FBEB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a66313535daa08db42055eab704ac5b3b07e1d145e9dbd260424488557b9d2a
Instruction ID: 60cc05e159dc84b70f9a13485bf20e2e3341c0e95275196991cf9b68cc476453
Opcode Fuzzy Hash: 9a66313535daa08db42055eab704ac5b3b07e1d145e9dbd260424488557b9d2a
Instruction Fuzzy Hash: 3FD06774D8411C8BCB24DF54EA452ECB7B0EB99301F0021E69809B3210D6305A90CF11

Non-executed Functions

Function 06A32807 Relevance: 12.9, Strings: 10, Instructions: 388COMMON

Download Yara Rule

Strings

", xrefs: 06A33087
PH^q, xrefs: 06A32CE2
PH^q, xrefs: 06A32BEA
PH^q, xrefs: 06A32DEB
PH^q, xrefs: 06A32CF6
PH^q, xrefs: 06A32EE6
PH^q, xrefs: 06A32DD7
PH^q, xrefs: 06A32ED2
Hbq, xrefs: 06A32869
PH^q, xrefs: 06A32BFE

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID: "$Hbq$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2450740202
Opcode ID: 73328eeddb06a41b654305f133dcc08e5f7d44a5f220dd7740eba82763845bbf
Instruction ID: 830cd58a2257c09f587723f673af58b52d181718e94136d00dd590e78212a8f7
Opcode Fuzzy Hash: 73328eeddb06a41b654305f133dcc08e5f7d44a5f220dd7740eba82763845bbf
Instruction Fuzzy Hash: 1912B274E00218CFDB58DF69D994B9DBBB2BF89300F1085A9D809AB364DB359E85CF50

Function 02E3E528 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5vq, xrefs: 02E3E643

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: ad12cc592f0e43b0beefd01beae35850ca2ef0e64cd4c330fc5a818878eb1bb8
Instruction ID: 5301e511de0eb11afb141c53a8dd6089d657b98747328c1421653ce9c6bb7901
Opcode Fuzzy Hash: ad12cc592f0e43b0beefd01beae35850ca2ef0e64cd4c330fc5a818878eb1bb8
Instruction Fuzzy Hash: A752AB74E01228CFDB65DF69C884B9DBBB2BF89301F1491EAE409A7254DB359E81CF50

Function 06A35EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2cb749f613c7a3aec2672dcdf66cf71fc468e483e404c06c06e7231f8e14da
Instruction ID: 4d337c4175f96d788a272f3058ff64acde03c8a14ed347a38049ca17276722e6
Opcode Fuzzy Hash: 7e2cb749f613c7a3aec2672dcdf66cf71fc468e483e404c06c06e7231f8e14da
Instruction Fuzzy Hash: F7C1B074E00218CFDB54DFA5D954BADBBB2EF88304F2091AAD809AB354DB359D85CF50

Function 06A35618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ca1894b6f514f436ddb48fc628e362eeca6da0836aca415a91dbba4b55ff42
Instruction ID: 087346e02957d40b7c2a3caac4d7c22cdcc707a90afb4a0cc75a4f8d6efaaa7c
Opcode Fuzzy Hash: 48ca1894b6f514f436ddb48fc628e362eeca6da0836aca415a91dbba4b55ff42
Instruction Fuzzy Hash: 1DC1A174E00218CFDB54DFA9D994B9DBBB2EF89300F1081A9D809AB354DB359D85CF50

Function 06A35A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f16c3408fe8e796c7a9f11315d4bb55201418621a847badc5f7e95137deccf6
Instruction ID: 1c3e79036b84c5af26e0d5e6c28e55a6984a6513762490e39fbf28ef4a92eb75
Opcode Fuzzy Hash: 1f16c3408fe8e796c7a9f11315d4bb55201418621a847badc5f7e95137deccf6
Instruction Fuzzy Hash: 37C1A174E00218CFDB54DFA9D954BADBBB2EF89304F2081A9D809AB354DB359E85CF50

Function 06A36BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b640e4665fa78aa7da6ab583498e6b2ede13916ece25a3daec0f2ee258e3e162
Instruction ID: e5764f92c8d490805f884dba789bd2668a6f7080c08008ad9b79a391795d6f76
Opcode Fuzzy Hash: b640e4665fa78aa7da6ab583498e6b2ede13916ece25a3daec0f2ee258e3e162
Instruction Fuzzy Hash: 84C1A074E00218CFDB54DFA5D954BADBBB2EF89300F2091AAE809AB354DB359D85CF50

Function 06A36320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd92f196d17450567ac14ccd15cd965edac27153f44a9e0d0abb1c37b1714f11
Instruction ID: 9ac602ea5ddec6c3500c6f7459bb16d9e8ee73d632e43d07f8b8efb2d951bdb5
Opcode Fuzzy Hash: dd92f196d17450567ac14ccd15cd965edac27153f44a9e0d0abb1c37b1714f11
Instruction Fuzzy Hash: 82C1A074E00218CFDB54DFA5D954BADBBB2EF88300F2091AAE809AB354DB359D85CF50

Function 06A36778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65b3009ea038a228cc25949bdda093aa39f90be9bd4261b32ed8c0dfaa18c6e
Instruction ID: 1f91a249743bc266ea3f5613c252ccb4a9380208484a9d7a75b46fdef465150e
Opcode Fuzzy Hash: a65b3009ea038a228cc25949bdda093aa39f90be9bd4261b32ed8c0dfaa18c6e
Instruction Fuzzy Hash: BBC1B074E00218CFDB54DFA5D954BADBBB2EF88300F2091A9E809AB354DB359E85CF50

Function 06A374A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782130c4de318ff02355a62ae4f0612fd2dffc42a3b95b3e26ddccc88653a537
Instruction ID: 430f87c8b420fca0e9890df97255dafdc494961079d49c2ebbe5b2541ebc51ab
Opcode Fuzzy Hash: 782130c4de318ff02355a62ae4f0612fd2dffc42a3b95b3e26ddccc88653a537
Instruction Fuzzy Hash: 77C1A174E01218CFDB54DFA5D954BADBBB2EF89300F2081AAD809AB354DB359D85CF50

Function 06A30498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b167030da945b9380ad29bc4c82a1e8f192720f4f637ec2f905771d248c93b8a
Instruction ID: a73eb81c911704307cdc6603ae69fdc5f20f46732a79c8f375b574db93751077
Opcode Fuzzy Hash: b167030da945b9380ad29bc4c82a1e8f192720f4f637ec2f905771d248c93b8a
Instruction Fuzzy Hash: 96C1A174E01218CFDB54DFA5D954BADBBB2EF88300F2081A9E809AB354DB359E85CF50

Function 06A308F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5285cc77b62372f098a1dc7a56fa3d90dbca44ede1c1daa438fe9bef5e2f22b9
Instruction ID: 880bb7ac52a3221b7eb7cfac304b1555c040aca5477d5dc9a379584787ae905a
Opcode Fuzzy Hash: 5285cc77b62372f098a1dc7a56fa3d90dbca44ede1c1daa438fe9bef5e2f22b9
Instruction Fuzzy Hash: 56C19074E00218CFDB54DFA5D954BADBBB2EF88304F2081A9E809AB355DB355E85CF50

Function 06A30040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9658249f33995fb5e40e3295dc22eed1fa1cb5acac9f623ffae588d4e94b7544
Instruction ID: b6ae784e8bb2ff4d13b61165c2dc310d5210f63c5e48f1cb99b228d88a615138
Opcode Fuzzy Hash: 9658249f33995fb5e40e3295dc22eed1fa1cb5acac9f623ffae588d4e94b7544
Instruction Fuzzy Hash: E8C1A074E00218CFDB54DFA5D954BADBBB2EF88304F2091A9E809AB354DB359E85CF50

Function 06A37050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec1610d6a9d05d7a4efdf7761b3922f32cec2bc486b284276025a5acb961fa5
Instruction ID: 4ac117a88ab821b8059098bbe149a3d86f6f7b8cb87cd6a350adcc799fc26c7b
Opcode Fuzzy Hash: 5ec1610d6a9d05d7a4efdf7761b3922f32cec2bc486b284276025a5acb961fa5
Instruction Fuzzy Hash: E6C1A174E00218CFDB54DFA5D994BADBBB2EF89300F2091A9E809AB354DB359D85CF50

Function 06A381B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ad90655f0675909920238b17d8bac2c4482d562dcd3a73b233c88acddd280d
Instruction ID: 7c2c54780ee96eb949dd79c246371363d41ca7ff3ddeecd932a2637372c93875
Opcode Fuzzy Hash: 14ad90655f0675909920238b17d8bac2c4482d562dcd3a73b233c88acddd280d
Instruction Fuzzy Hash: 13C1A174E00218CFDB54DFA5D954BADBBB2EF88300F1081A9E809AB354DB359D85CF50

Function 06A35198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1ba0b2f52d1c2b9a44b35c55357acc51df5d880e926ea18639a2ec4260b5ff
Instruction ID: ffd675268168a7fe6f327ff0fa48e4720b906793a59f6aa375260d957e190e62
Opcode Fuzzy Hash: 9b1ba0b2f52d1c2b9a44b35c55357acc51df5d880e926ea18639a2ec4260b5ff
Instruction Fuzzy Hash: F9C1A174E00218CFDB54DFA9D994BADBBB2EF89300F2081A9D809AB354DB359D85CF50

Function 06A37900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0669330da3646eb030832909122057128c83bb7376e48d42d2afba497185761e
Instruction ID: eeb36d3f982ae38657f3e8c2edf31a0eae1a28924beba495bfa9db01ff7fa544
Opcode Fuzzy Hash: 0669330da3646eb030832909122057128c83bb7376e48d42d2afba497185761e
Instruction Fuzzy Hash: 99C19074E00218CFDB54DFA5D954BADBBB2EF88304F2091AAD809AB354DB359E85CF50

Function 06A30D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ac03ad2777c2872469d08fabf96146cabcf9ffe438dea35d3b937a96128b8c
Instruction ID: 6aae7d3e28fbca254af4440c9c6323ff095218a931d25c63cbae2088943bf458
Opcode Fuzzy Hash: 24ac03ad2777c2872469d08fabf96146cabcf9ffe438dea35d3b937a96128b8c
Instruction Fuzzy Hash: E2C1A074E00218CFDB54DFA5D954BADBBB2AF89300F2091A9E809AB354DB359D85CF50

Function 06A37D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ee5069defa0a97ccef53480dde526adb647e5e06a05e869049f0b4858e545f
Instruction ID: 1620554fc5f159e7e2075caf2217d9dd4ae8465177293ed0debec1bd13732fb9
Opcode Fuzzy Hash: 65ee5069defa0a97ccef53480dde526adb647e5e06a05e869049f0b4858e545f
Instruction Fuzzy Hash: D7C19074E00218CFDB54DFA5D954BADBBB2EF89300F2081A9E819AB354DB359E85CF50

Function 06A333B8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697b00a5e10f6d19f7a821c0667dcaa681b52b796462d08bb43eee9516a7040d
Instruction ID: 11d96b2269b4d16da5e42c69ae9eb6b2282421dc5aeb48d50ca8ae09dc5b58b1
Opcode Fuzzy Hash: 697b00a5e10f6d19f7a821c0667dcaa681b52b796462d08bb43eee9516a7040d
Instruction Fuzzy Hash: 8FB1B674E00218CFDB54DFA9D994A9DBBB2FF89310F1081A9E819AB365DB35AD41CF40

Function 02E3EB5B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f208137ea85e21671e9ca0ecaccd68fc260fb3178057e39180a95b07e207c0c
Instruction ID: 8bd39d2b2772c593e74c86dbb73401c5f801dc90636ef494d1fbf2205cc100ca
Opcode Fuzzy Hash: 8f208137ea85e21671e9ca0ecaccd68fc260fb3178057e39180a95b07e207c0c
Instruction Fuzzy Hash: 71A18B74A01228CFDB65DF24C994BE9BBB2BF4A301F5095EAE409A7350DB319E81CF51

Function 06A333A8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df32b88ee777c0b13718e71ac573c4125b270ec87500500adf606d2fc51352f2
Instruction ID: a763e8015854c087d9db739ea8db1e922aa646d96579f92c1edeb91b74aca110
Opcode Fuzzy Hash: df32b88ee777c0b13718e71ac573c4125b270ec87500500adf606d2fc51352f2
Instruction Fuzzy Hash: 8451B574E006588FDB48DFAAD59499DFBF2FF89310F14916AE818AB364DB34A941CF40

Function 02E3ED3C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5486a5c9d63efebf55f0bc60428581eeb3960389f22364f7f21aa9f39299043
Instruction ID: f00ad2d09f9e36f0d02881fb16f3d57585351048a66615f11b4d3cb29c0a045f
Opcode Fuzzy Hash: c5486a5c9d63efebf55f0bc60428581eeb3960389f22364f7f21aa9f39299043
Instruction Fuzzy Hash: 8D519F74A01228CFCB69DF24D954BE9BBB2BF4A301F5095E9E40AA7350DB319E81CF51

Function 06A336CE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4127333420.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2eaff882d85cb20076ceb6fa07f5bd5cc2c4b5cfbe740bf9dc38ba271cc46aa
Instruction ID: ba06cbbe50054df9532ea438de5abaa1097e6f5af4d7868d8a0762039d09f5ec
Opcode Fuzzy Hash: d2eaff882d85cb20076ceb6fa07f5bd5cc2c4b5cfbe740bf9dc38ba271cc46aa
Instruction Fuzzy Hash: 55D09234D8826CCACF20EFA8E9543AEB772FF86301F0025A6E508B7650D7309E51CE16

Function 02E36088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 02E3609E
\;^q, xrefs: 02E360C6
\;^q, xrefs: 02E360BA
\;^q, xrefs: 02E36094

Memory Dump Source

Source File: 00000001.00000002.4124727488.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e30000_CasPol.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 81ab1c8856c1e25b634ae67b5032da9b47f2a55376a77c2952956e8c06366192
Instruction ID: f9c644254b75d1bc2e08bb3ee915e373c4d92c3ff4e0e1d940ef6093559303ab
Opcode Fuzzy Hash: 81ab1c8856c1e25b634ae67b5032da9b47f2a55376a77c2952956e8c06366192
Instruction Fuzzy Hash: 4B019E31780014AF8B358A3CC449A2677EEAF88A6A715916AE102CF3B4DA72DC41CB58

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vsl particulars packing list.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vsl particulars _2a3097b0749cea7c749879686258262f8513b925_f9752cab_9d15ffbb-87c8-4af6-92e9-4ee19c6455a3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CA2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA03D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA05D.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
vsl particulars packing list.exe