Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Bill_Of _Lading.exe

Overview

General Information

Sample name:Bill_Of _Lading.exe
Analysis ID:1544347
MD5:31b5ced94cfe86f5b51c0c1c3650a6a3
SHA1:eaf8c4cc98fa278b8f1398410017d9d46232d475
SHA256:d2529b27449d53c7b0006f144c0d702db17001e014fb9145e7c7b7349db0a277
Tags:AgentTeslaexeuser-threatcat_ch
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Bill_Of _Lading.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\Bill_Of _Lading.exe" MD5: 31B5CED94CFE86F5B51C0C1C3650A6A3)
    • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7552 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • CasPol.exe (PID: 7612 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • CasPol.exe (PID: 7620 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • WerFault.exe (PID: 7716 cmdline: C:\Windows\system32\WerFault.exe -u -p 7400 -s 1048 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.2945675273.00000000032FC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
      00000004.00000002.2945675273.00000000032D1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000004.00000002.2945675273.00000000032D1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000004.00000002.2944572875.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 9 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            4.2.CasPol.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              4.2.CasPol.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                4.2.CasPol.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                0.2.Bill_Of _Lading.exe.1923db2c4c0.5.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  0.2.Bill_Of _Lading.exe.1923db2c4c0.5.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 10 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bill_Of _Lading.exe", ParentImage: C:\Users\user\Desktop\Bill_Of _Lading.exe, ParentProcessId: 7400, ParentProcessName: Bill_Of _Lading.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force, ProcessId: 7552, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bill_Of _Lading.exe", ParentImage: C:\Users\user\Desktop\Bill_Of _Lading.exe, ParentProcessId: 7400, ParentProcessName: Bill_Of _Lading.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force, ProcessId: 7552, ProcessName: powershell.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Initiated: true, ProcessId: 7612, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bill_Of _Lading.exe", ParentImage: C:\Users\user\Desktop\Bill_Of _Lading.exe, ParentProcessId: 7400, ParentProcessName: Bill_Of _Lading.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force, ProcessId: 7552, ProcessName: powershell.exe

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
                    Multi AV Scanner detection for submitted file
                    Source: Bill_Of _Lading.exeReversingLabs: Detection: 71%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for sample
                    Source: Bill_Of _Lading.exeJoe Sandbox ML: detected

                    Exploits

                    barindex
                    Yara detected UAC Bypass using CMSTP
                    Source: Yara matchFile source: 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Bill_Of _Lading.exe PID: 7400, type: MEMORYSTR
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49736 version: TLS 1.2
                    Source: Bill_Of _Lading.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: System.Management.pdbP0# source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Windows.Forms.pdbP source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Core.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: mscorlib.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Drawing.pdbq1 source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Management.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Drawing.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Management.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Core.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.pdb8 source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER5691.tmp.dmp.7.dr
                    Source: Joe Sandbox ViewIP Address: 46.175.148.58 46.175.148.58
                    Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                    Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                    Source: Joe Sandbox ViewASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.4:49738 -> 46.175.148.58:25
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: mail.iaa-airferight.com
                    Source: CasPol.exe, 00000004.00000002.2945675273.00000000032FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.iaa-airferight.com
                    Source: CasPol.exe, 00000004.00000002.2945675273.0000000003281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Amcache.hve.7.drString found in binary or memory: http://upx.sf.net
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777775843.000001923DAF1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.2944572875.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777775843.000001923DAF1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.2945675273.0000000003281000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.2944572875.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: CasPol.exe, 00000004.00000002.2945675273.0000000003281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: CasPol.exe, 00000004.00000002.2945675273.0000000003281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49736 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, abAX9N.cs.Net Code: OPnJT
                    Source: 0.2.Bill_Of _Lading.exe.1923db66f08.4.raw.unpack, abAX9N.cs.Net Code: OPnJT

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 4.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Bill_Of _Lading.exe.1923db66f08.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Bill_Of _Lading.exe.1923db66f08.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: Bill_Of _Lading.exe
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B98757B NtUnmapViewOfSection,0_2_00007FFD9B98757B
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B98AB170_2_00007FFD9B98AB17
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B993AB10_2_00007FFD9B993AB1
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B98AEF10_2_00007FFD9B98AEF1
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B98DE890_2_00007FFD9B98DE89
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B9835080_2_00007FFD9B983508
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B9885500_2_00007FFD9B988550
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B9835200_2_00007FFD9B983520
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B993B080_2_00007FFD9B993B08
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B993B570_2_00007FFD9B993B57
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B9834950_2_00007FFD9B983495
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9BA500020_2_00007FFD9BA50002
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_02DBA1984_2_02DBA198
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_02DBE6AF4_2_02DBE6AF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_02DB4A984_2_02DB4A98
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_02DBA9604_2_02DBA960
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_02DB3E804_2_02DB3E80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_02DB41C84_2_02DB41C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A1A25C4_2_06A1A25C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A1BAD24_2_06A1BAD2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A1BAD84_2_06A1BAD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A255884_2_06A25588
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A265E04_2_06A265E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A2B20F4_2_06A2B20F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A223584_2_06A22358
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A27D684_2_06A27D68
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A276884_2_06A27688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A2E3884_2_06A2E388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A200404_2_06A20040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A200074_2_06A20007
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7400 -s 1048
                    Source: Bill_Of _Lading.exeStatic PE information: No import functions for PE file found
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777775843.000001923DAF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs Bill_Of _Lading.exe
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777775843.000001923DAF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEqaxaye@ vs Bill_Of _Lading.exe
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777775843.000001923DDEE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEqaxaye@ vs Bill_Of _Lading.exe
                    Source: Bill_Of _Lading.exe, 00000000.00000000.1682434970.000001922BDB6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNewStb.exe4 vs Bill_Of _Lading.exe
                    Source: Bill_Of _Lading.exeBinary or memory string: OriginalFilenameNewStb.exe4 vs Bill_Of _Lading.exe
                    Source: 4.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Bill_Of _Lading.exe.1923db66f08.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Bill_Of _Lading.exe.1923db66f08.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, RsYAkkzVoy.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, Kqqzixk.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, xROdzGigX.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, ywes.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, iPVW0zV.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, 1Pi9sgbHwoV.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, YUgDfWK2g4.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, YUgDfWK2g4.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, MarWtcu.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, MarWtcu.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, MarWtcu.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, MarWtcu.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@10/10@2/2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7400
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1w10vwtz.wqg.ps1Jump to behavior
                    Source: Bill_Of _Lading.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Bill_Of _Lading.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: Bill_Of _Lading.exeReversingLabs: Detection: 71%
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeFile read: C:\Users\user\Desktop\Bill_Of _Lading.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\Bill_Of _Lading.exe "C:\Users\user\Desktop\Bill_Of _Lading.exe"
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7400 -s 1048
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -ForceJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: Bill_Of _Lading.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Bill_Of _Lading.exeStatic file information: File size 1433631 > 1048576
                    Source: Bill_Of _Lading.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: System.Management.pdbP0# source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Windows.Forms.pdbP source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Core.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: mscorlib.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Drawing.pdbq1 source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Management.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Drawing.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Management.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Core.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.ni.pdb source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.pdb8 source: WER5691.tmp.dmp.7.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER5691.tmp.dmp.7.dr
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B988167 push ebx; ret 0_2_00007FFD9B98816A
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B9800BD pushad ; iretd 0_2_00007FFD9B9800C1
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B9878CB push ebx; retf 0_2_00007FFD9B98796A
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B987841 push ebx; retf 0_2_00007FFD9B98796A
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9B986830 pushad ; iretd 0_2_00007FFD9B9868C9
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeCode function: 0_2_00007FFD9BA50002 push esp; retf 4810h0_2_00007FFD9BA50312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_02DBAA8D push edi; ret 4_2_02DBAA91
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_02DBABA7 push esi; ret 4_2_02DBABB5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_02DBAC92 push ebp; ret 4_2_02DBAC96
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_02DBADDB push esp; ret 4_2_02DBADDD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A13A40 push FC06B0DAh; retf 4_2_06A13A4D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A2FFBF push es; ret 4_2_06A2FFC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4_2_06A2EAE8 push cs; retn 5505h4_2_06A2EAF6

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: Bill_Of _Lading.exe PID: 7400, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLLP
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAMEP
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeMemory allocated: 1922C010000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeMemory allocated: 19245AE0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: 2DB0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: 3280000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: 5280000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: IdentifierJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeFile opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sysJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0Jump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeFile opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sysJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeFile opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sysJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7059Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2632Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 2555Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 7285Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -27670116110564310s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7872Thread sleep count: 2555 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -99875s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7872Thread sleep count: 7285 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -99765s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -99651s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -99545s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -99437s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -99328s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -99207s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -99079s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -98953s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -98844s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -98734s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -98625s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -98516s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -98391s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -98266s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -98023s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -97906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -97778s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -97609s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -97453s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -97344s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -97219s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -97109s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -97000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -96890s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -96781s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -96672s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -96562s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -96453s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -96344s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -96234s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -96125s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -96016s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -95891s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -95766s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -95656s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -95547s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -95437s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -95328s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -95219s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -95109s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -95000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -94891s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -94766s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -94641s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -94531s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -94422s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -94312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -94203s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -94094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -93984s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7868Thread sleep time: -93875s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99651Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99545Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99207Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99079Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98953Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98844Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98625Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98516Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98391Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98266Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98023Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97778Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97609Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97344Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97219Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 96890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 96781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 96672Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 96562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 96453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 96344Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 96234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 96125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 96016Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 95891Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 95766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 95656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 95547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 95437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 95328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 95219Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 95109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 95000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 94891Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 94766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 94641Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 94531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 94422Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 94312Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 94203Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 94094Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 93984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 93875Jump to behavior
                    Source: Amcache.hve.7.drBinary or memory string: VMware
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: QEMUP
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Amcache.hve.7.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: Amcache.hve.7.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.7.drBinary or memory string: vmci.sys
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: Amcache.hve.7.drBinary or memory string: VMware20,1
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
                    Source: Amcache.hve.7.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.7.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.7.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.7.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.7.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.7.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.7.drBinary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.7.drBinary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.7.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREP
                    Source: Amcache.hve.7.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.7.drBinary or memory string: VMware Virtual USB Mouse
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareP
                    Source: Amcache.hve.7.drBinary or memory string: vmci.syshbin
                    Source: Amcache.hve.7.drBinary or memory string: VMware, Inc.
                    Source: Amcache.hve.7.drBinary or memory string: VMware20,1hbin@
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
                    Source: Amcache.hve.7.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.7.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.7.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1782046721.0000019246390000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: Amcache.hve.7.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.7.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIP
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
                    Source: Amcache.hve.7.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.7.drBinary or memory string: vmci.syshbin`
                    Source: Amcache.hve.7.drBinary or memory string: \driver\vmci,\driver\pci
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Amcache.hve.7.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.7.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Bill_Of _Lading.exe, 00000000.00000002.1777119131.000001922DB01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
                    Source: CasPol.exe, 00000004.00000002.2949458385.00000000062F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll||
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    .NET source code references suspicious native API functions
                    Source: Bill_Of _Lading.exe, .csReference to suspicious API methods: GetProcAddress(, )
                    Source: Bill_Of _Lading.exe, .csReference to suspicious API methods: LoadLibrary("kernel32.dll")
                    Source: Bill_Of _Lading.exe, .csReference to suspicious API methods: GetProcAddress(, "VirtualProtect")
                    Source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, DWQSVyCYV.csReference to suspicious API methods: uJn9vmw.OpenProcess(_9bBuo4xIRNG.DuplicateHandle, bInheritHandle: true, (uint)lKyMoD2.ProcessID)
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -ForceJump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000Jump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000Jump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43C000Jump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F86008Jump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -ForceJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeQueries volume information: C:\Users\user\Desktop\Bill_Of _Lading.exe VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Lowering of HIPS / PFW / Operating System Security Settings

                    barindex
                    Disables UAC (registry)
                    Source: C:\Users\user\Desktop\Bill_Of _Lading.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUAJump to behavior
                    Source: Amcache.hve.7.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.7.drBinary or memory string: msmpeng.exe
                    Source: Amcache.hve.7.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.7.drBinary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 4.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Bill_Of _Lading.exe.1923db66f08.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Bill_Of _Lading.exe.1923db66f08.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000004.00000002.2945675273.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2945675273.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2944572875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1777775843.000001923DAF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Bill_Of _Lading.exe PID: 7400, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 7612, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 4.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Bill_Of _Lading.exe.1923db66f08.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Bill_Of _Lading.exe.1923db66f08.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000004.00000002.2945675273.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2944572875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1777775843.000001923DAF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Bill_Of _Lading.exe PID: 7400, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 7612, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 4.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Bill_Of _Lading.exe.1923db66f08.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Bill_Of _Lading.exe.1923db66f08.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Bill_Of _Lading.exe.1923db2c4c0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000004.00000002.2945675273.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2945675273.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2944572875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1777775843.000001923DAF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Bill_Of _Lading.exe PID: 7400, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 7612, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		211
                    Process Injection                    		21
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		341
                    Security Software Discovery                    		Remote Services1
                    Email Collection                    		11
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Native API                    		Boot or Logon Initialization Scripts1
                    DLL Side-Loading                    		261
                    Virtualization/Sandbox Evasion                    		1
                    Input Capture                    		1
                    Process Discovery                    		Remote Desktop Protocol1
                    Input Capture                    		1
                    Ingress Tool Transfer                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)211
                    Process Injection                    		1
                    Credentials in Registry                    		261
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin Shares11
                    Archive Collected Data                    		2
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                    Deobfuscate/Decode Files or Information                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object Model2
                    Data from Local System                    		23
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Obfuscated Files or Information                    		LSA Secrets1
                    System Network Configuration Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading                    		Cached Domain Credentials1
                    File and Directory Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync24
                    System Information Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1544347 Sample: Bill_Of _Lading.exe Startdate: 29/10/2024 Architecture: WINDOWS Score: 100 23 mail.iaa-airferight.com 2->23 25 api.ipify.org 2->25 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 11 other signatures 2->37 8 Bill_Of _Lading.exe 1 4 2->8         started        signatures3 process4 signatures5 39 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->39 41 Writes to foreign memory regions 8->41 43 Adds a directory exclusion to Windows Defender 8->43 45 2 other signatures 8->45 11 CasPol.exe 15 4 8->11         started        15 powershell.exe 23 8->15         started        17 WerFault.exe 20 16 8->17         started        19 2 other processes 8->19 process6 dnsIp7 27 mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine 11->27 29 api.ipify.org 172.67.74.152, 443, 49736 CLOUDFLARENETUS United States 11->29 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->47 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->49 51 Tries to steal Mail credentials (via file / registry access) 11->51 55 2 other signatures 11->55 53 Loading BitLocker PowerShell Module 15->53 21 conhost.exe 15->21         started        signatures8 process9

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    Bill_Of _Lading.exe71%ReversingLabsWin64.Spyware.Negasteal
                    Bill_Of _Lading.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    https://api.ipify.org/0%URL Reputationsafe
                    https://api.ipify.org0%URL Reputationsafe
                    http://upx.sf.net0%URL Reputationsafe
                    https://account.dyn.com/0%URL Reputationsafe
                    https://api.ipify.org/t0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    mail.iaa-airferight.com
                    		46.175.148.58
                    		truetrue
                      		unknown
                      api.ipify.org
                      		172.67.74.152
                      		truefalse
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://api.ipify.org/false
                        • URL Reputation: safe
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://api.ipify.orgBill_Of _Lading.exe, 00000000.00000002.1777775843.000001923DAF1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.2945675273.0000000003281000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.2944572875.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://upx.sf.netAmcache.hve.7.drfalse
                        • URL Reputation: safe
                        		unknown
                        https://account.dyn.com/Bill_Of _Lading.exe, 00000000.00000002.1777775843.000001923DAF1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.2944572875.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://api.ipify.org/tCasPol.exe, 00000004.00000002.2945675273.0000000003281000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCasPol.exe, 00000004.00000002.2945675273.0000000003281000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://mail.iaa-airferight.comCasPol.exe, 00000004.00000002.2945675273.00000000032FC000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          46.175.148.58
                          		mail.iaa-airferight.comUkraine
                          		56394ASLAGIDKOM-NETUAtrue
                          172.67.74.152
                          		api.ipify.orgUnited States
                          		13335CLOUDFLARENETUSfalse

                          General Information

                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1544347
                          Start date and time:2024-10-29 10:06:45 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 5m 51s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:12
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:Bill_Of _Lading.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.expl.evad.winEXE@10/10@2/2
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 88%
                          • Number of executed functions: 79
                          • Number of non-executed functions: 6
                          Cookbook Comments:
                          • Found application associated with file extension: .exe

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                          • Excluded IPs from analysis (whitelisted): 20.42.65.92, 52.182.143.212
                          • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.
                          • VT rate limit hit for: Bill_Of _Lading.exe

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          05:07:42API Interceptor19x Sleep call for process: powershell.exe modified
                          05:07:44API Interceptor183x Sleep call for process: CasPol.exe modified
                          05:07:45API Interceptor1x Sleep call for process: WerFault.exe modified

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          46.175.148.58techno POORD035338.exeGet hashmaliciousAgentTeslaBrowse
                            New Cmr JV2410180005.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                              PO F1298-24 Fabric Order.exeGet hashmaliciousAgentTeslaBrowse
                                PO F1298-24 Fabric Order.zipGet hashmaliciousAgentTeslaBrowse
                                  PO 316347 24MIA00660067.exeGet hashmaliciousAgentTeslaBrowse
                                    Purchase Order For Linear Actuator.exeGet hashmaliciousAgentTeslaBrowse
                                      PO FOR CONNECTOR WITH TERMINAL.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                        New PO-Auras Demand.exeGet hashmaliciousAgentTeslaBrowse
                                          SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exeGet hashmaliciousAgentTeslaBrowse
                                            New Purchase Order 568330.exeGet hashmaliciousAgentTeslaBrowse
                                              172.67.74.15267065b4c84713_Javiles.exeGet hashmaliciousRDPWrap ToolBrowse
                                              • api.ipify.org/
                                              Yc9hcFC1ux.exeGet hashmaliciousUnknownBrowse
                                              • api.ipify.org/
                                              4F08j2Rmd9.binGet hashmaliciousXmrigBrowse
                                              • api.ipify.org/
                                              y8tCHz7CwC.binGet hashmaliciousXmrigBrowse
                                              • api.ipify.org/
                                              file.exeGet hashmaliciousUnknownBrowse
                                              • api.ipify.org/
                                              file.exeGet hashmaliciousUnknownBrowse
                                              • api.ipify.org/
                                              file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                              • api.ipify.org/
                                              file.exeGet hashmaliciousRDPWrap ToolBrowse
                                              • api.ipify.org/
                                              Prismifyr-Install.exeGet hashmaliciousNode StealerBrowse
                                              • api.ipify.org/
                                              2zYP8qOYmJ.exeGet hashmaliciousUnknownBrowse
                                              • api.ipify.org/

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              mail.iaa-airferight.comtechno POORD035338.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              New Cmr JV2410180005.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                              • 46.175.148.58
                                              PO F1298-24 Fabric Order.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              PO F1298-24 Fabric Order.zipGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              PO 316347 24MIA00660067.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              Purchase Order For Linear Actuator.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              PO FOR CONNECTOR WITH TERMINAL.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                              • 46.175.148.58
                                              New PO-Auras Demand.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              New Purchase Order 568330.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              api.ipify.orgShipping documents 00029399400059.exeGet hashmaliciousAgentTeslaBrowse
                                              • 172.67.74.152
                                              z20SWIFT_MT103_Payment_552016_pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 104.26.12.205
                                              file.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                              • 172.67.74.152
                                              Remittance Receipt.exeGet hashmaliciousAgentTeslaBrowse
                                              • 104.26.12.205
                                              SecuriteInfo.com.Win64.Malware-gen.4046.15809.exeGet hashmaliciousEICARBrowse
                                              • 104.26.13.205
                                              SecuriteInfo.com.Win64.Malware-gen.4046.15809.exeGet hashmaliciousUnknownBrowse
                                              • 104.26.12.205
                                              SUNNY HONG VSL PARTICULARS.xlsx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 172.67.74.152
                                              SecuriteInfo.com.Trojan.Inject5.10837.16335.2292.exeGet hashmaliciousAgentTeslaBrowse
                                              • 172.67.74.152
                                              Rampage.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                              • 104.26.13.205

                                              ASNs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              ASLAGIDKOM-NETUAtechno POORD035338.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              New Cmr JV2410180005.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                              • 46.175.148.58
                                              PO F1298-24 Fabric Order.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              PO F1298-24 Fabric Order.zipGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              PO 316347 24MIA00660067.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              Purchase Order For Linear Actuator.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              PO FOR CONNECTOR WITH TERMINAL.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                              • 46.175.148.58
                                              New PO-Auras Demand.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              New Purchase Order 568330.exeGet hashmaliciousAgentTeslaBrowse
                                              • 46.175.148.58
                                              CLOUDFLARENETUSProforma-Invoice#018879TT0100..docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                              • 188.114.96.3
                                              swift-copy31072024PDF.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • 1.1.1.1
                                              ST007 SWIFT CONFIRMATION.xlsGet hashmaliciousUnknownBrowse
                                              • 188.114.97.3
                                              file.exeGet hashmaliciousLummaCBrowse
                                              • 188.114.96.3
                                              ST007 SWIFT CONFIRMATION.xlsGet hashmaliciousUnknownBrowse
                                              • 188.114.96.3
                                              Transferencia.docGet hashmaliciousQuasarBrowse
                                              • 188.114.96.3
                                              https://clairecarpenter.com/wp-includes/css/pbcmc.php?7112797967704b536932307466507a4373757943784b5463314a54533470796b784f7a456e567130725553383750315338317430677031416341#Email#Get hashmaliciousHTMLPhisherBrowse
                                              • 104.17.25.14
                                              https://inspireelectricale.za.com/u78dqGet hashmaliciousHTMLPhisherBrowse
                                              • 104.17.25.14
                                              https://banginggamestore.xyz/?encoded_value=223GDT1&sub1=239ba09cf2754b24813bab1ed4e19d57&sub2=&sub3=&sub4=&sub5=21539&source_id=20131&ip=94.107.182.21&domain=www.followthislinknow.comGet hashmaliciousUnknownBrowse
                                              • 172.67.179.37
                                              file.exeGet hashmaliciousStealc, VidarBrowse
                                              • 172.64.41.3

                                              JA3 Fingerprints

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              3b5074b1b5d032e5620f69f9f700ff0eIGNM2810202400017701_270620240801_546001.vbsGet hashmaliciousGuLoaderBrowse
                                              • 172.67.74.152
                                              https://clairecarpenter.com/wp-includes/css/pbcmc.php?7112797967704b536932307466507a4373757943784b5463314a54533470796b784f7a456e567130725553383750315338317430677031416341#Email#Get hashmaliciousHTMLPhisherBrowse
                                              • 172.67.74.152
                                              file.exeGet hashmaliciousStealc, VidarBrowse
                                              • 172.67.74.152
                                              https://filerit.com/pi-240924.ps1Get hashmaliciousUnknownBrowse
                                              • 172.67.74.152
                                              JVLkkfzSKW.exeGet hashmaliciousStealc, VidarBrowse
                                              • 172.67.74.152
                                              Shipping documents 00029399400059.exeGet hashmaliciousAgentTeslaBrowse
                                              • 172.67.74.152
                                              file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Quasar, StealcBrowse
                                              • 172.67.74.152
                                              z20SWIFT_MT103_Payment_552016_pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 172.67.74.152
                                              https://mail.kb4.io/XT0VNMzRJS3djRnBKZnFha1JaVThBUHFHRmpuS2FmSUY4aUszUlY3Sm0rWmpyUWR3ekQzL2xjN0xhVVJlTzhvZzgyMGtTUkxmSWtGdWlUY2I0NStmRWlLS2xHcGZsNTZUN3VyanNiKzVaNjhaeTRSTXFXVGdwc0J4amUxRFFPMU5DTTd5ejl5aXZxUlBwL1NDaDBRSk9DWVJkc09KRUZodTl0SFh5bFVVWEdYZTMzcm5ZTCtCSGpmZWRIMEprQjhiZExvOE9wSGkwUS9KTjQwSVdjQT0tLVBNYWNLTzcyT0xCdDkzb3ItLURlVmNvdGI3d3BGenM5UWJzc1EreXc9PQ==?cid=2260646675Get hashmaliciousUnknownBrowse
                                              • 172.67.74.152
                                              setup.exeGet hashmaliciousUnknownBrowse
                                              • 172.67.74.152

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Bill_Of _Lading._d5a6bc31333ed2731238387cca9c2baed124745_111ed6a7_b97e09e4-30ca-4144-a8f1-17b94789fc12\Report.wer

                                              Download File
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):1.2279597446700177
                                              Encrypted:false
                                              SSDEEP:192:kq4S1P6Bz50UnUFaWBHhQ83mudzuiF6Z24lO833:r4SgBOUnUFamHhYqzuiF6Y4lO833
                                              MD5:6ABEDAFE7C2A130D74E2CA8248E247E8
                                              SHA1:5D30A4CEFFD323B00C8BEEA5FD53B4F1072AF943
                                              SHA-256:09A7D44124F52C523F40E3177311CF2A612B2CECB212BACC0739CE38D80B892A
                                              SHA-512:9B534EA56EADDBDDF3FE254DCBB8816575D18C167BFCD69FB67C06CE63970A51D38233B700A990B6A171ADF544511AB81252BC6B6E01659EB64922274F84DA2C
                                              Malicious:false
                                              Reputation:low
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.6.6.6.4.6.1.6.7.1.7.5.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.6.6.6.4.6.2.3.7.4.8.7.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.9.7.e.0.9.e.4.-.3.0.c.a.-.4.1.4.4.-.a.8.f.1.-.1.7.b.9.4.7.8.9.f.c.1.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.1.4.5.f.3.3.-.0.8.6.6.-.4.5.3.8.-.8.a.6.f.-.6.3.0.9.e.5.0.e.0.1.f.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.B.i.l.l._.O.f. ._.L.a.d.i.n.g...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.N.e.w.S.t.b...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.e.8.-.0.0.0.1.-.0.0.1.4.-.b.7.6.c.-.2.2.f.f.e.1.2.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.0.e.5.0.8.a.9.0.6.9.a.1.b.4.f.0.5.b.e.4.4.4.1.e.a.6.1.0.9.6.f.0.0.0.0.0.0.0.0.!.0.0.0.0.e.a.f.8.c.4.c.c.9.8.f.a.2.7.8.b.8.f.1.3.9.8.4.1.0.0.1.7.d.9.d.4.6.2.3.2.d.4.7.5.!.B.i.l.l._.O.f.

                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER5691.tmp.dmp

                                              Download File
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:Mini DuMP crash report, 16 streams, Tue Oct 29 09:07:42 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):482528
                                              Entropy (8bit):3.269457065642725
                                              Encrypted:false
                                              SSDEEP:6144:oKI+3kndFabT6e44fLKCsea7uLMH/zbq13QMg:oKnHieaaKqZQMg
                                              MD5:F2E5D00B66E8CBAA7943834DEB6BC073
                                              SHA1:334D2CCA5754AECBB1D43CD10F9289E5A24D98DD
                                              SHA-256:240F17DFE078E42B2CD9E5386E26FDB3276C303562584320CC402665DB281869
                                              SHA-512:EF79F68A5E78ACF2B47B0EF3C24ADA6F3CFC4EB03858033AAD50505B20968B8A1FE517F0A780A78F7EFCB4CB74C43C735CB3A4FFF3EBDD8EF6786333B26DCEAF
                                              Malicious:false
                                              Reputation:low
                                              Preview:MDMP..a..... ........ g............t...........<...........$....(......0 ...(.......O..............l.......8...........T...........`<... ..........$I...........K..............................................................................eJ.......K......Lw......................T............ g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER5886.tmp.WERInternalMetadata.xml

                                              Download File
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8626
                                              Entropy (8bit):3.709597188813778
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJ500QO6Y9Xxhqgmfa6JAprs89b6PwOf5kfm:R6lXJ60QO6Y9xhqgmfaic6PhfWe
                                              MD5:886D39524A24AADE3E4B89D378B47AC5
                                              SHA1:1BAF08359553B5D2EFFA85894C11FA78CCBE714F
                                              SHA-256:FD0A64F740C7F8B4C49404391C05261D3CD27749399BC7A314178C836BD639BB
                                              SHA-512:8E5878E47BF64C8C9392BAE050B50129D340A045EEC03867DB553AB87C7D8AD7FD8525D07AB08642157BEB1ADD1EB2988EC382296D987DAFB24C130750DA5404
                                              Malicious:false
                                              Reputation:low
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.0.0.<./.P.i.

                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER58D5.tmp.xml

                                              Download File
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4784
                                              Entropy (8bit):4.515998876231688
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zs8Jg771I99iWpW8VY6Ym8M4JrtAFNyq85G+dRerv8pd:uIjf6I7mj7V+JrOXG0rv8pd
                                              MD5:F035CA573E8F7CB4BFE8165B30DB96CD
                                              SHA1:F34187E173E5A4F96FB58E1B525160F126D19051
                                              SHA-256:73A31CA0D2DC24EB0D093C853108E2AC1DA989B0961865DC0CC8231FAA168584
                                              SHA-512:4923A27241076F51DB6164683A88673EE45AF21C193BD11471B7AF8013B7FB743103E8A332F290256B1FBDE4257D4A9649EF4E66955D816268E86E510F617014
                                              Malicious:false
                                              Reputation:low
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="564490" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):1.1940658735648508
                                              Encrypted:false
                                              SSDEEP:3:Nlllulbnolz:NllUc
                                              MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                              SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                              SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                              SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview:@...e................................................@..........

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1w10vwtz.wqg.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kjuxhrd.arq.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvfrzyx5.k1x.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sux4zclx.ilm.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Windows\appcompat\Programs\Amcache.hve

                                              Download File
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:MS Windows registry file, NT/2000 or above
                                              Category:dropped
                                              Size (bytes):1835008
                                              Entropy (8bit):4.465628472598911
                                              Encrypted:false
                                              SSDEEP:6144:8IXfpi67eLPU9skLmb0b4/WSPKaJG8nAgejZMMhA2gX4WABl0uNadwBCswSbF:BXD94/WlLZMM6YFHk+F
                                              MD5:C98D6BAB55554E735BDA60E5BEDBC092
                                              SHA1:534B8A375EE6123490C2C8EACAD76B7B232BA412
                                              SHA-256:3AC71D71E858157ECD4BF3F5BE8B600AA8C49EBDD55C1CC64C42C9BF773BBC2B
                                              SHA-512:2A1797754719592692CFF9590EBF69BA1D3D2DC23CD67B579F07DA6916C76417FE57D422122F49A556747971123253667E35F654F644BF49952E631E59280CEF
                                              Malicious:false
                                              Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.l4..)................................................................................................................................................................................................................................................................................................................................................#6........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                              Static File Info

                                              General

                                              File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):6.334744855511504
                                              TrID:
                                              • Win64 Executable Console Net Framework (206006/5) 48.58%
                                              • Win64 Executable Console (202006/5) 47.64%
                                              • Win64 Executable (generic) (12005/4) 2.83%
                                              • Generic Win/DOS Executable (2004/3) 0.47%
                                              • DOS Executable Generic (2002/1) 0.47%
                                              File name:Bill_Of _Lading.exe
                                              File size:1'433'631 bytes
                                              MD5:31b5ced94cfe86f5b51c0c1c3650a6a3
                                              SHA1:eaf8c4cc98fa278b8f1398410017d9d46232d475
                                              SHA256:d2529b27449d53c7b0006f144c0d702db17001e014fb9145e7c7b7349db0a277
                                              SHA512:4a54bb1ec2ae99ef1fe12874094a9cb0df46861d6164dd89c6377139ad72930847061591f3eca0af62d45e19c400b4fed7f326e50653af23d31c24cd24923d2c
                                              SSDEEP:12288:9zytFacJklRgyjP5HXfb1qS7JC3TyC5xkcPrfUC4PFSRIdxuvW6A:UFaKkMyL5Hj1w3OcjIyg
                                              TLSH:B2652502792B8DA3FE249239C0C538F591FC1C5B31F9A11FCFA8AD39956943D191E93A
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....u.g.........."...0.J'............... ....@...... ....................... ....../.....`................................

                                              File Icon

                                              Icon Hash:2946e68e96b3ca4d

                                              Static PE Info

                                              General

                                              Entrypoint:0x400000
                                              Entrypoint Section:
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows cui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x671A75BC [Thu Oct 24 16:28:44 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:

                                              Entrypoint Preview

                                              Instruction
                                              dec ebp
                                              pop edx
                                              nop
                                              add byte ptr [ebx], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax+eax], al
                                              add byte ptr [eax], al

                                              Data Directories

                                              NameVirtual AddressVirtual Size Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x60000x2b68a.rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                              Sections

                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                              .text0x20000x274a0x2800ab32d8a2affd810b484333fdf8ba0c4fFalse0.5806640625data5.714609463115511IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc0x60000x2b68a0x2b8002a5e1c12685c88f4462f7ff08bc1c5edFalse0.20933234554597702data5.118493192143437IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                              Resources

                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                              RT_ICON0x62c40x3751PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9929383518113127
                                              RT_ICON0x9a180x10828Device independent bitmap graphic, 128 x 256 x 32, image size 675840.0891251626641429
                                              RT_ICON0x1a2400x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 380160.13335610678999368
                                              RT_ICON0x236e80x5488Device independent bitmap graphic, 72 x 144 x 32, image size 216000.16816081330868762
                                              RT_ICON0x28b700x4228Device independent bitmap graphic, 64 x 128 x 32, image size 168960.15594000944733113
                                              RT_ICON0x2cd980x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 96000.23392116182572614
                                              RT_ICON0x2f3400x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 42240.274624765478424
                                              RT_ICON0x303e80x988Device independent bitmap graphic, 24 x 48 x 32, image size 24000.41885245901639345
                                              RT_ICON0x30d700x468Device independent bitmap graphic, 16 x 32 x 32, image size 10880.5
                                              RT_GROUP_ICON0x311d80x84data0.7272727272727273
                                              RT_VERSION0x3125c0x244data0.46379310344827585
                                              RT_MANIFEST0x314a00x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                              Network Behavior

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Oct 29, 2024 10:07:43.403328896 CET49736443192.168.2.4172.67.74.152
                                              Oct 29, 2024 10:07:43.403382063 CET44349736172.67.74.152192.168.2.4
                                              Oct 29, 2024 10:07:43.403446913 CET49736443192.168.2.4172.67.74.152
                                              Oct 29, 2024 10:07:43.414823055 CET49736443192.168.2.4172.67.74.152
                                              Oct 29, 2024 10:07:43.414841890 CET44349736172.67.74.152192.168.2.4
                                              Oct 29, 2024 10:07:44.028803110 CET44349736172.67.74.152192.168.2.4
                                              Oct 29, 2024 10:07:44.028928041 CET49736443192.168.2.4172.67.74.152
                                              Oct 29, 2024 10:07:44.032131910 CET49736443192.168.2.4172.67.74.152
                                              Oct 29, 2024 10:07:44.032139063 CET44349736172.67.74.152192.168.2.4
                                              Oct 29, 2024 10:07:44.032413006 CET44349736172.67.74.152192.168.2.4
                                              Oct 29, 2024 10:07:44.079000950 CET49736443192.168.2.4172.67.74.152
                                              Oct 29, 2024 10:07:44.096499920 CET49736443192.168.2.4172.67.74.152
                                              Oct 29, 2024 10:07:44.143349886 CET44349736172.67.74.152192.168.2.4
                                              Oct 29, 2024 10:07:44.276715994 CET44349736172.67.74.152192.168.2.4
                                              Oct 29, 2024 10:07:44.276806116 CET44349736172.67.74.152192.168.2.4
                                              Oct 29, 2024 10:07:44.276895046 CET49736443192.168.2.4172.67.74.152
                                              Oct 29, 2024 10:07:44.328475952 CET49736443192.168.2.4172.67.74.152
                                              Oct 29, 2024 10:07:45.564232111 CET4973825192.168.2.446.175.148.58
                                              Oct 29, 2024 10:07:46.578927994 CET4973825192.168.2.446.175.148.58
                                              Oct 29, 2024 10:07:48.594563007 CET4973825192.168.2.446.175.148.58
                                              Oct 29, 2024 10:07:52.594645977 CET4973825192.168.2.446.175.148.58
                                              Oct 29, 2024 10:08:00.594679117 CET4973825192.168.2.446.175.148.58

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Oct 29, 2024 10:07:43.328752995 CET5390453192.168.2.41.1.1.1
                                              Oct 29, 2024 10:07:43.337305069 CET53539041.1.1.1192.168.2.4
                                              Oct 29, 2024 10:07:45.549212933 CET6099353192.168.2.41.1.1.1
                                              Oct 29, 2024 10:07:45.563581944 CET53609931.1.1.1192.168.2.4

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                              Oct 29, 2024 10:07:43.328752995 CET192.168.2.41.1.1.10x2e92Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                              Oct 29, 2024 10:07:45.549212933 CET192.168.2.41.1.1.10x7d7eStandard query (0)mail.iaa-airferight.comA (IP address)IN (0x0001)false

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              Oct 29, 2024 10:07:43.337305069 CET1.1.1.1192.168.2.40x2e92No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                              Oct 29, 2024 10:07:43.337305069 CET1.1.1.1192.168.2.40x2e92No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                              Oct 29, 2024 10:07:43.337305069 CET1.1.1.1192.168.2.40x2e92No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                              Oct 29, 2024 10:07:45.563581944 CET1.1.1.1192.168.2.40x7d7eNo error (0)mail.iaa-airferight.com46.175.148.58A (IP address)IN (0x0001)false

                                              HTTP Request Dependency Graph

                                              • api.ipify.org

                                              HTTPS Proxied Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.449736172.67.74.1524437612C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                              TimestampBytes transferredDirectionData
                                              2024-10-29 09:07:44 UTC155OUTGET / HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                              Host: api.ipify.org
                                              Connection: Keep-Alive
                                              2024-10-29 09:07:44 UTC211INHTTP/1.1 200 OK
                                              Date: Tue, 29 Oct 2024 09:07:44 GMT
                                              Content-Type: text/plain
                                              Content-Length: 14
                                              Connection: close
                                              Vary: Origin
                                              cf-cache-status: DYNAMIC
                                              Server: cloudflare
                                              CF-RAY: 8da204590ed3e546-DFW
                                              2024-10-29 09:07:44 UTC14INData Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32
                                              Data Ascii: 173.254.250.72


                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:05:07:36
                                              Start date:29/10/2024
                                              Path:C:\Users\user\Desktop\Bill_Of _Lading.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\Bill_Of _Lading.exe"
                                              Imagebase:0x1922bdb0000
                                              File size:1'433'631 bytes
                                              MD5 hash:31B5CED94CFE86F5B51C0C1C3650A6A3
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1777119131.000001922DE20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1777775843.000001923DAF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1777775843.000001923DAF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              General

                                              Target ID:1
                                              Start time:05:07:36
                                              Start date:29/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:2
                                              Start time:05:07:40
                                              Start date:29/10/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill_Of _Lading.exe" -Force
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:05:07:40
                                              Start date:29/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:4
                                              Start time:05:07:40
                                              Start date:29/10/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                              Imagebase:0xc90000
                                              File size:108'664 bytes
                                              MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2945675273.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2945675273.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2945675273.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2944572875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2944572875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:false

                                              General

                                              Target ID:5
                                              Start time:05:07:40
                                              Start date:29/10/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                              Imagebase:0x8e0000
                                              File size:108'664 bytes
                                              MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:7
                                              Start time:05:07:40
                                              Start date:29/10/2024
                                              Path:C:\Windows\System32\WerFault.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\WerFault.exe -u -p 7400 -s 1048
                                              Imagebase:0x7ff6a8610000
                                              File size:570'736 bytes
                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Disassembly

                                              Reset < >

                                                Execution Graph

                                                Execution Coverage:10.6%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:33.3%
                                                Total number of Nodes:9
                                                Total number of Limit Nodes:0
                                                execution_graph 13175 7ffd9b98757b 13176 7ffd9b987585 NtUnmapViewOfSection 13175->13176 13178 7ffd9b9a431a 13176->13178 13171 7ffd9b981fea 13172 7ffd9b981ff9 VirtualProtect 13171->13172 13174 7ffd9b9820db 13172->13174 13179 7ffd9b9808b9 13180 7ffd9b9808d0 FreeConsole 13179->13180 13182 7ffd9b98094e 13180->13182

                                                Executed Functions

                                                Function 00007FFD9BA50002 Relevance: 2.3, Instructions: 2265COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 225 7ffd9ba50002-7ffd9ba50019 227 7ffd9ba50029-7ffd9ba5004f 225->227 228 7ffd9ba5001b-7ffd9ba50027 225->228 230 7ffd9ba50050-7ffd9ba50054 227->230 228->227 230->230
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1787115752.00007FFD9BA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9ba50000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 66e350b51f7e6ad34e9c33bf1585d8d2a2cb4a1b69646b3b376eeb6de52e8a92
                                                • Instruction ID: cc8bd6096bdf3d3a23c1cd9cba54d47db3c9091ea442edc0557ac443c4da15a2
                                                • Opcode Fuzzy Hash: 66e350b51f7e6ad34e9c33bf1585d8d2a2cb4a1b69646b3b376eeb6de52e8a92
                                                • Instruction Fuzzy Hash: E3E24171A0E7CA4FD775DBA888755A87BE0FF56700F0501FED089CB0A3DAA86A46C741
                                                Function 00007FFD9B988550 Relevance: 2.2, Strings: 1, Instructions: 922COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 231 7ffd9b988550-7ffd9b98c325 233 7ffd9b98c327-7ffd9b98c36e 231->233 234 7ffd9b98c36f-7ffd9b98c399 231->234 233->234 237 7ffd9b98c39b-7ffd9b98c3b0 234->237 238 7ffd9b98c3b2 234->238 239 7ffd9b98c3b4-7ffd9b98c3b9 237->239 238->239 241 7ffd9b98c4b6-7ffd9b98c4d6 239->241 242 7ffd9b98c3bf-7ffd9b98c3ce 239->242 244 7ffd9b98c527-7ffd9b98c532 241->244 248 7ffd9b98c3d8-7ffd9b98c3d9 242->248 249 7ffd9b98c3d0-7ffd9b98c3d6 242->249 246 7ffd9b98c4d8-7ffd9b98c4de 244->246 247 7ffd9b98c534-7ffd9b98c543 244->247 250 7ffd9b98c9a2-7ffd9b98c9ba 246->250 251 7ffd9b98c4e4-7ffd9b98c505 call 7ffd9b988530 246->251 256 7ffd9b98c545-7ffd9b98c557 247->256 257 7ffd9b98c559 247->257 252 7ffd9b98c3db-7ffd9b98c3fe 248->252 249->252 263 7ffd9b98c9bc-7ffd9b98c9f7 call 7ffd9b9885c8 250->263 264 7ffd9b98ca04-7ffd9b98ca19 call 7ffd9b983518 250->264 269 7ffd9b98c50a-7ffd9b98c524 251->269 255 7ffd9b98c453-7ffd9b98c45e 252->255 260 7ffd9b98c400-7ffd9b98c406 255->260 261 7ffd9b98c460-7ffd9b98c477 255->261 262 7ffd9b98c55b-7ffd9b98c560 256->262 257->262 260->250 266 7ffd9b98c40c-7ffd9b98c450 call 7ffd9b988530 260->266 279 7ffd9b98c4a6-7ffd9b98c4b1 call 7ffd9b9880c0 261->279 280 7ffd9b98c479-7ffd9b98c49f call 7ffd9b988530 261->280 267 7ffd9b98c566-7ffd9b98c588 call 7ffd9b988530 262->267 268 7ffd9b98c5ec-7ffd9b98c600 262->268 314 7ffd9b98c9f9-7ffd9b98ca02 263->314 315 7ffd9b98ca41-7ffd9b98ca4b 263->315 286 7ffd9b98ca1e-7ffd9b98ca31 264->286 266->255 303 7ffd9b98c5b6-7ffd9b98c5b7 267->303 304 7ffd9b98c58a-7ffd9b98c5b4 267->304 273 7ffd9b98c650-7ffd9b98c65f 268->273 274 7ffd9b98c602-7ffd9b98c608 268->274 269->244 291 7ffd9b98c66c 273->291 292 7ffd9b98c661-7ffd9b98c66a 273->292 275 7ffd9b98c627-7ffd9b98c63f 274->275 276 7ffd9b98c60a-7ffd9b98c625 274->276 294 7ffd9b98c648-7ffd9b98c64b 275->294 276->275 279->268 280->279 309 7ffd9b98ca3c-7ffd9b98ca3f 286->309 310 7ffd9b98ca33-7ffd9b98ca3b 286->310 298 7ffd9b98c66e-7ffd9b98c673 291->298 292->298 301 7ffd9b98c7f8-7ffd9b98c80d 294->301 307 7ffd9b98c679-7ffd9b98c67c 298->307 308 7ffd9b98c97f-7ffd9b98c980 298->308 328 7ffd9b98c84d 301->328 329 7ffd9b98c80f-7ffd9b98c84b 301->329 306 7ffd9b98c5b9-7ffd9b98c5c0 303->306 304->306 306->268 316 7ffd9b98c5c2-7ffd9b98c5e7 call 7ffd9b988558 306->316 317 7ffd9b98c67e-7ffd9b98c69b call 7ffd9b980198 307->317 318 7ffd9b98c6c4-7ffd9b98c6cb 307->318 322 7ffd9b98c983-7ffd9b98c992 308->322 309->315 310->309 314->264 319 7ffd9b98ca56-7ffd9b98ca67 315->319 320 7ffd9b98ca4d-7ffd9b98ca55 315->320 316->268 345 7ffd9b98c96e-7ffd9b98c97e 316->345 317->318 359 7ffd9b98c69d-7ffd9b98c6bd 317->359 330 7ffd9b98c7cc-7ffd9b98c7ef 318->330 331 7ffd9b98c6d1-7ffd9b98c6dd 318->331 326 7ffd9b98ca69-7ffd9b98ca71 319->326 327 7ffd9b98ca72-7ffd9b98cabf call 7ffd9b989fd0 319->327 320->319 339 7ffd9b98c993-7ffd9b98c99b 322->339 326->327 367 7ffd9b98cad1 327->367 368 7ffd9b98cac1-7ffd9b98cacf 327->368 333 7ffd9b98c84f-7ffd9b98c854 328->333 329->333 346 7ffd9b98c7f5-7ffd9b98c7f6 330->346 331->250 338 7ffd9b98c6e3-7ffd9b98c6f2 331->338 341 7ffd9b98c856-7ffd9b98c8ad call 7ffd9b983450 333->341 342 7ffd9b98c8c4-7ffd9b98c8d8 333->342 343 7ffd9b98c705-7ffd9b98c712 call 7ffd9b980198 338->343 344 7ffd9b98c6f4-7ffd9b98c703 338->344 339->250 394 7ffd9b98c91e-7ffd9b98c923 341->394 395 7ffd9b98c8af-7ffd9b98c8b3 341->395 353 7ffd9b98c927-7ffd9b98c933 call 7ffd9b986490 342->353 354 7ffd9b98c8da-7ffd9b98c905 call 7ffd9b983450 342->354 363 7ffd9b98c718-7ffd9b98c71e 343->363 344->363 346->301 364 7ffd9b98c934-7ffd9b98c94c 353->364 373 7ffd9b98c90a-7ffd9b98c912 354->373 359->318 369 7ffd9b98c720-7ffd9b98c74d 363->369 370 7ffd9b98c753-7ffd9b98c758 363->370 364->250 371 7ffd9b98c94e-7ffd9b98c95e 364->371 374 7ffd9b98cad3-7ffd9b98cad8 367->374 368->374 369->370 370->250 378 7ffd9b98c75e-7ffd9b98c77e 370->378 377 7ffd9b98c960-7ffd9b98c96b 371->377 373->322 379 7ffd9b98c914-7ffd9b98c917 373->379 380 7ffd9b98cada-7ffd9b98caed call 7ffd9b982440 374->380 381 7ffd9b98caef-7ffd9b98caf5 374->381 377->345 390 7ffd9b98c780-7ffd9b98c791 378->390 391 7ffd9b98c792-7ffd9b98c7c2 call 7ffd9b988458 378->391 379->339 386 7ffd9b98c919 379->386 384 7ffd9b98cafc-7ffd9b98cb03 380->384 381->384 385 7ffd9b98caf7 call 7ffd9b983468 381->385 385->384 386->377 392 7ffd9b98c91b 386->392 390->391 400 7ffd9b98c7c7-7ffd9b98c7ca 391->400 392->394 394->353 395->364 398 7ffd9b98c8b5-7ffd9b98c8bf 395->398 400->301
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: aN_H
                                                • API String ID: 0-2650695561
                                                • Opcode ID: 818e7f12e476deb5bedb288c19893c5513c71a1ccf2557624c553d57be88a5a1
                                                • Instruction ID: 1508d888480f9cc72b2ef11529fe56abfb4a189d214617a6a400601fc803c700
                                                • Opcode Fuzzy Hash: 818e7f12e476deb5bedb288c19893c5513c71a1ccf2557624c553d57be88a5a1
                                                • Instruction Fuzzy Hash: C952E430B19A0D5FDB68EB68D465A7977E1EF59300F1501BEE04EC72A2DE34ED428781
                                                Function 00007FFD9B983508 Relevance: 1.8, Strings: 1, Instructions: 566COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fish
                                                • API String ID: 0-1064584243
                                                • Opcode ID: 297b8346678f4a1091855d9b29825bb33fa6f8efba8ffec3f805628c241b4f3b
                                                • Instruction ID: cd51d4813d9495c9ac1c29a66e9f35c8e0a1caefabaca99df06a9cde1e661776
                                                • Opcode Fuzzy Hash: 297b8346678f4a1091855d9b29825bb33fa6f8efba8ffec3f805628c241b4f3b
                                                • Instruction Fuzzy Hash: 89F1BD3171DE8A1FE76CAB7898755B577E1EF96310B0541BEE08BC71E3DD28A9028381
                                                Function 00007FFD9B983495 Relevance: 1.8, Strings: 1, Instructions: 506COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 572 7ffd9b983495-7ffd9b9834a1 573 7ffd9b9834a3-7ffd9b9834b0 572->573 574 7ffd9b98350f-7ffd9b98364e 572->574 573->574 577 7ffd9b991c60-7ffd9b991c7d 573->577 632 7ffd9b983654-7ffd9b9836a3 574->632 633 7ffd9b9838c6-7ffd9b9838f9 574->633 579 7ffd9b991d60-7ffd9b991d83 577->579 580 7ffd9b991c83-7ffd9b991c92 577->580 587 7ffd9b991d84-7ffd9b991d99 579->587 582 7ffd9b991ca3-7ffd9b991cab 580->582 583 7ffd9b991c94-7ffd9b991c99 580->583 586 7ffd9b991cb1-7ffd9b991cd1 582->586 582->587 583->582 596 7ffd9b991cde-7ffd9b991cef 586->596 597 7ffd9b991cd3-7ffd9b991cdc 586->597 593 7ffd9b991d9b 587->593 594 7ffd9b991d9d-7ffd9b991dd7 587->594 593->594 599 7ffd9b991ddd-7ffd9b991dec 593->599 610 7ffd9b991dd9-7ffd9b991ddc 594->610 611 7ffd9b991dee 594->611 607 7ffd9b991d06 596->607 608 7ffd9b991cf1-7ffd9b991d04 596->608 597->596 612 7ffd9b991df0-7ffd9b991df5 599->612 613 7ffd9b991d0b-7ffd9b991d10 607->613 608->613 610->599 611->612 614 7ffd9b991e07-7ffd9b991e2c 612->614 615 7ffd9b991df7-7ffd9b991e05 call 7ffd9b987d78 612->615 617 7ffd9b991d38-7ffd9b991d3b 613->617 618 7ffd9b991d12-7ffd9b991d15 613->618 629 7ffd9b991e2d-7ffd9b991e33 614->629 615->629 617->587 621 7ffd9b991d3d-7ffd9b991d4d 617->621 618->587 622 7ffd9b991d17-7ffd9b991d36 call 7ffd9b983458 call 7ffd9b987d68 618->622 626 7ffd9b991d54-7ffd9b991d5f 621->626 627 7ffd9b991d4f call 7ffd9b983460 621->627 622->626 627->626 652 7ffd9b9836a5-7ffd9b9836b5 632->652 642 7ffd9b983903-7ffd9b983908 633->642 643 7ffd9b9838fb-7ffd9b983902 633->643 645 7ffd9b9838b0-7ffd9b9838c5 642->645 646 7ffd9b983909-7ffd9b98391e 642->646 643->642 647 7ffd9b983952-7ffd9b983981 646->647 648 7ffd9b983920-7ffd9b983922 646->648 661 7ffd9b983984-7ffd9b9839ba 647->661 650 7ffd9b983924-7ffd9b983927 call 7ffd9b9825d8 648->650 651 7ffd9b98392c-7ffd9b983932 648->651 650->651 654 7ffd9b983934-7ffd9b983940 651->654 655 7ffd9b983941-7ffd9b983951 651->655 662 7ffd9b9836b7-7ffd9b9836c4 call 7ffd9b982508 652->662 654->655 661->661 663 7ffd9b9839bc 661->663 665 7ffd9b9836c9-7ffd9b9836e0 662->665 667 7ffd9b983742-7ffd9b983755 665->667 668 7ffd9b9836e2-7ffd9b983740 call 7ffd9b9832f0 * 2 call 7ffd9b9832f8 667->668 669 7ffd9b983757-7ffd9b983759 667->669 668->667 671 7ffd9b9837b2-7ffd9b9837c5 669->671 673 7ffd9b98375b-7ffd9b9837b0 call 7ffd9b9832f0 * 2 call 7ffd9b980218 671->673 674 7ffd9b9837c7-7ffd9b9837c9 671->674 673->671 676 7ffd9b98386e-7ffd9b983881 674->676 680 7ffd9b9837ce-7ffd9b983800 call 7ffd9b9832f0 676->680 681 7ffd9b983887-7ffd9b9838c5 676->681 691 7ffd9b983802-7ffd9b983818 680->691 692 7ffd9b98381a-7ffd9b98381b 680->692 695 7ffd9b98381d-7ffd9b98383c call 7ffd9b980860 691->695 692->695 700 7ffd9b983841-7ffd9b983867 call 7ffd9b9825e0 695->700 703 7ffd9b98386c 700->703 703->676
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fish
                                                • API String ID: 0-1064584243
                                                • Opcode ID: 393bf600c4e9fdc3331d7b1ae152a78a0de0968571c0004fcde47710bc59cf0e
                                                • Instruction ID: 8de89894d71a3ea93449fcc78aad6ce4daec32ded2e9d8841ef8e9c74fc2194c
                                                • Opcode Fuzzy Hash: 393bf600c4e9fdc3331d7b1ae152a78a0de0968571c0004fcde47710bc59cf0e
                                                • Instruction Fuzzy Hash: 4EE19A21B1EE5E2FE7A8EA6C94646B537D0FF95314B0500BFE08EC71A7DD28A9418380
                                                Function 00007FFD9B98757B Relevance: 1.7, APIs: 1, Instructions: 204COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 704 7ffd9b98757b-7ffd9b9a41fa 715 7ffd9b9a41fc-7ffd9b9a4230 704->715 716 7ffd9b9a4253-7ffd9b9a4264 704->716 719 7ffd9b9a427e-7ffd9b9a4318 NtUnmapViewOfSection 715->719 724 7ffd9b9a4232-7ffd9b9a4252 715->724 716->719 726 7ffd9b9a431a 719->726 727 7ffd9b9a4320-7ffd9b9a433c 719->727 724->716 726->727
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8a2657cc5d814b5ce0b581005316095a70039218ab97167c4e5b6000784d00d5
                                                • Instruction ID: 76f7db66387933a2d97fad517252ae73aca4b706bcd7747c62e798a748e74ac2
                                                • Opcode Fuzzy Hash: 8a2657cc5d814b5ce0b581005316095a70039218ab97167c4e5b6000784d00d5
                                                • Instruction Fuzzy Hash: 63514B31B0D6188FE758FAACA866BF97BD0DF95320F0441BBD05EC7293DD1568498391
                                                Function 00007FFD9B98AEF1 Relevance: 1.5, Instructions: 1536COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 024d7c0e839b16cb9d7d6fc0bddc59870c4310fda9f1bed87251b611f489b3e2
                                                • Instruction ID: 83a0fe31a5cacb61a4727ed6f191fcd95de7b65c832fd87e68d6ab5eb02ba462
                                                • Opcode Fuzzy Hash: 024d7c0e839b16cb9d7d6fc0bddc59870c4310fda9f1bed87251b611f489b3e2
                                                • Instruction Fuzzy Hash: 53B26A3061EB8A4FD729DF38C4A04B5B7E1FF96300B1945BED08AC72B6DA35A946C741
                                                Function 00007FFD9B98DE89 Relevance: 1.5, Instructions: 1473COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e2ee78618cd6bcfb30578ab83ff0299ef78cbe9833e7e59c61603cad7e3f12bc
                                                • Instruction ID: 138a2f502ebc3dd06f464e149dedf014df20caa0b6235419f1b5a6f449a1a648
                                                • Opcode Fuzzy Hash: e2ee78618cd6bcfb30578ab83ff0299ef78cbe9833e7e59c61603cad7e3f12bc
                                                • Instruction Fuzzy Hash: 05A2573062DF494FD329DB28C4A04B5B7E2FF85301B1546BEE48AC72A6DE35E946C781
                                                Function 00007FFD9B983520 Relevance: 1.0, Instructions: 1011COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b661417f3e43ba641923e1f662038913a74882844217e12fab4175ea1975c35a
                                                • Instruction ID: 14838bb4a64b5a39e69fbc78b89620d69298f4463bc94f0453d0468d05f3c6fd
                                                • Opcode Fuzzy Hash: b661417f3e43ba641923e1f662038913a74882844217e12fab4175ea1975c35a
                                                • Instruction Fuzzy Hash: 5A727831A2EA4A5FE7B88B1484613B4B7D1EF52310F1641BDD48ECB5E3DE28B946C780
                                                Function 00007FFD9B98AB17 Relevance: .4, Instructions: 390COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1dfc467cb06b2f2161dfe4fb67e9c920ed746de6cb3574e22740c9084d1c1002
                                                • Instruction ID: 12061a9101a8f6b950e51c80bd5b942b1a00afc1e553aa55ad4bdd2176dab48f
                                                • Opcode Fuzzy Hash: 1dfc467cb06b2f2161dfe4fb67e9c920ed746de6cb3574e22740c9084d1c1002
                                                • Instruction Fuzzy Hash: 59C19B3062DF8E4FD32DCB6884A11B1BBE2FF95301B15467ED4C6C72A6DA38A546C781
                                                Function 00007FFD9B993AB1 Relevance: .2, Instructions: 188COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12e3897e425e4763eedf9d83af72ec36d92fd0bea914bf072cbd0fc120b9fab4
                                                • Instruction ID: 4d8b0510a98946e2d221a8c106829e6f279b5c1c9a1d5ca4316ad4a936177288
                                                • Opcode Fuzzy Hash: 12e3897e425e4763eedf9d83af72ec36d92fd0bea914bf072cbd0fc120b9fab4
                                                • Instruction Fuzzy Hash: 5E51593170D74D1FD71E9A7888361B57BA5EB87220B0682BFD087CB1F7DC28A8068381
                                                Function 00007FFD9B993B08 Relevance: .2, Instructions: 165COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 74595c1ac676f630e4929a9ead80235da36172d53e42426cd85f151efe0d9a1b
                                                • Instruction ID: 2f730833c6618317cd8a96068a8f2206840a4461491968273cbfff729250af0a
                                                • Opcode Fuzzy Hash: 74595c1ac676f630e4929a9ead80235da36172d53e42426cd85f151efe0d9a1b
                                                • Instruction Fuzzy Hash: 2441493170D78A1FD71E9A7888751B53BA5EB83210B0682BFD087CB1E7DD28A9068391
                                                Function 00007FFD9B993B57 Relevance: .1, Instructions: 115COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 96e8b0db2543be5691dd903efa0fc9f572f2ade6eb637efc48462d40716840d9
                                                • Instruction ID: 5cf884cb9bbe163402aaddc3bc774e809e304b0ff6f8097ce8e07e8586d0eb0f
                                                • Opcode Fuzzy Hash: 96e8b0db2543be5691dd903efa0fc9f572f2ade6eb637efc48462d40716840d9
                                                • Instruction Fuzzy Hash: 9C31C56160E7891FD72F8AB48C755767FA5DB83220B0682BFD086CB5A3DD585C068392
                                                Function 00007FFD9B981FEA Relevance: 1.6, APIs: 1, Instructions: 141memoryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 729 7ffd9b981fea-7ffd9b981ff7 730 7ffd9b982002-7ffd9b982013 729->730 731 7ffd9b981ff9-7ffd9b982001 729->731 732 7ffd9b98201e-7ffd9b9820d9 VirtualProtect 730->732 733 7ffd9b982015-7ffd9b98201d 730->733 731->730 737 7ffd9b9820e1-7ffd9b982112 732->737 738 7ffd9b9820db 732->738 733->732 738->737
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 37f965fc89620ad926168b4a0f398eaa3f28bc014d6066eb0d503d1743832f35
                                                • Instruction ID: 737743b3e45172c8bf12d2d007020c4c1641e94d9cef4d6fa295cb4676dc7515
                                                • Opcode Fuzzy Hash: 37f965fc89620ad926168b4a0f398eaa3f28bc014d6066eb0d503d1743832f35
                                                • Instruction Fuzzy Hash: D041493190D7888FD7199BA898166E97BF0EF56321F0443AFD099C31A3CE786846C792
                                                Function 00007FFD9B9808B9 Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 740 7ffd9b9808b9-7ffd9b98094c FreeConsole 744 7ffd9b980954-7ffd9b98097b 740->744 745 7ffd9b98094e 740->745 745->744
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID: ConsoleFree
                                                • String ID:
                                                • API String ID: 771614528-0
                                                • Opcode ID: 6b5826a1bdc31bbd46f53f58aadfeea5d26068a6fd8066de06fca533b8915c83
                                                • Instruction ID: b548988638aa329bfa54dfee8bf216a5856d518cf267b9231749aed86920d023
                                                • Opcode Fuzzy Hash: 6b5826a1bdc31bbd46f53f58aadfeea5d26068a6fd8066de06fca533b8915c83
                                                • Instruction Fuzzy Hash: 3121827090CB5C8FDB29DF59D845AF97BF0EB56310F04426FD089C31A2D6646849CB51
                                                Function 00007FFD9B980493 Relevance: 1.6, APIs: 1, Instructions: 90COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 746 7ffd9b980493-7ffd9b980912 749 7ffd9b98091a-7ffd9b98094c FreeConsole 746->749 750 7ffd9b980954-7ffd9b98097b 749->750 751 7ffd9b98094e 749->751 751->750
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1786757293.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b980000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID: ConsoleFree
                                                • String ID:
                                                • API String ID: 771614528-0
                                                • Opcode ID: 698bcf01f83067fa22ae44817e8ec89a20d88f226cf67d12db21a7e1c9775dd9
                                                • Instruction ID: 7a5781b2dc136327767feebd8f5b15adbb95eb9ec2c1eb184751a30d5e0086e8
                                                • Opcode Fuzzy Hash: 698bcf01f83067fa22ae44817e8ec89a20d88f226cf67d12db21a7e1c9775dd9
                                                • Instruction Fuzzy Hash: 6021B370A0CA1C8FDB28DF99D849BFA77F0EB55321F00822ED05AD3652DB74A446CB91
                                                Function 00007FFD9BA510C9 Relevance: .3, Instructions: 256COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1787115752.00007FFD9BA50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9ba50000_Bill_Of _Lading.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f4a70f570a43a2233e9bce96d5f0463121526afd0f29531c41ce5c248a669cd4
                                                • Instruction ID: 9a48b96142395c4f91e5e58bb7e43eae36a56605f8fd92bdc0680c9c9938aebc
                                                • Opcode Fuzzy Hash: f4a70f570a43a2233e9bce96d5f0463121526afd0f29531c41ce5c248a669cd4
                                                • Instruction Fuzzy Hash: CE711D31A0DB8D4FDB66DBA488755B97BE0FF65300B0601FBD04AC71A3DA68AE41C741

                                                Execution Graph

                                                Execution Coverage:11.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:111
                                                Total number of Limit Nodes:11
                                                execution_graph 39237 6a1faa0 39238 6a1fad3 39237->39238 39239 6a1fb12 39238->39239 39240 6a1fbbc 39238->39240 39242 6a1fb6a CallWindowProcW 39239->39242 39243 6a1fb19 39239->39243 39244 6a1a554 39240->39244 39242->39243 39245 6a1a55f 39244->39245 39247 6a1e6f9 39245->39247 39248 6a1a61c CallWindowProcW 39245->39248 39248->39247 39259 6a12ed0 DuplicateHandle 39260 6a12f66 39259->39260 39261 2db0848 39263 2db084e 39261->39263 39262 2db091b 39263->39262 39266 6a11b80 39263->39266 39270 6a11b70 39263->39270 39267 6a11b8f 39266->39267 39274 6a11568 39267->39274 39271 6a11b8f 39270->39271 39272 6a11568 2 API calls 39271->39272 39273 6a11bb0 39272->39273 39273->39263 39276 6a11573 39274->39276 39278 6a12a0c 39276->39278 39279 6a12a17 39278->39279 39280 6a13c5c 39279->39280 39283 6a154e0 39279->39283 39287 6a154de 39279->39287 39284 6a15501 39283->39284 39285 6a15525 39284->39285 39291 6a15690 39284->39291 39285->39280 39288 6a15501 39287->39288 39289 6a15525 39288->39289 39290 6a15690 2 API calls 39288->39290 39289->39280 39290->39289 39293 6a1569d 39291->39293 39292 6a156d6 39292->39285 39293->39292 39295 6a13a1c 39293->39295 39297 6a13a27 39295->39297 39298 6a15b7f 39297->39298 39299 6a13a2c 39297->39299 39298->39292 39300 6a13a37 39299->39300 39305 6a1570c 39300->39305 39302 6a15bb7 39309 6a1af0c 39302->39309 39307 6a15717 39305->39307 39306 6a16e40 39306->39302 39307->39306 39308 6a154e0 2 API calls 39307->39308 39308->39306 39310 6a15bf1 39309->39310 39311 6a1af25 39309->39311 39310->39297 39319 6a1b148 39311->39319 39323 6a1b158 39311->39323 39312 6a1af5d 39326 6a1c458 39312->39326 39330 6a1c3df 39312->39330 39335 6a1c449 39312->39335 39313 6a1b011 39320 6a1b158 39319->39320 39339 6a1b198 39320->39339 39321 6a1b162 39321->39312 39325 6a1b198 GetModuleHandleW 39323->39325 39324 6a1b162 39324->39312 39325->39324 39327 6a1c483 39326->39327 39328 6a1c532 39327->39328 39344 6a1d330 39327->39344 39331 6a1c401 39330->39331 39332 6a1c47a 39330->39332 39331->39313 39333 6a1c532 39332->39333 39334 6a1d330 CreateWindowExW 39332->39334 39334->39333 39336 6a1c45b 39335->39336 39337 6a1c532 39336->39337 39338 6a1d330 CreateWindowExW 39336->39338 39338->39337 39341 6a1b19d 39339->39341 39340 6a1b1dc 39340->39321 39341->39340 39342 6a1b3e0 GetModuleHandleW 39341->39342 39343 6a1b40d 39342->39343 39343->39321 39345 6a1d346 39344->39345 39346 6a1d37e CreateWindowExW 39344->39346 39345->39328 39348 6a1d4b4 39346->39348 39249 6a12c88 39250 6a12cce GetCurrentProcess 39249->39250 39252 6a12d20 GetCurrentThread 39250->39252 39253 6a12d19 39250->39253 39254 6a12d56 39252->39254 39255 6a12d5d GetCurrentProcess 39252->39255 39253->39252 39254->39255 39256 6a12d93 39255->39256 39257 6a12dbb GetCurrentThreadId 39256->39257 39258 6a12dec 39257->39258 39349 2dbec20 39350 2dbec66 GlobalMemoryStatusEx 39349->39350 39351 2dbec96 39350->39351 39352 12cd030 39353 12cd048 39352->39353 39354 12cd0a2 39353->39354 39355 6a1a554 CallWindowProcW 39353->39355 39360 6a1d548 39353->39360 39364 6a1d598 39353->39364 39369 6a1e698 39353->39369 39373 6a1d537 39353->39373 39355->39354 39361 6a1d56e 39360->39361 39362 6a1d58f 39361->39362 39363 6a1a554 CallWindowProcW 39361->39363 39362->39354 39363->39362 39365 6a1d587 39364->39365 39368 6a1d5a6 39364->39368 39366 6a1a554 CallWindowProcW 39365->39366 39367 6a1d58f 39366->39367 39367->39354 39368->39354 39370 6a1e6a8 39369->39370 39372 6a1e6f9 39370->39372 39377 6a1a61c CallWindowProcW 39370->39377 39374 6a1d545 39373->39374 39375 6a1d58f 39374->39375 39376 6a1a554 CallWindowProcW 39374->39376 39375->39354 39376->39375 39377->39372

                                                Executed Functions

                                                Function 06A22358 Relevance: 9.0, Strings: 6, Instructions: 1485COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-2331353128
                                                • Opcode ID: ecfba5fc171bc62528f7cccb267d58c9f5a671f1a0b38674c05e6258e694acb0
                                                • Instruction ID: ae7f53fd46b265a765e34734fe9b701457df65b46205a09263ff75a557a62e19
                                                • Opcode Fuzzy Hash: ecfba5fc171bc62528f7cccb267d58c9f5a671f1a0b38674c05e6258e694acb0
                                                • Instruction Fuzzy Hash: F9D24834E10216CFDB64EB68C584B9DB7B2FF89310F5485A9D409AF265EB34ED81CB80
                                                Function 06A27D68 Relevance: 3.0, Strings: 2, Instructions: 473COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1689 6a27d68-6a27d86 1690 6a27d88-6a27d8b 1689->1690 1691 6a27da2-6a27da5 1690->1691 1692 6a27d8d-6a27d9b 1690->1692 1693 6a27dc6-6a27dc9 1691->1693 1694 6a27da7-6a27dc1 1691->1694 1698 6a27e0e-6a27e24 1692->1698 1699 6a27d9d 1692->1699 1696 6a27dd6-6a27dd9 1693->1696 1697 6a27dcb-6a27dd5 1693->1697 1694->1693 1701 6a27ddb-6a27df7 1696->1701 1702 6a27dfc-6a27dfe 1696->1702 1708 6a27e2a-6a27e33 1698->1708 1709 6a2803f-6a28049 1698->1709 1699->1691 1701->1702 1703 6a27e00 1702->1703 1704 6a27e05-6a27e08 1702->1704 1703->1704 1704->1690 1704->1698 1711 6a2804a-6a2807f 1708->1711 1712 6a27e39-6a27e56 1708->1712 1715 6a28081-6a28084 1711->1715 1721 6a2802c-6a28039 1712->1721 1722 6a27e5c-6a27e84 1712->1722 1716 6a28086-6a280a2 1715->1716 1717 6a280a7-6a280aa 1715->1717 1716->1717 1719 6a280b0-6a280bf 1717->1719 1720 6a282df-6a282e2 1717->1720 1732 6a280c1-6a280dc 1719->1732 1733 6a280de-6a28122 1719->1733 1724 6a282e8-6a282f4 1720->1724 1725 6a2838d-6a2838f 1720->1725 1721->1708 1721->1709 1722->1721 1743 6a27e8a-6a27e93 1722->1743 1734 6a282ff-6a28301 1724->1734 1728 6a28391 1725->1728 1729 6a28396-6a28399 1725->1729 1728->1729 1729->1715 1730 6a2839f-6a283a8 1729->1730 1732->1733 1746 6a282b3-6a282c9 1733->1746 1747 6a28128-6a28139 1733->1747 1736 6a28303-6a28309 1734->1736 1737 6a28319-6a2831d 1734->1737 1738 6a2830b 1736->1738 1739 6a2830d-6a2830f 1736->1739 1741 6a2832b 1737->1741 1742 6a2831f-6a28329 1737->1742 1738->1737 1739->1737 1745 6a28330-6a28332 1741->1745 1742->1745 1743->1711 1748 6a27e99-6a27eb5 1743->1748 1750 6a28343-6a2837c 1745->1750 1751 6a28334-6a28337 1745->1751 1746->1720 1757 6a2829e-6a282ad 1747->1757 1758 6a2813f-6a2815c 1747->1758 1759 6a2801a-6a28026 1748->1759 1760 6a27ebb-6a27ee5 1748->1760 1750->1719 1771 6a28382-6a2838c 1750->1771 1751->1730 1757->1746 1757->1747 1758->1757 1768 6a28162-6a28258 call 6a26590 1758->1768 1759->1721 1759->1743 1773 6a28010-6a28015 1760->1773 1774 6a27eeb-6a27f13 1760->1774 1822 6a28266 1768->1822 1823 6a2825a-6a28264 1768->1823 1773->1759 1774->1773 1780 6a27f19-6a27f47 1774->1780 1780->1773 1786 6a27f4d-6a27f56 1780->1786 1786->1773 1787 6a27f5c-6a27f8e 1786->1787 1794 6a27f90-6a27f94 1787->1794 1795 6a27f99-6a27fb5 1787->1795 1794->1773 1797 6a27f96 1794->1797 1795->1759 1798 6a27fb7-6a2800e call 6a26590 1795->1798 1797->1795 1798->1759 1824 6a2826b-6a2826d 1822->1824 1823->1824 1824->1757 1825 6a2826f-6a28274 1824->1825 1826 6a28282 1825->1826 1827 6a28276-6a28280 1825->1827 1828 6a28287-6a28289 1826->1828 1827->1828 1828->1757 1829 6a2828b-6a28297 1828->1829 1829->1757
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq
                                                • API String ID: 0-2340669324
                                                • Opcode ID: 99890ba4f2e11f0bd3e76642271129b90e78f8c2406c1a902def2fc37d12e24f
                                                • Instruction ID: 74e7b36eb84e4517a31cd9a8959341d0d9258355a3322ad8e1144a1f7177c192
                                                • Opcode Fuzzy Hash: 99890ba4f2e11f0bd3e76642271129b90e78f8c2406c1a902def2fc37d12e24f
                                                • Instruction Fuzzy Hash: 9F02D030B002269FDB54EB69D5906AEB7F2FF84310F248568E805DB394DB39ED46CB90
                                                Function 06A265E0 Relevance: .8, Instructions: 802COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4422ca0a084cdf166e96576d68dc9820a08be03f839bd5820f8d2389eda4aa24
                                                • Instruction ID: d444a9292cd0d39bcf2622feb89bb0c6548c1a6fa188c1952d4b368e0f40809f
                                                • Opcode Fuzzy Hash: 4422ca0a084cdf166e96576d68dc9820a08be03f839bd5820f8d2389eda4aa24
                                                • Instruction Fuzzy Hash: BB629F34B112269FDB54EB68D594BADB7F2EF88310F149469E40ADB394DB35EC41CB80
                                                Function 06A25588 Relevance: .6, Instructions: 593COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25634610bead0d2d339336d1f2c0173be494d87848c9c0eafd848531ea25b627
                                                • Instruction ID: ce11074d114919aee9abe9fc8dcba55a5e7cac0bb2b61404c787b501634124c8
                                                • Opcode Fuzzy Hash: 25634610bead0d2d339336d1f2c0173be494d87848c9c0eafd848531ea25b627
                                                • Instruction Fuzzy Hash: A822B571F502268FDF64DBA8C5806AEBBB2FF89310F248469D815AF395DA35DC41CB90
                                                Function 06A2B20F Relevance: .6, Instructions: 577COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 96733cf67efb545286046160928724ead84d56830b3309982cad478fba9ebb22
                                                • Instruction ID: b95a760da7de692ce2b6c9d3c2927c5b08ed57e63a94eda1167097eeb952ad51
                                                • Opcode Fuzzy Hash: 96733cf67efb545286046160928724ead84d56830b3309982cad478fba9ebb22
                                                • Instruction Fuzzy Hash: 41225F70F5022A8BDF64EB5DD4947AEB7B2EB49318F648426E409DF391CB34DC818B61
                                                Function 06A2ACB8 Relevance: 10.4, Strings: 8, Instructions: 394COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 526 6a2acb8-6a2acd6 527 6a2acd8-6a2acdb 526->527 528 6a2ace5-6a2ace8 527->528 529 6a2acdd-6a2ace2 527->529 530 6a2acea-6a2ad06 528->530 531 6a2ad0b-6a2ad0e 528->531 529->528 530->531 532 6a2ad10-6a2ad14 531->532 533 6a2ad1f-6a2ad22 531->533 535 6a2aee4-6a2aeee 532->535 536 6a2ad1a 532->536 537 6a2ad24-6a2ad37 533->537 538 6a2ad3c-6a2ad3f 533->538 536->533 537->538 539 6a2ad41-6a2ad4a 538->539 540 6a2ad4f-6a2ad52 538->540 539->540 541 6a2aed5-6a2aede 540->541 542 6a2ad58-6a2ad5b 540->542 541->535 545 6a2ad5d-6a2ad66 541->545 542->545 546 6a2ad75-6a2ad78 542->546 547 6a2aeef-6a2af01 545->547 548 6a2ad6c-6a2ad70 545->548 549 6a2ad7a-6a2ad87 546->549 550 6a2ad8c-6a2ad8e 546->550 556 6a2af03-6a2af26 547->556 557 6a2ae9d 547->557 548->546 549->550 551 6a2ad90 550->551 552 6a2ad95-6a2ad98 550->552 551->552 552->527 555 6a2ad9e-6a2adc2 552->555 567 6a2aed2 555->567 568 6a2adc8-6a2add7 555->568 558 6a2af28-6a2af2b 556->558 559 6a2aea3-6a2aecb 557->559 561 6a2af31-6a2af6c 558->561 562 6a2b194-6a2b197 558->562 559->567 577 6a2af72-6a2af7e 561->577 578 6a2b15f-6a2b172 561->578 564 6a2b1a6-6a2b1a9 562->564 565 6a2b199 call 6a2b20f 562->565 569 6a2b1ba-6a2b1bd 564->569 570 6a2b1ab-6a2b1af 564->570 572 6a2b19f-6a2b1a1 565->572 567->541 584 6a2add9-6a2addf 568->584 585 6a2adef-6a2ae2a call 6a26590 568->585 575 6a2b1ca-6a2b1cd 569->575 576 6a2b1bf-6a2b1c9 569->576 570->561 573 6a2b1b5 570->573 572->564 573->569 580 6a2b1f0-6a2b1f2 575->580 581 6a2b1cf-6a2b1eb 575->581 589 6a2af80-6a2af99 577->589 590 6a2af9e-6a2afe2 577->590 582 6a2b174-6a2b175 578->582 587 6a2b1f4 580->587 588 6a2b1f9-6a2b1fc 580->588 581->580 582->562 591 6a2ade3-6a2ade5 584->591 592 6a2ade1 584->592 608 6a2ae42-6a2ae59 585->608 609 6a2ae2c-6a2ae32 585->609 587->588 588->558 595 6a2b202-6a2b20c 588->595 589->582 613 6a2afe4-6a2aff6 590->613 614 6a2affe-6a2b03d 590->614 591->585 592->585 621 6a2ae71-6a2ae82 608->621 622 6a2ae5b-6a2ae61 608->622 611 6a2ae36-6a2ae38 609->611 612 6a2ae34 609->612 611->608 612->608 613->614 618 6a2b043-6a2b11e call 6a26590 614->618 619 6a2b124-6a2b139 614->619 618->619 619->578 631 6a2ae84-6a2ae8a 621->631 632 6a2ae9a-6a2ae9c 621->632 626 6a2ae63 622->626 627 6a2ae65-6a2ae67 622->627 626->621 627->621 633 6a2ae8e-6a2ae90 631->633 634 6a2ae8c 631->634 632->559 633->632 634->632
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-634254105
                                                • Opcode ID: b4a2c66b31ea8d086c086de382654e299781a25beae5b622c94bbf5e3d4b424c
                                                • Instruction ID: 9fc3a360c48d51ae45fd5a91f9b28c1ff821e8d43a60ec4ef8af8cacf9d9e929
                                                • Opcode Fuzzy Hash: b4a2c66b31ea8d086c086de382654e299781a25beae5b622c94bbf5e3d4b424c
                                                • Instruction Fuzzy Hash: 1AE19130F102269FDB55EF69D9806AEB7F2FF85301F208929D9099B354DB34AC46CB90
                                                Function 06A2B630 Relevance: 8.0, Strings: 6, Instructions: 470COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1101 6a2b630-6a2b650 1102 6a2b652-6a2b655 1101->1102 1103 6a2b657-6a2b65e 1102->1103 1104 6a2b66f-6a2b672 1102->1104 1105 6a2b9d3-6a2ba0e 1103->1105 1106 6a2b664-6a2b66a 1103->1106 1107 6a2b682-6a2b685 1104->1107 1108 6a2b674-6a2b67d 1104->1108 1116 6a2ba10-6a2ba13 1105->1116 1106->1104 1109 6a2b687-6a2b689 1107->1109 1110 6a2b68c-6a2b68f 1107->1110 1108->1107 1109->1110 1111 6a2b691-6a2b697 1110->1111 1112 6a2b69c-6a2b69f 1110->1112 1111->1112 1114 6a2b770-6a2b771 1112->1114 1115 6a2b6a5-6a2b6a8 1112->1115 1117 6a2b776-6a2b779 1114->1117 1118 6a2b6c5-6a2b6c8 1115->1118 1119 6a2b6aa-6a2b6b3 1115->1119 1120 6a2ba19-6a2ba41 1116->1120 1121 6a2bc7f-6a2bc82 1116->1121 1122 6a2b77b-6a2b7c9 call 6a26590 1117->1122 1123 6a2b7ce-6a2b7d1 1117->1123 1127 6a2b6ca-6a2b6d3 1118->1127 1128 6a2b6d8-6a2b6db 1118->1128 1119->1105 1124 6a2b6b9-6a2b6c0 1119->1124 1169 6a2ba43-6a2ba46 1120->1169 1170 6a2ba4b-6a2ba8f 1120->1170 1125 6a2bc84-6a2bca0 1121->1125 1126 6a2bca5-6a2bca7 1121->1126 1122->1123 1134 6a2b7d3-6a2b7e8 1123->1134 1135 6a2b810-6a2b813 1123->1135 1124->1118 1125->1126 1132 6a2bca9 1126->1132 1133 6a2bcae-6a2bcb1 1126->1133 1127->1128 1130 6a2b6eb-6a2b6ee 1128->1130 1131 6a2b6dd-6a2b6e6 1128->1131 1136 6a2b6f0-6a2b6f6 1130->1136 1137 6a2b708-6a2b70b 1130->1137 1131->1130 1132->1133 1133->1116 1138 6a2bcb7-6a2bcc0 1133->1138 1134->1105 1157 6a2b7ee-6a2b80b 1134->1157 1140 6a2b852-6a2b855 1135->1140 1141 6a2b815-6a2b82a 1135->1141 1136->1105 1144 6a2b6fc-6a2b703 1136->1144 1147 6a2b71a-6a2b71d 1137->1147 1148 6a2b70d-6a2b713 1137->1148 1145 6a2b857-6a2b85e 1140->1145 1146 6a2b87f-6a2b882 1140->1146 1141->1105 1161 6a2b830-6a2b84d 1141->1161 1144->1137 1145->1105 1153 6a2b864-6a2b874 1145->1153 1158 6a2b884-6a2b8a0 1146->1158 1159 6a2b8a5-6a2b8a8 1146->1159 1155 6a2b72f-6a2b732 1147->1155 1156 6a2b71f-6a2b72a 1147->1156 1148->1136 1154 6a2b715 1148->1154 1185 6a2b947-6a2b94e 1153->1185 1186 6a2b87a 1153->1186 1154->1147 1165 6a2b734-6a2b73b 1155->1165 1166 6a2b749-6a2b74c 1155->1166 1156->1155 1157->1135 1158->1159 1162 6a2b8ca-6a2b8cd 1159->1162 1163 6a2b8aa-6a2b8c5 1159->1163 1161->1140 1171 6a2b8d7-6a2b8da 1162->1171 1172 6a2b8cf-6a2b8d2 1162->1172 1163->1162 1165->1105 1178 6a2b741-6a2b744 1165->1178 1167 6a2b756-6a2b759 1166->1167 1168 6a2b74e-6a2b753 1166->1168 1182 6a2b766-6a2b769 1167->1182 1183 6a2b75b-6a2b761 1167->1183 1168->1167 1169->1138 1216 6a2bc74-6a2bc7e 1170->1216 1217 6a2ba95-6a2ba9e 1170->1217 1180 6a2b92e-6a2b937 1171->1180 1181 6a2b8dc-6a2b8df 1171->1181 1172->1171 1178->1166 1180->1119 1187 6a2b93d 1180->1187 1191 6a2b8f0-6a2b8f3 1181->1191 1192 6a2b8e1-6a2b8e5 1181->1192 1182->1148 1188 6a2b76b-6a2b76e 1182->1188 1183->1182 1185->1105 1189 6a2b954-6a2b964 1185->1189 1186->1146 1199 6a2b942-6a2b945 1187->1199 1188->1114 1188->1117 1189->1114 1207 6a2b96a 1189->1207 1197 6a2b903-6a2b906 1191->1197 1198 6a2b8f5-6a2b8fe 1191->1198 1192->1131 1196 6a2b8eb 1192->1196 1196->1191 1197->1114 1204 6a2b90c-6a2b90f 1197->1204 1198->1197 1199->1185 1201 6a2b96f-6a2b972 1199->1201 1208 6a2b984-6a2b987 1201->1208 1209 6a2b974 1201->1209 1205 6a2b911-6a2b918 1204->1205 1206 6a2b929-6a2b92c 1204->1206 1205->1105 1211 6a2b91e-6a2b924 1205->1211 1206->1180 1206->1199 1207->1201 1208->1114 1210 6a2b98d-6a2b990 1208->1210 1218 6a2b97c-6a2b97f 1209->1218 1214 6a2b992-6a2b999 1210->1214 1215 6a2b9b6-6a2b9b8 1210->1215 1211->1206 1214->1105 1219 6a2b99b-6a2b9ab 1214->1219 1221 6a2b9ba 1215->1221 1222 6a2b9bf-6a2b9c2 1215->1222 1223 6a2baa4-6a2bb10 call 6a26590 1217->1223 1224 6a2bc6a-6a2bc6f 1217->1224 1218->1208 1219->1145 1229 6a2b9b1 1219->1229 1221->1222 1222->1102 1225 6a2b9c8-6a2b9d2 1222->1225 1235 6a2bb16-6a2bb1b 1223->1235 1236 6a2bc0a-6a2bc1f 1223->1236 1224->1216 1229->1215 1238 6a2bb37 1235->1238 1239 6a2bb1d-6a2bb23 1235->1239 1236->1224 1242 6a2bb39-6a2bb3f 1238->1242 1240 6a2bb25-6a2bb27 1239->1240 1241 6a2bb29-6a2bb2b 1239->1241 1245 6a2bb35 1240->1245 1241->1245 1243 6a2bb41-6a2bb47 1242->1243 1244 6a2bb54-6a2bb61 1242->1244 1246 6a2bbf5-6a2bc04 1243->1246 1247 6a2bb4d 1243->1247 1252 6a2bb63-6a2bb69 1244->1252 1253 6a2bb79-6a2bb86 1244->1253 1245->1242 1246->1235 1246->1236 1247->1244 1248 6a2bb88-6a2bb95 1247->1248 1249 6a2bbbc-6a2bbc9 1247->1249 1258 6a2bb97-6a2bb9d 1248->1258 1259 6a2bbad-6a2bbba 1248->1259 1260 6a2bbe1-6a2bbee 1249->1260 1261 6a2bbcb-6a2bbd1 1249->1261 1254 6a2bb6b 1252->1254 1255 6a2bb6d-6a2bb6f 1252->1255 1253->1246 1254->1253 1255->1253 1263 6a2bba1-6a2bba3 1258->1263 1264 6a2bb9f 1258->1264 1259->1246 1260->1246 1265 6a2bbd3 1261->1265 1266 6a2bbd5-6a2bbd7 1261->1266 1263->1259 1264->1259 1265->1260 1266->1260
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-2331353128
                                                • Opcode ID: 83e10655e81c131c9013f5adf8504dba15777374cdca3bbf12ca17fb918f493a
                                                • Instruction ID: 9fcb83083e59d103445625dc50f8d1328059d2927337ebc06329fec411adc68b
                                                • Opcode Fuzzy Hash: 83e10655e81c131c9013f5adf8504dba15777374cdca3bbf12ca17fb918f493a
                                                • Instruction Fuzzy Hash: 95027F30E5022A8FDB64EF6CD5846ADB7B2EB45318F20856AD409DF255DB34EC41CBA1
                                                Function 06A12C88 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1269 6a12c88-6a12d17 GetCurrentProcess 1273 6a12d20-6a12d54 GetCurrentThread 1269->1273 1274 6a12d19-6a12d1f 1269->1274 1275 6a12d56-6a12d5c 1273->1275 1276 6a12d5d-6a12d91 GetCurrentProcess 1273->1276 1274->1273 1275->1276 1278 6a12d93-6a12d99 1276->1278 1279 6a12d9a-6a12db5 call 6a12e58 1276->1279 1278->1279 1282 6a12dbb-6a12dea GetCurrentThreadId 1279->1282 1283 6a12df3-6a12e55 1282->1283 1284 6a12dec-6a12df2 1282->1284 1284->1283
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 06A12D06
                                                • GetCurrentThread.KERNEL32 ref: 06A12D43
                                                • GetCurrentProcess.KERNEL32 ref: 06A12D80
                                                • GetCurrentThreadId.KERNEL32 ref: 06A12DD9
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950036397.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a10000_CasPol.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: d356b8f4ff6e1de35e89ad126e5a98c9fdcc87b7f3cacef4ced1845223af8773
                                                • Instruction ID: 086a8843f4f38487d1e7d910fedc8bf155c90e58262a7e771c69d7678ad6392e
                                                • Opcode Fuzzy Hash: d356b8f4ff6e1de35e89ad126e5a98c9fdcc87b7f3cacef4ced1845223af8773
                                                • Instruction Fuzzy Hash: 35515AB09003098FDB54EFA9D948BDEBBF1FF48314F248059E019A7391DB74A985CB65
                                                Function 06A12C87 Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1291 6a12c87-6a12d17 GetCurrentProcess 1295 6a12d20-6a12d54 GetCurrentThread 1291->1295 1296 6a12d19-6a12d1f 1291->1296 1297 6a12d56-6a12d5c 1295->1297 1298 6a12d5d-6a12d91 GetCurrentProcess 1295->1298 1296->1295 1297->1298 1300 6a12d93-6a12d99 1298->1300 1301 6a12d9a-6a12db5 call 6a12e58 1298->1301 1300->1301 1304 6a12dbb-6a12dea GetCurrentThreadId 1301->1304 1305 6a12df3-6a12e55 1304->1305 1306 6a12dec-6a12df2 1304->1306 1306->1305
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 06A12D06
                                                • GetCurrentThread.KERNEL32 ref: 06A12D43
                                                • GetCurrentProcess.KERNEL32 ref: 06A12D80
                                                • GetCurrentThreadId.KERNEL32 ref: 06A12DD9
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950036397.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a10000_CasPol.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 5bb6cb7b6a44eed8142efeeccf2c5767919480e55da44e7e2ca2b527303e0708
                                                • Instruction ID: f5131b3733259093a96e62550712dc258e07de37155973966e3f32a44c30accb
                                                • Opcode Fuzzy Hash: 5bb6cb7b6a44eed8142efeeccf2c5767919480e55da44e7e2ca2b527303e0708
                                                • Instruction Fuzzy Hash: D05158B09003098FDB44EFA9D948BDEBBF1FF48314F248459E019AB291DB34A985CB65
                                                Function 06A29138 Relevance: 5.2, Strings: 4, Instructions: 230COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1313 6a29138-6a2915d 1314 6a2915f-6a29162 1313->1314 1315 6a29a20-6a29a23 1314->1315 1316 6a29168-6a2917d 1314->1316 1317 6a29a25-6a29a44 1315->1317 1318 6a29a49-6a29a4b 1315->1318 1323 6a29195-6a291ab 1316->1323 1324 6a2917f-6a29185 1316->1324 1317->1318 1320 6a29a52-6a29a55 1318->1320 1321 6a29a4d 1318->1321 1320->1314 1325 6a29a5b-6a29a65 1320->1325 1321->1320 1330 6a291b6-6a291b8 1323->1330 1326 6a29187 1324->1326 1327 6a29189-6a2918b 1324->1327 1326->1323 1327->1323 1331 6a291d0-6a29241 1330->1331 1332 6a291ba-6a291c0 1330->1332 1343 6a29243-6a29266 1331->1343 1344 6a2926d-6a29289 1331->1344 1333 6a291c2 1332->1333 1334 6a291c4-6a291c6 1332->1334 1333->1331 1334->1331 1343->1344 1349 6a292b5-6a292d0 1344->1349 1350 6a2928b-6a292ae 1344->1350 1355 6a292d2-6a292f4 1349->1355 1356 6a292fb-6a29316 1349->1356 1350->1349 1355->1356 1361 6a2933b-6a29349 1356->1361 1362 6a29318-6a29334 1356->1362 1363 6a2934b-6a29354 1361->1363 1364 6a29359-6a293d3 1361->1364 1362->1361 1363->1325 1370 6a29420-6a29435 1364->1370 1371 6a293d5-6a293f3 1364->1371 1370->1315 1375 6a293f5-6a29404 1371->1375 1376 6a2940f-6a2941e 1371->1376 1375->1376 1376->1370 1376->1371
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq$$dq$$dq
                                                • API String ID: 0-185584874
                                                • Opcode ID: 07dcb4657fd0143706229d7024d10332d7b291c0efda2f2091ac6b9b3ef819b5
                                                • Instruction ID: 76f369e8b7b708b7840342317cc04ad46c6cdc5fe577fef333b5dff97a84672f
                                                • Opcode Fuzzy Hash: 07dcb4657fd0143706229d7024d10332d7b291c0efda2f2091ac6b9b3ef819b5
                                                • Instruction Fuzzy Hash: 93913170B1021A9FDB54DF6AD9507AFB7F6EF84600F108569D80DEB344EA34AD428B91
                                                Function 06A2CF28 Relevance: 4.6, Strings: 3, Instructions: 800COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1379 6a2cf28-6a2cf43 1380 6a2cf45-6a2cf48 1379->1380 1381 6a2cf91-6a2cf94 1380->1381 1382 6a2cf4a-6a2cf8c 1380->1382 1383 6a2d414-6a2d420 1381->1383 1384 6a2cf9a-6a2cf9d 1381->1384 1382->1381 1386 6a2d122-6a2d131 1383->1386 1387 6a2d426-6a2d713 1383->1387 1388 6a2cfe6-6a2cfe9 1384->1388 1389 6a2cf9f-6a2cfae 1384->1389 1392 6a2d133-6a2d138 1386->1392 1393 6a2d140-6a2d14c 1386->1393 1592 6a2d93a-6a2d944 1387->1592 1593 6a2d719-6a2d71f 1387->1593 1390 6a2d032-6a2d035 1388->1390 1391 6a2cfeb-6a2d02d 1388->1391 1394 6a2cfb0-6a2cfb5 1389->1394 1395 6a2cfbd-6a2cfc9 1389->1395 1396 6a2d037-6a2d079 1390->1396 1397 6a2d07e-6a2d081 1390->1397 1391->1390 1392->1393 1398 6a2d945-6a2d97e 1393->1398 1401 6a2d152-6a2d164 1393->1401 1394->1395 1395->1398 1399 6a2cfcf-6a2cfe1 1395->1399 1396->1397 1404 6a2d083-6a2d09f 1397->1404 1405 6a2d0a4-6a2d0a7 1397->1405 1418 6a2d980-6a2d983 1398->1418 1399->1388 1419 6a2d169-6a2d16c 1401->1419 1404->1405 1409 6a2d0f0-6a2d0f3 1405->1409 1410 6a2d0a9-6a2d0eb 1405->1410 1414 6a2d0f5-6a2d0fa 1409->1414 1415 6a2d0fd-6a2d100 1409->1415 1410->1409 1414->1415 1422 6a2d102-6a2d118 1415->1422 1423 6a2d11d-6a2d120 1415->1423 1428 6a2d9a6-6a2d9a9 1418->1428 1429 6a2d985-6a2d9a1 1418->1429 1420 6a2d17b-6a2d17e 1419->1420 1421 6a2d16e-6a2d170 1419->1421 1433 6a2d180-6a2d1c2 1420->1433 1434 6a2d1c7-6a2d1ca 1420->1434 1430 6a2d411 1421->1430 1431 6a2d176 1421->1431 1422->1423 1423->1386 1423->1419 1435 6a2d9ab 1428->1435 1436 6a2d9b8-6a2d9bb 1428->1436 1429->1428 1430->1383 1431->1420 1433->1434 1439 6a2d213-6a2d216 1434->1439 1440 6a2d1cc-6a2d20e 1434->1440 1639 6a2d9ab call 6a2dab0 1435->1639 1640 6a2d9ab call 6a2da9d 1435->1640 1444 6a2d9ee-6a2d9f0 1436->1444 1445 6a2d9bd-6a2d9e9 1436->1445 1453 6a2d225-6a2d228 1439->1453 1454 6a2d218-6a2d21a 1439->1454 1440->1439 1451 6a2d9f2 1444->1451 1452 6a2d9f7-6a2d9fa 1444->1452 1445->1444 1450 6a2d9b1-6a2d9b3 1450->1436 1451->1452 1452->1418 1461 6a2d9fc-6a2da0b 1452->1461 1464 6a2d271-6a2d274 1453->1464 1465 6a2d22a-6a2d26c 1453->1465 1462 6a2d220 1454->1462 1463 6a2d2cf-6a2d2d8 1454->1463 1484 6a2da72-6a2da87 1461->1484 1485 6a2da0d-6a2da70 call 6a26590 1461->1485 1462->1453 1470 6a2d2e7-6a2d2f3 1463->1470 1471 6a2d2da-6a2d2df 1463->1471 1467 6a2d276-6a2d2b8 1464->1467 1468 6a2d2bd-6a2d2bf 1464->1468 1465->1464 1467->1468 1475 6a2d2c1 1468->1475 1476 6a2d2c6-6a2d2c9 1468->1476 1478 6a2d404-6a2d409 1470->1478 1479 6a2d2f9-6a2d30d 1470->1479 1471->1470 1475->1476 1476->1380 1476->1463 1478->1430 1479->1430 1496 6a2d313-6a2d325 1479->1496 1499 6a2da88 1484->1499 1485->1484 1506 6a2d327-6a2d32d 1496->1506 1507 6a2d349-6a2d34b 1496->1507 1499->1499 1511 6a2d331-6a2d33d 1506->1511 1512 6a2d32f 1506->1512 1518 6a2d355-6a2d361 1507->1518 1516 6a2d33f-6a2d347 1511->1516 1512->1516 1516->1518 1526 6a2d363-6a2d36d 1518->1526 1527 6a2d36f 1518->1527 1529 6a2d374-6a2d376 1526->1529 1527->1529 1529->1430 1531 6a2d37c-6a2d398 call 6a26590 1529->1531 1540 6a2d3a7-6a2d3b3 1531->1540 1541 6a2d39a-6a2d39f 1531->1541 1540->1478 1542 6a2d3b5-6a2d402 1540->1542 1541->1540 1542->1430 1594 6a2d721-6a2d726 1593->1594 1595 6a2d72e-6a2d737 1593->1595 1594->1595 1595->1398 1596 6a2d73d-6a2d750 1595->1596 1598 6a2d756-6a2d75c 1596->1598 1599 6a2d92a-6a2d934 1596->1599 1600 6a2d76b-6a2d774 1598->1600 1601 6a2d75e-6a2d763 1598->1601 1599->1592 1599->1593 1600->1398 1602 6a2d77a-6a2d79b 1600->1602 1601->1600 1605 6a2d7aa-6a2d7b3 1602->1605 1606 6a2d79d-6a2d7a2 1602->1606 1605->1398 1607 6a2d7b9-6a2d7d6 1605->1607 1606->1605 1607->1599 1610 6a2d7dc-6a2d7e2 1607->1610 1610->1398 1611 6a2d7e8-6a2d801 1610->1611 1613 6a2d807-6a2d82e 1611->1613 1614 6a2d91d-6a2d924 1611->1614 1613->1398 1617 6a2d834-6a2d83e 1613->1617 1614->1599 1614->1610 1617->1398 1618 6a2d844-6a2d85b 1617->1618 1620 6a2d86a-6a2d885 1618->1620 1621 6a2d85d-6a2d868 1618->1621 1620->1614 1626 6a2d88b-6a2d8a4 call 6a26590 1620->1626 1621->1620 1630 6a2d8b3-6a2d8bc 1626->1630 1631 6a2d8a6-6a2d8ab 1626->1631 1630->1398 1632 6a2d8c2-6a2d916 1630->1632 1631->1630 1632->1614 1639->1450 1640->1450
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq$$dq
                                                • API String ID: 0-2861643491
                                                • Opcode ID: cb9e6932cd10620ad67f414e306a9edc35b2d68694f2da2c08639e2e1970484d
                                                • Instruction ID: d9f3114bae5b1ebb76f49af240998e17b8b96661f485d4e1c023daccc4cb3b0e
                                                • Opcode Fuzzy Hash: cb9e6932cd10620ad67f414e306a9edc35b2d68694f2da2c08639e2e1970484d
                                                • Instruction Fuzzy Hash: DE626070B002268FCB55EB6CE590A5EB7F2FF84315B208968D4099F359DB75ED86CB80
                                                Function 06A24B50 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1641 6a24b50-6a24b74 1642 6a24b76-6a24b79 1641->1642 1643 6a25258-6a2525b 1642->1643 1644 6a24b7f-6a24c77 1642->1644 1645 6a2527c-6a2527e 1643->1645 1646 6a2525d-6a25277 1643->1646 1664 6a24cfa-6a24d01 1644->1664 1665 6a24c7d-6a24cc5 1644->1665 1648 6a25280 1645->1648 1649 6a25285-6a25288 1645->1649 1646->1645 1648->1649 1649->1642 1650 6a2528e-6a2529b 1649->1650 1666 6a24d07-6a24d77 1664->1666 1667 6a24d85-6a24d8e 1664->1667 1687 6a24cca call 6a253fa 1665->1687 1688 6a24cca call 6a25408 1665->1688 1684 6a24d82 1666->1684 1685 6a24d79 1666->1685 1667->1650 1678 6a24cd0-6a24cec 1682 6a24cf7-6a24cf8 1678->1682 1683 6a24cee 1678->1683 1682->1664 1683->1682 1684->1667 1685->1684 1687->1678 1688->1678
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fiq$XPiq$\Oiq
                                                • API String ID: 0-1639307521
                                                • Opcode ID: 16d831ef7034042289509366f651823662fd970a95f679c44554266b4fa72573
                                                • Instruction ID: 5427231da4a22fe339d8b7ebefbe4fa18f33ead8d52780efff36d3a4d2bcd5df
                                                • Opcode Fuzzy Hash: 16d831ef7034042289509366f651823662fd970a95f679c44554266b4fa72573
                                                • Instruction Fuzzy Hash: A3618170F102199FEB54AFA9C4547AEBAF6FF88700F208429E509AB394DF759C05CB90
                                                Function 06A29127 Relevance: 2.7, Strings: 2, Instructions: 156COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2506 6a29127-6a2915d 2507 6a2915f-6a29162 2506->2507 2508 6a29a20-6a29a23 2507->2508 2509 6a29168-6a2917d 2507->2509 2510 6a29a25-6a29a44 2508->2510 2511 6a29a49-6a29a4b 2508->2511 2516 6a29195-6a291ab 2509->2516 2517 6a2917f-6a29185 2509->2517 2510->2511 2513 6a29a52-6a29a55 2511->2513 2514 6a29a4d 2511->2514 2513->2507 2518 6a29a5b-6a29a65 2513->2518 2514->2513 2523 6a291b6-6a291b8 2516->2523 2519 6a29187 2517->2519 2520 6a29189-6a2918b 2517->2520 2519->2516 2520->2516 2524 6a291d0-6a29241 2523->2524 2525 6a291ba-6a291c0 2523->2525 2536 6a29243-6a29266 2524->2536 2537 6a2926d-6a29289 2524->2537 2526 6a291c2 2525->2526 2527 6a291c4-6a291c6 2525->2527 2526->2524 2527->2524 2536->2537 2542 6a292b5-6a292d0 2537->2542 2543 6a2928b-6a292ae 2537->2543 2548 6a292d2-6a292f4 2542->2548 2549 6a292fb-6a29316 2542->2549 2543->2542 2548->2549 2554 6a2933b-6a29349 2549->2554 2555 6a29318-6a29334 2549->2555 2556 6a2934b-6a29354 2554->2556 2557 6a29359-6a293d3 2554->2557 2555->2554 2556->2518 2563 6a29420-6a29435 2557->2563 2564 6a293d5-6a293f3 2557->2564 2563->2508 2568 6a293f5-6a29404 2564->2568 2569 6a2940f-6a2941e 2564->2569 2568->2569 2569->2563 2569->2564
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq
                                                • API String ID: 0-2340669324
                                                • Opcode ID: f7787b5bb7d5fd631db1af551d7ee3498758ead5c65a13f8b615062f57afc339
                                                • Instruction ID: 5754824408d6fe3c4834032d75bf594b726c20f3537656b372d7621f0ad68688
                                                • Opcode Fuzzy Hash: f7787b5bb7d5fd631db1af551d7ee3498758ead5c65a13f8b615062f57afc339
                                                • Instruction Fuzzy Hash: 95517670B101169FDB94DB79E9507AF77FAEF88600F148469C909DB394DA34EC42CB91
                                                Function 06A1B198 Relevance: 1.7, APIs: 1, Instructions: 200COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 06A1B3FE
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950036397.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a10000_CasPol.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 5e04ff88533ba2583b17d7ab3c6975675218c03e648b78ab752e22514cac09a3
                                                • Instruction ID: a69fcc9d633ace45621f5de35cb5dd8f5f8bc9e4ca0190051abe026b2aee5388
                                                • Opcode Fuzzy Hash: 5e04ff88533ba2583b17d7ab3c6975675218c03e648b78ab752e22514cac09a3
                                                • Instruction Fuzzy Hash: 27815970A00B058FD764EF29D54579ABBF1FF48304F008A6DD49ADBA50DB75E849CBA0
                                                Function 06A1D330 Relevance: 1.7, APIs: 1, Instructions: 151COMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A1D4A2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950036397.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a10000_CasPol.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: cd2476db6fc6a964e84662bbe62e554e469f0805c9b2a28a8245471e0e2e731e
                                                • Instruction ID: 225c5c335eaa4d3e643a1521f20a8362aafdfd2060cf2414633ff88d90b3f6a3
                                                • Opcode Fuzzy Hash: cd2476db6fc6a964e84662bbe62e554e469f0805c9b2a28a8245471e0e2e731e
                                                • Instruction Fuzzy Hash: EF5113B1C00249AFDF55DFA9C984ADDBFB5FF48310F24816AE918AB221D7719845CF90
                                                Function 06A1D390 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A1D4A2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950036397.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a10000_CasPol.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: eb3ee1f9e506f5e0d785eebb6d76c31f55e211da8f3b276476c643b5e5200bcd
                                                • Instruction ID: c01c9bf9d4cf4a3ba5fbc14727f3fea62ac6eefaf056b2afdf1c8a6f843c47fb
                                                • Opcode Fuzzy Hash: eb3ee1f9e506f5e0d785eebb6d76c31f55e211da8f3b276476c643b5e5200bcd
                                                • Instruction Fuzzy Hash: 0341B0B1D10309DFDB14DF99C984ADEBBB5FF88314F24812AE819AB250D775A845CF90
                                                Function 06A1A61C Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                Download Yara Rule
                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 06A1FB91
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950036397.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a10000_CasPol.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: 53dede3a8822a219ace31af661ff442565241285e8a1ff03ba7c8456fa0b347d
                                                • Instruction ID: 958547ca402d0517d5dc6712944ef043b7ba0170276431761ae160c9c915a823
                                                • Opcode Fuzzy Hash: 53dede3a8822a219ace31af661ff442565241285e8a1ff03ba7c8456fa0b347d
                                                • Instruction Fuzzy Hash: 99415AB49003498FDB54DF59C888AAABBF5FF88314F24C459D519AB321C774A845CFA0
                                                Function 06A12EC8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                Download Yara Rule
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A12F57
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950036397.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a10000_CasPol.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 30b50d7203d46fe1a17c161982509c737060efb331105b38b8d0a2d61a61f3ec
                                                • Instruction ID: 8276a17098c2401c6ecefa364d2749a1d489a955c5222fb7c42ac0871f0a42df
                                                • Opcode Fuzzy Hash: 30b50d7203d46fe1a17c161982509c737060efb331105b38b8d0a2d61a61f3ec
                                                • Instruction Fuzzy Hash: F521DFB59002489FDB10CFAAD984ADEBFF5EB48310F14801AE968A7250D374AA54DFA5
                                                Function 06A12ED0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                Download Yara Rule
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A12F57
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950036397.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a10000_CasPol.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 0bc1d60d4d6c8a31ec408d44babcaf4959543f3f4947c2238565dafb737d6c5c
                                                • Instruction ID: f7cddf696da0426579be1078f7fb031fdf5e0ac923e89e1e59b17ab4a1013a9b
                                                • Opcode Fuzzy Hash: 0bc1d60d4d6c8a31ec408d44babcaf4959543f3f4947c2238565dafb737d6c5c
                                                • Instruction Fuzzy Hash: 4121E4B59002089FDB10CF9AD984ADEBBF4FB48310F14801AE918A7350D374A954CFA0
                                                Function 02DBEC18 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                Download Yara Rule
                                                APIs
                                                • GlobalMemoryStatusEx.KERNEL32 ref: 02DBEC87
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2945549381.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2db0000_CasPol.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: cd02f87be0b2b2401274d7165ac9d97ebfaf0b98ae0fb9d486e861abeb91dd4c
                                                • Instruction ID: de0c391ee97f6aab5694a1b8818aa2f60a03b7c81cf4a64e91d5bc8b3fa7501c
                                                • Opcode Fuzzy Hash: cd02f87be0b2b2401274d7165ac9d97ebfaf0b98ae0fb9d486e861abeb91dd4c
                                                • Instruction Fuzzy Hash: 211103B1C0025A9BCB10DF9AC544ADEFBF4BF48324F15816AE818A7341D378A944CFA1
                                                Function 02DBEC20 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                Download Yara Rule
                                                APIs
                                                • GlobalMemoryStatusEx.KERNEL32 ref: 02DBEC87
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2945549381.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2db0000_CasPol.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: cef0879f3e75326abf535dfc5205ee8c8b83eada44917a79654e3012651e2a5c
                                                • Instruction ID: 5a2400a0ded17c794f36e912ef950772230047cb9e65d872af8a44dc7b8267d1
                                                • Opcode Fuzzy Hash: cef0879f3e75326abf535dfc5205ee8c8b83eada44917a79654e3012651e2a5c
                                                • Instruction Fuzzy Hash: E7111FB1C002599BCB10DF9AC544ADEFBF4BF48320F11816AE818A7381D378A944CFA1
                                                Function 06A1B398 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 06A1B3FE
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950036397.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a10000_CasPol.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 506010b3161c2f6c37e1c46e95f897d7d00ee6f67418743e694c534d7954cafb
                                                • Instruction ID: 8053a6bbf8fbcf52bb2a18db299c3ac0cbe189e8c9cfe32f760b56dfdb3eb6ca
                                                • Opcode Fuzzy Hash: 506010b3161c2f6c37e1c46e95f897d7d00ee6f67418743e694c534d7954cafb
                                                • Instruction Fuzzy Hash: 2D11E0B6C003498FCB10DF9AC844ADEFBF4EB88324F10842AD419AB651D375A545CFA1
                                                Function 06A24B40 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: XPiq
                                                • API String ID: 0-3497805733
                                                • Opcode ID: 2476baa2e2745450e891d7e855b1de4db7fdd9daacef55fd66bf9a6bbff52778
                                                • Instruction ID: 7751fb3f8fec0769b1d2f084f2719672be65d56f31ad97f2b9d1835204b535dd
                                                • Opcode Fuzzy Hash: 2476baa2e2745450e891d7e855b1de4db7fdd9daacef55fd66bf9a6bbff52778
                                                • Instruction Fuzzy Hash: 1D415E74F102199FDB559FA9C854BAEBAF6FF8C700F20852AE105AB394DB749C058B90
                                                Function 06A2DAB0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHdq
                                                • API String ID: 0-2991842255
                                                • Opcode ID: b4919814c095fa8f644c64c33e2d3aabfc5a16cbd99946007d815fc8a7cc98c8
                                                • Instruction ID: 0c16b16f789c8d3a89c14c44219df9b3ff7d69a019b6149573e19a8e630c4ad3
                                                • Opcode Fuzzy Hash: b4919814c095fa8f644c64c33e2d3aabfc5a16cbd99946007d815fc8a7cc98c8
                                                • Instruction Fuzzy Hash: 0F418270E5071A9FDB64FF69D49469EBBB2FF85301F204529E805EB241EB70E842CB81
                                                Function 06A2DA9D Relevance: 1.4, Strings: 1, Instructions: 113COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHdq
                                                • API String ID: 0-2991842255
                                                • Opcode ID: 87db2bfdee0369121d20cbe15ecf8f9c4a96cd1d5e9ab8071669b9acce362bd5
                                                • Instruction ID: 96477edfca8426946c654ef41dedf59a1ab27a65caeb7b32b408f6259f2b8e86
                                                • Opcode Fuzzy Hash: 87db2bfdee0369121d20cbe15ecf8f9c4a96cd1d5e9ab8071669b9acce362bd5
                                                • Instruction Fuzzy Hash: DB41A270E003169FDB65EF69D59469EBBB2FF85201F104529E805EB246DB70E842CB40
                                                Function 06A221BD Relevance: 1.4, Strings: 1, Instructions: 110COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHdq
                                                • API String ID: 0-2991842255
                                                • Opcode ID: cff8852a72319f799fcb27102aa84923954228cb1cc10ca8312c27d777ac00ba
                                                • Instruction ID: 6aeb07600d6db8d650e8f686c70bfa55f5d7a7cc118198dba65f4998e21da321
                                                • Opcode Fuzzy Hash: cff8852a72319f799fcb27102aa84923954228cb1cc10ca8312c27d777ac00ba
                                                • Instruction Fuzzy Hash: B0316230B102169FDB58AB78D95876E3BA3EF89200F144568D406EF394DF35EE02CBA4
                                                Function 06A221D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHdq
                                                • API String ID: 0-2991842255
                                                • Opcode ID: dffb6c48084d6188294aa1ed3511c644f747af6aef09a1ce80503842297d12e4
                                                • Instruction ID: 0f68323cd2952d37beaaff6f8668ad16c15e53d0026ce83e29734e3f1e1486ce
                                                • Opcode Fuzzy Hash: dffb6c48084d6188294aa1ed3511c644f747af6aef09a1ce80503842297d12e4
                                                • Instruction Fuzzy Hash: C0311E70B102169FDB58AB78D55876E7BE3AF89200F204468D406DF394DF35DE42CB90
                                                Function 06A282DE Relevance: 1.3, Strings: 1, Instructions: 30COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq
                                                • API String ID: 0-847773763
                                                • Opcode ID: 212212b53ab865f21787fca3e40c2d5ce1442a7208c7ba10b2f3276fed6e3319
                                                • Instruction ID: 5b58e5b7f2d2ad8c3e79a226553fe2225a06a9483f7a8fd691db58715225fcb5
                                                • Opcode Fuzzy Hash: 212212b53ab865f21787fca3e40c2d5ce1442a7208c7ba10b2f3276fed6e3319
                                                • Instruction Fuzzy Hash: E4F0A035F84227CBDF64AA5EF9801A8F3A1FB00251B144066ED00CB150D23DEA09CA91
                                                Function 06A2C170 Relevance: .6, Instructions: 634COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b190477375804b6eec8e7a3a045985a8be07149e18976c992a23807586caae7
                                                • Instruction ID: 55223c7eac6ee01fe65e47f21c3971a80308cd92bae286e5c2d0d3fdb7b53d40
                                                • Opcode Fuzzy Hash: 3b190477375804b6eec8e7a3a045985a8be07149e18976c992a23807586caae7
                                                • Instruction Fuzzy Hash: F6329474B502169FDF94DB6DE984BADB7B2FB88320F108529D40ADB355DB34EC418B90
                                                Function 06A261E0 Relevance: .2, Instructions: 229COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 36bfe1d14bc326b600d405d2f59004a3b30467e60fdf7b4780c2430a9d9f8a0a
                                                • Instruction ID: 293db2c0c2e07aa9cd38ce8a63bc480cf6b36adf619f3e43ace3a53d8be6ee71
                                                • Opcode Fuzzy Hash: 36bfe1d14bc326b600d405d2f59004a3b30467e60fdf7b4780c2430a9d9f8a0a
                                                • Instruction Fuzzy Hash: 8161C0B1F401224FDF54AB6EC88066FBADBAFD4210B254479E80EDB364DE65EC4287D1
                                                Function 06A24280 Relevance: .2, Instructions: 221COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3669b03efd3304bc65872f0361853ee1f7565c163d384302a5f9917218baa0ba
                                                • Instruction ID: 0d3bcfdeb02e4d97afc09bc2678d3c0d36bde0a12d54f6ff99cfb0b7451e41ff
                                                • Opcode Fuzzy Hash: 3669b03efd3304bc65872f0361853ee1f7565c163d384302a5f9917218baa0ba
                                                • Instruction Fuzzy Hash: 69814E30B1021A9BDB54DFA9D5547AEBBF6EF89300F108529D40ADB394EB34EC428B91
                                                Function 06A245A0 Relevance: .2, Instructions: 221COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a9dfd24e1c62a15d1661bf5031133173841b838f7a6334964b4430b2153f46c7
                                                • Instruction ID: dc8be3b84c8ef136ca13bea3d30a24d269c8ac4889277efc272ef3019fe2e3c7
                                                • Opcode Fuzzy Hash: a9dfd24e1c62a15d1661bf5031133173841b838f7a6334964b4430b2153f46c7
                                                • Instruction Fuzzy Hash: D5914D34E1021A8FDF60DF68C890B9DB7B1FF89300F208695D459AB295DB70AA85CB90
                                                Function 06A24290 Relevance: .2, Instructions: 218COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 33529a1fbb1978701d546beac77d6224528ba5867a769a8c2cb1640367960e85
                                                • Instruction ID: 52bb51585575e96be7912abd9fe1310d2abb107864f6a548527cde4516797138
                                                • Opcode Fuzzy Hash: 33529a1fbb1978701d546beac77d6224528ba5867a769a8c2cb1640367960e85
                                                • Instruction Fuzzy Hash: 75812D30B1021A9BDB54DFA9D5547AEBBF6EF89300F108529D40ADB394EB74EC428B91
                                                Function 06A245B8 Relevance: .2, Instructions: 210COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9569643df4d6cd07494c878bebd9730117e822017b65269a719884b095aeade8
                                                • Instruction ID: 43dff8f396ad2d6df9e5ffb8d466bbd6585e092571922bf67715d5144d631c43
                                                • Opcode Fuzzy Hash: 9569643df4d6cd07494c878bebd9730117e822017b65269a719884b095aeade8
                                                • Instruction Fuzzy Hash: 2D913D70E1061A8BDF64DF68C890B9DB7B1FF89300F208595D559BB394DB70AA85CF90
                                                Function 06A2EAF8 Relevance: .2, Instructions: 201COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f9d9b388cfe807c612a997883094e4bd0c682f4efcc60419847246d274886727
                                                • Instruction ID: fa78c9833f8afa6e6ae2407d0ac987c7fe3695e260ebc34cbe4ad2663c8c0af9
                                                • Opcode Fuzzy Hash: f9d9b388cfe807c612a997883094e4bd0c682f4efcc60419847246d274886727
                                                • Instruction Fuzzy Hash: 23710B70A002199FDB54EFA9D990A9DBBF6FF88304F248469D4199B355DB30EC86CB50
                                                Function 06A2EAE8 Relevance: .2, Instructions: 197COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f50a059855e06df773a6092f8870a273da187d6c5ca8763c51a5866d388a032
                                                • Instruction ID: f7e843110d722c800249b8274bcf36ee660631dcbd5f2b1ab724556b6cb23357
                                                • Opcode Fuzzy Hash: 4f50a059855e06df773a6092f8870a273da187d6c5ca8763c51a5866d388a032
                                                • Instruction Fuzzy Hash: 70713C70A0021A9FDB54EFA9D990A9DBBF6FF88300F248469D419DB255DB30EC86CB50
                                                Function 06A2FA0B Relevance: .2, Instructions: 171COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 78d0b3f99d99e78922b107a13de3441340fe5eeb9f7c0bc19bf9020b86aa6161
                                                • Instruction ID: 27051471661bc39c26e81b3594472a05a7f9ba937dca5719cd7a36ce6512ca9b
                                                • Opcode Fuzzy Hash: 78d0b3f99d99e78922b107a13de3441340fe5eeb9f7c0bc19bf9020b86aa6161
                                                • Instruction Fuzzy Hash: 2B51D770B602359FEF64676CE85877F26AAD789711F20442AE50ACB395CF2DCC8153A2
                                                Function 06A2FC67 Relevance: .2, Instructions: 169COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 42210743ccb1e0c2008e1741f8492521439056ba502343f682a4e86506dac4ff
                                                • Instruction ID: 029433d2cce48515b5febe2906bde2ab2051e368f553c0f8ede3a836e126c700
                                                • Opcode Fuzzy Hash: 42210743ccb1e0c2008e1741f8492521439056ba502343f682a4e86506dac4ff
                                                • Instruction Fuzzy Hash: 4651D131F80126DFCB64BBBCE5586ADB7B2FF84315F10886AE106DB250DB319955CB80
                                                Function 06A2FA18 Relevance: .2, Instructions: 163COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd0f7cc68b22a1ae28dbb301d7b5c8c5fe9f843501faad3257fd3d11344e580f
                                                • Instruction ID: e04f4e81de432e0d6bb71e8790013ec8f98720ecfc00c30becfc79a78852cba0
                                                • Opcode Fuzzy Hash: bd0f7cc68b22a1ae28dbb301d7b5c8c5fe9f843501faad3257fd3d11344e580f
                                                • Instruction Fuzzy Hash: 6851B5B0BA02355FEF6467ACE85873F26AAD78D711F20442AE50ACB395CF2DCC815391
                                                Function 06A25408 Relevance: .1, Instructions: 126COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b0768a3ca04691b70a3fb73381907190ce667846881232e3aed9e76694a542b3
                                                • Instruction ID: 844cd99d262a772deaf07cdab669b482cf279d6d6b366fd8bf5cd69cbe7d6be6
                                                • Opcode Fuzzy Hash: b0768a3ca04691b70a3fb73381907190ce667846881232e3aed9e76694a542b3
                                                • Instruction Fuzzy Hash: E3412971E4061A9BDB60DFADD880AAFFBB2FB84310F10492AE11AD6650D731E9558B90
                                                Function 06A2D950 Relevance: .1, Instructions: 100COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1aca5ea89d08816cb7c4cbc5ce229e536848af5069b0bd411ea11f186ceb52da
                                                • Instruction ID: 52b203cb3bd64a64d4a0207d6fc7a31e93f83f0cf1d3cad78de92a65410167bf
                                                • Opcode Fuzzy Hash: 1aca5ea89d08816cb7c4cbc5ce229e536848af5069b0bd411ea11f186ceb52da
                                                • Instruction Fuzzy Hash: 1231C670E113269FCB14EF6CD9906DEBBB2FF85300F108929E405EB645DB71A846CB90
                                                Function 06A22081 Relevance: .1, Instructions: 97COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ecc3171a051b54221b165ff0c39662ea4996c74b1d15967f0139246f8ed4f8c2
                                                • Instruction ID: 0e9483ef7b3c2913e771fc154f4f6d94ff89c29e633279d648e5bee2f4d32018
                                                • Opcode Fuzzy Hash: ecc3171a051b54221b165ff0c39662ea4996c74b1d15967f0139246f8ed4f8c2
                                                • Instruction Fuzzy Hash: 7F31B434E102169BCB58DFA8D894B9EB7B2FF88300F508519E905EB350DB71AD81CB90
                                                Function 06A22090 Relevance: .1, Instructions: 91COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 98b25e1f08f4186a454d37996eea78593bae33ae2bbfa3a0a1eabe8144ecd53b
                                                • Instruction ID: a58d34aec5bef149f4d9c0267e29f5b3660768c5cd62d1b5e0792cb14c8a4898
                                                • Opcode Fuzzy Hash: 98b25e1f08f4186a454d37996eea78593bae33ae2bbfa3a0a1eabe8144ecd53b
                                                • Instruction Fuzzy Hash: 2531A434E102169BCB18DFA8D894B9EB7B2FF88300F508529E815EB354DB71AD81CB50
                                                Function 06A23A80 Relevance: .1, Instructions: 84COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 006f47f8161d9bd7423d29d02b1c84bb93c6b12bd98b94b5fba3597e3b1ea9f4
                                                • Instruction ID: 0c7489f49f009aad8e3b5689ab20f7a56ee3a064dbe9506573be2f61115be59c
                                                • Opcode Fuzzy Hash: 006f47f8161d9bd7423d29d02b1c84bb93c6b12bd98b94b5fba3597e3b1ea9f4
                                                • Instruction Fuzzy Hash: C4219A36F402169FDF40CF69E980AEEBBF5EB49210F108025E905EB361D738DC418B90
                                                Function 06A23A90 Relevance: .1, Instructions: 78COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f4d20a22994bb0daf56b9470ba39d27cbbcb0f5c04a9ebac1b99d7ac8892b919
                                                • Instruction ID: fea8b602dec2211e904e177a2553757692a88e6b5ab3915ad9a0a916fdf2febf
                                                • Opcode Fuzzy Hash: f4d20a22994bb0daf56b9470ba39d27cbbcb0f5c04a9ebac1b99d7ac8892b919
                                                • Instruction Fuzzy Hash: 52218B35F012169FDF40DF6DE980AAEBBF1EB48610F108069E905EB354E739EC408B90
                                                Function 012CD030 Relevance: .1, Instructions: 72COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2945307417.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_12cd000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2453ee90048592d19ed40c0ccd60242903d608088a433585a957bfd9f5afc0bc
                                                • Instruction ID: e86ac200cd5d773d4c730a74f565a5caf54fdc6b26d9f67b74f2c7a79579448f
                                                • Opcode Fuzzy Hash: 2453ee90048592d19ed40c0ccd60242903d608088a433585a957bfd9f5afc0bc
                                                • Instruction Fuzzy Hash: 06212571614208EFCB11DF58D9C0B26BBA5FB84714F24C67DDA0A0B242C377D407CAA1
                                                Function 06A26D00 Relevance: .1, Instructions: 68COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8bc8cf21f301d23d533373af794ee8dca474cae4a6f70121fe316c5beb3ddb77
                                                • Instruction ID: 4549382ed7d88942278cd3179e4ff000b040e054249a1f8f35354d758ef34cc0
                                                • Opcode Fuzzy Hash: 8bc8cf21f301d23d533373af794ee8dca474cae4a6f70121fe316c5beb3ddb77
                                                • Instruction Fuzzy Hash: E521B130F1112A9FDF84EB6DE8546AEBBF6EB84350F648469E405DB340DB35ED418B90
                                                Function 06A253FA Relevance: .1, Instructions: 64COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f8e42b7412f4831030ca6ce99c3105a75b705291d581eb2affd9799175b8f972
                                                • Instruction ID: eebe4f15209366c0ed6ce531208ce637f760c2272e1cc51949fa95e1d4f7d6da
                                                • Opcode Fuzzy Hash: f8e42b7412f4831030ca6ce99c3105a75b705291d581eb2affd9799175b8f972
                                                • Instruction Fuzzy Hash: A7218E71E007169FCB24DFA9DDC5AAFFBB2FF88300F108929E11697654D730A8558B90
                                                Function 06A23BA0 Relevance: .1, Instructions: 59COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 327a1920e91d84a5bb66e2b62fa411f18c0f2d1bf91b17aee13cab8c7c2e5646
                                                • Instruction ID: ce34a0be87d1e667f1ad09f09d8f06923acc747ccf35f0c28bf7877f574ea7a8
                                                • Opcode Fuzzy Hash: 327a1920e91d84a5bb66e2b62fa411f18c0f2d1bf91b17aee13cab8c7c2e5646
                                                • Instruction Fuzzy Hash: FC11A531B141395FDF54AA7CD8146AE77AAEBC9611F00443AD40AEB344DE38DC024BD1
                                                Function 06A23040 Relevance: .1, Instructions: 53COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 33498d0eeab1b6d4d9e4b58bdb296d62ae6558f82f68af147c184f6dc9aaec0b
                                                • Instruction ID: 3638d03e35db6761451354b52666611e87a8928a29f1726ce6ef9af828c0c843
                                                • Opcode Fuzzy Hash: 33498d0eeab1b6d4d9e4b58bdb296d62ae6558f82f68af147c184f6dc9aaec0b
                                                • Instruction Fuzzy Hash: 4901A171E002299ACF58EB79D9405DEF7F6EF89310F108569D506EB304DA35DA40CBE0
                                                Function 012CD02B Relevance: .1, Instructions: 53COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2945307417.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_12cd000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                • Instruction ID: c0e05babe134a8606cdb42831829d5b9d8a847c9a924130fb7831167f92d9238
                                                • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                • Instruction Fuzzy Hash: 7E11EE75504284CFCB12CF58C5C4B15BB71FB84314F24C6AEDA494B652C33BD40ACBA1
                                                Function 06A23860 Relevance: .1, Instructions: 52COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6c418dd1e5255bdfa77475522c3bc73fe5217a5ddd6b0f9bd3baab510ea8534d
                                                • Instruction ID: 287c76a86484d5a1ae4c63fe300dbf2bb467f4008d5577f9f540c3c7f5dddb0b
                                                • Opcode Fuzzy Hash: 6c418dd1e5255bdfa77475522c3bc73fe5217a5ddd6b0f9bd3baab510ea8534d
                                                • Instruction Fuzzy Hash: 9111AFB5D01259AFCB00DF9AD884ADEFBF8FB49310F10812AE918A7241D375A954CBA5
                                                Function 06A2ED69 Relevance: .1, Instructions: 52COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b78f58907f7135247e067ca77fb7a05bdff9a4fd85aeaa80b41c3e0787050bde
                                                • Instruction ID: 55fe36d3b1089fe081aa9c3b1aa740f009e74d09533f8ad0ba8dcb53ee0d0809
                                                • Opcode Fuzzy Hash: b78f58907f7135247e067ca77fb7a05bdff9a4fd85aeaa80b41c3e0787050bde
                                                • Instruction Fuzzy Hash: 1C01F235B641215FDB64EB6C98A476E27D6EBC9220F14883AF40ECB345DE28DC424391
                                                Function 06A23859 Relevance: .1, Instructions: 51COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 066bce198709ce6528de7d99bcbbbca52ab7855d52b83fae55f77f4b7f4f6b47
                                                • Instruction ID: 70b318b74f7cead8d5af73371f45f371e1f4301c3c58d96c5fe7285b26c16110
                                                • Opcode Fuzzy Hash: 066bce198709ce6528de7d99bcbbbca52ab7855d52b83fae55f77f4b7f4f6b47
                                                • Instruction Fuzzy Hash: CE21CEB5D01219AFCB00DF9AD985ADEFBB4FB48310F10822AE518A7241C374A554CFA4
                                                Function 06A241E2 Relevance: .1, Instructions: 51COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 13c3eee778d3fe2a246a6575dca0ac2340969358bb9bd46aad35a67c43c48012
                                                • Instruction ID: 03a41d7d4f8919113213f456f783d2e65879caff56fa5b9719dc561bd7d41470
                                                • Opcode Fuzzy Hash: 13c3eee778d3fe2a246a6575dca0ac2340969358bb9bd46aad35a67c43c48012
                                                • Instruction Fuzzy Hash: 4B01F2B1B101221FEBA0E6BDE85872FA3D6DBCC721F20846AE00ACB354ED25DC424390
                                                Function 06A241F0 Relevance: .1, Instructions: 51COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f61f62aa0adaa467cce052d53c667fc8d62b56c1580d71e26934da77bc2c0e48
                                                • Instruction ID: d013368c6e8e89e8e6f2c9da8485bf877288f6bfdac7c9197e5c2038d7a3d8dc
                                                • Opcode Fuzzy Hash: f61f62aa0adaa467cce052d53c667fc8d62b56c1580d71e26934da77bc2c0e48
                                                • Instruction Fuzzy Hash: DE018171B201221FDBA4A6AEE45476FB3DADBC9720F20843AF10ECB754DE65DC424791
                                                Function 06A2A2F0 Relevance: .0, Instructions: 50COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 52b55c81d32ebce0027a672880735778663dd88218a3d044285f6ee7ffc70aad
                                                • Instruction ID: 0f3308ea887b2a5141365b523e772c7ef3025e2b71b225b2c5d138925148ecd7
                                                • Opcode Fuzzy Hash: 52b55c81d32ebce0027a672880735778663dd88218a3d044285f6ee7ffc70aad
                                                • Instruction Fuzzy Hash: 99018F74B144219FDB64E76CA9A476EA7E5EB89710F10882AE20ECB390EE25DC418781
                                                Function 06A2ED78 Relevance: .0, Instructions: 49COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9524011a8307416fd4ced44f7bb0861dc490456b25549ebf2c820a0a36ae4d49
                                                • Instruction ID: 2418ed20bf460078c807c42fa7bfda8852274013400293ab6ed46fc4791b5b02
                                                • Opcode Fuzzy Hash: 9524011a8307416fd4ced44f7bb0861dc490456b25549ebf2c820a0a36ae4d49
                                                • Instruction Fuzzy Hash: FA01AF35B241225FDBA8E66CA86476F67D6EBC9620F108839F10ECB344DE65DC4243D1
                                                Function 06A23B8F Relevance: .0, Instructions: 46COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 511e8357fd941ae3e81c3ffc610a8eff2a0c9c5c145f6d327fabd685c4887fbb
                                                • Instruction ID: 820531b7594a985e53bcd1f382a45c0dbdb73bb1eb9565cfe0b2ac7d46238f22
                                                • Opcode Fuzzy Hash: 511e8357fd941ae3e81c3ffc610a8eff2a0c9c5c145f6d327fabd685c4887fbb
                                                • Instruction Fuzzy Hash: 2301F732B1412A4BDF95AA7C98152AE77ABDBC8611F04403AC50AE7280EE289D0747D1
                                                Function 06A2A300 Relevance: .0, Instructions: 46COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cee187995b079cb6efc6a37ca084536eaa7309f48fdd7bc661cc75c26723c970
                                                • Instruction ID: 9cf4193d1a4ec6a113e9616a1b604e8f685cab717c89e720f9a220e049ebc9d4
                                                • Opcode Fuzzy Hash: cee187995b079cb6efc6a37ca084536eaa7309f48fdd7bc661cc75c26723c970
                                                • Instruction Fuzzy Hash: D5018174B141215FDB64E66CE89476EB7D5EB89610F108829E60ECB354DE25EC018780
                                                Function 06A2C7C0 Relevance: .0, Instructions: 43COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d9c8b361d16ed21831978d93787069338b20bca1fa87340ce238a3e51ae778fb
                                                • Instruction ID: bd1eaf22004e5fc8d97886d6e8d7fc950a99b8d1137fa3c29dc8f335f05514aa
                                                • Opcode Fuzzy Hash: d9c8b361d16ed21831978d93787069338b20bca1fa87340ce238a3e51ae778fb
                                                • Instruction Fuzzy Hash: 7B01A432F20235ABDB58AB6DF844ADE7775FB85324F508429E906EB340DB31AC158790
                                                Function 06A26461 Relevance: .0, Instructions: 26COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3c9a4b3a240d192ba9f47d5102148ead3ad89f7a723e6cbcc45d1515df707ff1
                                                • Instruction ID: f7c51f9f39816306ea48b250c54c82b139515bb5a3830647b5575da17d82b96f
                                                • Opcode Fuzzy Hash: 3c9a4b3a240d192ba9f47d5102148ead3ad89f7a723e6cbcc45d1515df707ff1
                                                • Instruction Fuzzy Hash: 9CE0D870D921159BDBA0EFB88B6535D37ABD742314F2089A5D444DF241E137CE018381
                                                Function 06A26470 Relevance: .0, Instructions: 22COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3f40778c56a94cb1829351910999078a94cedfe7366333d70a95a28b265ea9a
                                                • Instruction ID: ad4c69f99fcec5e0eda53deb059fc66a1cb13caa41dde3a94672a2a184b3ee3f
                                                • Opcode Fuzzy Hash: a3f40778c56a94cb1829351910999078a94cedfe7366333d70a95a28b265ea9a
                                                • Instruction Fuzzy Hash: 83E01271E5211AABDF50EFB8CB5575A77ADD702214F2088A5D449DF201E576DE014780

                                                Non-executed Functions

                                                Function 06A27688 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-3623093008
                                                • Opcode ID: 31b6f223f2372b1fe0ca335d57445830a5a226f78fe29ec4b9ab103ae8c4340c
                                                • Instruction ID: d871a26252c5ec9c3e3903f513bcad95c9563332c6db0a34278a30595c47ed0a
                                                • Opcode Fuzzy Hash: 31b6f223f2372b1fe0ca335d57445830a5a226f78fe29ec4b9ab103ae8c4340c
                                                • Instruction Fuzzy Hash: DB12FD70E0122A8FDB64EF69D95469EB7B2FF88301F208569D40AAB355DB30DE45CF90
                                                Function 06A2A920 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-634254105
                                                • Opcode ID: 2c15ee5acaa1b4bda8df51a1ad2f1f662a562a34f9709a093be872ce2625d3f5
                                                • Instruction ID: 1afdfaa25225e0d8e5889df9fbe2481badaf233119549f8d305a31910d1de8fb
                                                • Opcode Fuzzy Hash: 2c15ee5acaa1b4bda8df51a1ad2f1f662a562a34f9709a093be872ce2625d3f5
                                                • Instruction Fuzzy Hash: FC91A130A4022ADFDB58EF69D9547AEB7F2FF44301F108529D5069B391DB34AD41CB90
                                                Function 06A27088 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .5|q$$dq$$dq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-3447281907
                                                • Opcode ID: 77c080646072a35d602c5248267fdf0c6ed6a9ec75ab4415f9f02fa88d3c9a95
                                                • Instruction ID: f070b08be428d07aef8bb5dd68e9b09e6e3e6d4db64ccb8ccfdb5d81192e49c9
                                                • Opcode Fuzzy Hash: 77c080646072a35d602c5248267fdf0c6ed6a9ec75ab4415f9f02fa88d3c9a95
                                                • Instruction Fuzzy Hash: 79F14B70B01219CFDB59EB69D494A6EBBB2FF88341F248568D4069B394CB35ED42CB90
                                                Function 06A283C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq$$dq$$dq
                                                • API String ID: 0-185584874
                                                • Opcode ID: 58e1c055d79fc97b708e461fa9c91908e96ee9cc84393669bb1d9ba376f9b042
                                                • Instruction ID: 8d4394291fe8073f0aa6edcb500ee554449475b2ff090704e1bb1069e264710e
                                                • Opcode Fuzzy Hash: 58e1c055d79fc97b708e461fa9c91908e96ee9cc84393669bb1d9ba376f9b042
                                                • Instruction Fuzzy Hash: C0B13E30B10229CFDB54EB69D59469EB7B2FF88301F248429E406DB394DB38DC86CB90
                                                Function 06A287D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LRdq$LRdq$$dq$$dq
                                                • API String ID: 0-340319088
                                                • Opcode ID: 70b677786aaab66f3e7b414dba7b6d43bd41c3ab76b27719fb447ab569245fe6
                                                • Instruction ID: 6e867a26b911ff1c55bda706beac2b5035a9818923700aacb65bfa31e0620fe0
                                                • Opcode Fuzzy Hash: 70b677786aaab66f3e7b414dba7b6d43bd41c3ab76b27719fb447ab569245fe6
                                                • Instruction Fuzzy Hash: 0D51A030B002269FDB58EB2DD994A6EB7F2FF89300F148569E4069F395DA34EC45CB91
                                                Function 06A2ACAB Relevance: 5.2, Strings: 4, Instructions: 158COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2950089285.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a20000_CasPol.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq$$dq$$dq
                                                • API String ID: 0-185584874
                                                • Opcode ID: 8b55d22f1c5a321570ec245249b9e6c6089608108be757f4d74513e819560b83
                                                • Instruction ID: b1d083488dda69769dbcf351a77465d89507214038880133890c466a65611a66
                                                • Opcode Fuzzy Hash: 8b55d22f1c5a321570ec245249b9e6c6089608108be757f4d74513e819560b83
                                                • Instruction Fuzzy Hash: E6518030F502269FDB65EB6CE9806AEB7F2EF89211F14452AD906DB354DB34DC42CB90